Applications registered in Azure AD can make app-only calls by sharing a certificate with Azure AD: Azure AD holds the public certificate and the application holds the private key. A certificate from a trusted CA should be used for production deployments, but certificates produced by the New-SelfSignedCertificate cmdlet are fine for testing and debugging (much like local web debugging over HTTPS). The steps below generate a self-signed certificate with New-SelfSignedCertificate and export it for use with Azure AD.
Part 1: Generate a Self-signed Certificate
Open Windows PowerShell ISE.
Create a PowerShell script with the following content:
```powershell
# Create a 2048-bit RSA certificate in the local machine store; update -DnsName and the validity dates.
$cert = New-SelfSignedCertificate -DnsName www.mysite.com -CertStoreLocation "cert:\LocalMachine\My" -KeyLength 2048 -KeySpec "KeyExchange" -NotBefore (Get-Date "2019-10-15") -NotAfter (Get-Date "2021-10-15")
# Password that protects the private key in the exported PFX file.
$password = ConvertTo-SecureString -String "mySecurePassword" -Force -AsPlainText
# PFX = certificate plus private key: this stays with the connector and is never uploaded.
Export-PfxCertificate -Cert $cert -FilePath ".\aspire.mysite.com.pfx" -Password $password
# CER = public certificate only: this is the file uploaded to Azure AD.
Export-Certificate -Type CERT -Cert $cert -FilePath ".\aspire.mysite.com.cer"
```
- Update the value for -DnsName.
- Update the values for -NotBefore and -NotAfter.
- Update the password value.
- Update the -FilePath values for the .cer and .pfx files.
- Additional information about these parameters can be found in the New-SelfSignedCertificate documentation.
- Execute the PowerShell script. Writing to the LocalMachine certificate store requires an elevated (administrator) PowerShell session.
- Both files are created at the specified paths.
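Before uploading anything, it is worth checking that the two exported files are what Part 1 intends: the same certificate in both, the private key only in the .pfx, and the requested key size and validity window. The following PowerShell is an added example, not part of the original page; the file paths and password are assumptions matching the script above.

```powershell
# Added example: sanity-check the files exported in Part 1 before uploading the .cer to Azure AD.
# Paths and password are assumptions that match the script above; adjust them to your values.
$pfxPath  = ".\aspire.mysite.com.pfx"
$cerPath  = ".\aspire.mysite.com.cer"
$password = ConvertTo-SecureString -String "mySecurePassword" -Force -AsPlainText

$pfx = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new(
    (Resolve-Path $pfxPath).Path, $password,
    [System.Security.Cryptography.X509Certificates.X509KeyStorageFlags]::Exportable)
$cer = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new((Resolve-Path $cerPath).Path)

# 1. The .cer uploaded to Azure AD and the .pfx kept by the connector must be the same certificate.
if ($pfx.Thumbprint -ne $cer.Thumbprint) { throw "Thumbprint mismatch between .pfx and .cer" }

# 2. Only the .pfx may carry the private key; the .cer is the file that is safe to upload.
if (-not $pfx.HasPrivateKey) { throw "The .pfx does not contain a private key" }
if ($cer.HasPrivateKey)      { throw "The .cer unexpectedly contains a private key" }

# 3. Key size and validity window should match what the script requested.
$rsa = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPublicKey($cer)
if ($rsa.KeySize -lt 2048) { throw "Key is only $($rsa.KeySize) bits" }
$now = Get-Date
if ($now -lt $cer.NotBefore -or $now -gt $cer.NotAfter) {
    Write-Warning "Certificate is not valid today (valid $($cer.NotBefore) to $($cer.NotAfter))"
}

# 4. Record the thumbprint: after upload it must match the one Azure AD shows under "Certificates & secrets".
[PSCustomObject]@{
    Subject    = $cer.Subject
    Thumbprint = $cer.Thumbprint
    KeyBits    = $rsa.KeySize
    NotAfter   = $cer.NotAfter
}
```

Run it from the same directory as the exported files. Because the .pfx is opened with its password, the script also confirms that the password you intend to hand to the connector actually opens the file.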
Part 2: Create the Azure AD Application
- Log into the Azure Management Portal for your Office 365 tenant.
- Go to the Azure Active Directory tab and select App Registrations.
- Select "New Registration".
- On "Supported account types" select "Accounts in this organizational directory only".
- On "Redirect URI" select Web.
- Enter a Sign-on URL (its value does not matter beyond being unique) and click "Register".
- Look for your new application in the Registered Applications list and click it.
- Go to API Permissions and click "Add a permission".
- In the "Select an API" section, choose the "SharePoint" application.
- Select "Application Permissions" and check the following permissions:
  - TermStore.Read.All: Read Managed Metadata.
  - Sites.FullControl.All: Have Full Control of all Site Collections.
  - Sites.Read.All: Read Items in all Site Collections.
- Click "Add permissions".
- After adding the permissions, click "Grant admin consent" so that they take effect.
Info: On the Configure section you will also see the Application ID. Copy and save this ID; you will need it when configuring the connector.
- Go to "Certificates and secrets".
- Click "Upload certificate".
- Select the .cer file (the public certificate) exported in Part 1.
- Add the certificate.
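Once the certificate is uploaded, the registration should carry exactly the certificate from Part 1 and no forgotten older ones. The following PowerShell is an added example that is not part of the original page: it uses the Microsoft Graph PowerShell module (Install-Module Microsoft.Graph), which the page itself does not mention, and assumes the Application ID copied from the portal and the .cer path from Part 1.

```powershell
# Added example: confirm from the command line which certificates the registration holds.
# Requires the Microsoft.Graph module; $appId and $cerPath are assumptions (fill in your values).
$appId   = "<Application ID copied from the portal>"
$cerPath = ".\aspire.mysite.com.cer"

$local = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new((Resolve-Path $cerPath).Path)

# Read-only scope is enough to inspect the registration.
Connect-MgGraph -Scopes "Application.Read.All" | Out-Null
$app = Get-MgApplication -Filter "appId eq '$appId'"
if (-not $app) { throw "No application registration found for appId $appId" }

# Each uploaded certificate is stored as a key credential. Assumption: CustomKeyIdentifier holds
# the raw SHA-1 thumbprint bytes, so it is converted to hex for comparison with the local thumbprint.
$registered = foreach ($k in $app.KeyCredentials) {
    [PSCustomObject]@{
        Thumbprint  = ([System.BitConverter]::ToString($k.CustomKeyIdentifier)).Replace("-", "")
        DisplayName = $k.DisplayName
        EndDateTime = $k.EndDateTime
    }
}
$registered | Format-Table -AutoSize

# The certificate generated in Part 1 must be present ...
if ($registered.Thumbprint -notcontains $local.Thumbprint) {
    throw "Certificate $($local.Thumbprint) is not registered on '$($app.DisplayName)'"
}
# ... and anything else is usually a previous certificate that was never removed.
$stale = $registered | Where-Object { $_.Thumbprint -ne $local.Thumbprint }
if ($stale) { Write-Warning "Additional certificates registered: $($stale.Thumbprint -join ', ')" }
```

Listing the registered credentials this way is also a quick check to repeat when rotating the certificate, so that the old one is removed after the connector has switched to the new one.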
Part 4: Extract the Private Key
Info: You may need to download OpenSSL for Windows to follow these steps.
Extract the private key from the PFX as PEM (OpenSSL prompts for the PFX password and then for a passphrase to protect the PEM output):
```shell
openssl pkcs12 -nocerts -in <PFX Path> -out <PEM Path>
```
Convert the extracted PEM key to an unencrypted PKCS#8 key in DER format (OpenSSL prompts for the PEM passphrase; -nocrypt leaves the DER output unencrypted):
```shell
openssl pkcs8 -topk8 -inform PEM -outform DER -in <PEM Path> -out <DER Path> -nocrypt
```
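The two commands above leave an unencrypted PEM key on disk and give no confirmation that the DER key actually belongs to the certificate uploaded in Part 2. The following PowerShell script is an added example, not part of the original page: it runs both OpenSSL steps with explicit paths, verifies the key against the .cer, and removes the PEM intermediate. It assumes openssl.exe is on the PATH; the file names are assumptions matching Part 1, and -nodes and -passin are added options not used on the page.

```powershell
# Added example: run the Part 4 OpenSSL steps and verify the result.
# Assumes openssl.exe is on PATH; file names are assumptions matching Part 1.
$pfxPath = ".\aspire.mysite.com.pfx"
$pemPath = ".\aspire.mysite.com.key.pem"   # temporary, unencrypted, deleted at the end
$derPath = ".\aspire.mysite.com.key.der"   # the file the connector will use
$cerPath = ".\aspire.mysite.com.cer"       # the public certificate uploaded to Azure AD

# Hand the PFX password to OpenSSL through an environment variable (-passin env:) rather than
# on the command line, so it does not appear in the process list.
$env:PFX_PASSWORD = Read-Host -Prompt "PFX password"

# Step 1: private key only (-nocerts); -nodes skips the PEM passphrase prompt, since
# step 2 writes an unencrypted PKCS#8 key anyway.
openssl pkcs12 -nocerts -nodes -in $pfxPath -out $pemPath -passin env:PFX_PASSWORD
if ($LASTEXITCODE -ne 0) { throw "openssl pkcs12 failed" }

# Step 2: PEM -> PKCS#8 DER, unencrypted.
openssl pkcs8 -topk8 -inform PEM -outform DER -in $pemPath -out $derPath -nocrypt
if ($LASTEXITCODE -ne 0) { throw "openssl pkcs8 failed" }

# Step 3: the public key derived from the DER private key must equal the public key in the .cer
# (Export-Certificate -Type CERT writes DER, hence -inform DER on both sides).
$pubFromKey  = (openssl pkey -inform DER -in $derPath -pubout) -join "`n"
$pubFromCert = (openssl x509 -inform DER -in $cerPath -pubkey -noout) -join "`n"
if ($pubFromKey.Trim() -ne $pubFromCert.Trim()) { throw "DER private key does not match the certificate" }
Write-Host "Private key in $derPath matches certificate $cerPath"

# Step 4: clean up. The PEM file and the password variable are no longer needed; the DER file
# (like the PFX) should be readable only by the account that runs the connector.
Remove-Item $pemPath
Remove-Item Env:\PFX_PASSWORD
```

The public-key comparison in step 3 is the check to rerun whenever the certificate is renewed: a DER key left over from a previous certificate will convert without error but fail this comparison, which is much easier to diagnose here than as an authentication failure in the connector.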