Add password secret to Entra applications during app creation

Old way to create an Entra app and add a password secret

For a long time, creating an Entra app with a password secret required two separate Graph calls:

  1. Create an Entra app
POST /v1.0/applications
Content-type: application/json

{
  "displayName" : "AppWithClientSecret"
}

With PowerShell SDK for Microsoft Graph:

Import-Module Microsoft.Graph.Applications

Connect-MgGraph -Scopes "Application.ReadWrite.All"

$params = @{
	displayName = "AppWithClientSecret"
}

$app = New-MgApplication -BodyParameter $params
$appObjectId = $app.Id

This creates a single-tenant application: signInAudience defaults to AzureADMyOrg, so only work or school accounts in your organization's Microsoft Entra tenant can sign in to it.

  2. Add a password secret

To add a client secret, call POST /v1.0/applications/{id}/addPassword or the Add-MgApplicationPassword cmdlet.

POST /v1.0/applications/{id}/addPassword
Content-type: application/json

{
  "passwordCredential": {
    "displayName": "Default secret"
  }
}

By default (no endDateTime in the passwordCredential) the secret expires two years after creation. Set endDateTime explicitly if your rotation policy requires a shorter lifetime.

PowerShell SDK:

Import-Module Microsoft.Graph.Applications

Connect-MgGraph -Scopes "Application.ReadWrite.All"

# Object id of the application (the Id property returned by New-MgApplication), not the appId
$appObjectId = "<application_object_id>"
$params = @{
	passwordCredential = @{
		displayName = "Default secret"
	}
}

$appSecret = Add-MgApplicationPassword -ApplicationId $appObjectId -BodyParameter $params
# SecretText is only returned in this response; it cannot be read back later
$clientSecret = $appSecret.SecretText

Be aware that the -ApplicationId parameter takes the application's object id (the Id property of the application object), not the application (client) id shown as AppId. Passing the client id addresses a different identifier and the call will not find the application.
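The two-step flow end to end, as an added example that is not part of the original post: it creates the app, adds a secret with an explicit 90-day lifetime instead of the two-year default, shows which of the two ids goes where, and reads the application back to confirm that the secret value is not retrievable after the addPassword response. The display names, the 90-day rotation period and the app name are assumptions for illustration.

```powershell
# Added example, not from the original post.
Import-Module Microsoft.Graph.Applications
Connect-MgGraph -Scopes "Application.ReadWrite.All"

# Step 1: create the app. Two identifiers come back; only Id is the object id.
$app = New-MgApplication -BodyParameter @{ displayName = "AppWithClientSecret" }
Write-Host "Object id (use for Graph application calls): $($app.Id)"
Write-Host "Application (client) id (use in token requests): $($app.AppId)"

# Step 2: add a secret. endDateTime overrides the two-year default.
# Assumption: a 90-day rotation period is what your policy mandates.
$end = (Get-Date).ToUniversalTime().AddDays(90).ToString("o")
$cred = Add-MgApplicationPassword -ApplicationId $app.Id -BodyParameter @{
    passwordCredential = @{
        displayName = "Rotated every 90 days"
        endDateTime = $end
    }
}

# SecretText is only present in this response; hand it to your vault now.
$clientSecret = $cred.SecretText
Write-Host "Secret keyId: $($cred.KeyId), expires: $($cred.EndDateTime)"

# Reading the app back lists the credential metadata but never the value.
$readBack = Get-MgApplication -ApplicationId $app.Id
$readBack.PasswordCredentials | ForEach-Object {
    "keyId={0} expires={1} secretText is null: {2}" -f $_.KeyId, $_.EndDateTime, ($null -eq $_.SecretText)
}

# The KeyId is what you need later to revoke this secret.
Remove-MgApplicationPassword -ApplicationId $app.Id -BodyParameter @{ keyId = $cred.KeyId }
```

The final Remove-MgApplicationPassword call is included so that a test run leaves no live secret behind; in a real deployment you would keep the credential and revoke the previous one only after the new secret has been rolled out.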

Checking the result in the Microsoft Entra admin center shows the new secret under the application's Certificates & secrets blade:

[Screenshot: Client secret]

New, easier way to create an Entra app with a password secret

The POST /v1.0/applications endpoint now accepts a passwordCredentials collection in the request body, so the secret can be generated in the same call that creates the application. The generated secretText is returned in the creation response.

POST /v1.0/applications
Content-type: application/json

{
  "displayName" : "AppWithClientSecret",
  "passwordCredentials" : [
    {
      "displayName" : "Default secret"
    }
  ]
}

With PowerShell SDK for Microsoft Graph:

Import-Module Microsoft.Graph.Applications

Connect-MgGraph -Scopes "Application.ReadWrite.All"

$params = @{
	displayName = "AnotherAppWithClientSecret"
	passwordCredentials = @(
		@{
			displayName = "Default secret"
		}
	)
}

$app = New-MgApplication -BodyParameter $params
# The secret value is returned once, in the creation response
$clientSecret = $app.PasswordCredentials[0].SecretText

Result in the Microsoft Entra admin center:

[Screenshot: Client secret]

Limitations

Only one password secret can be added during app creation: the Graph API rejects a create request whose passwordCredentials collection contains more than one entry. Additional secrets, for example a second one that overlaps the first during rotation, still have to be added afterwards with addPassword.
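An added example, not part of the original post, that exercises the single-call creation with an explicit 90-day expiry and then probes the one-secret limitation: a second creation with two passwordCredentials is attempted inside try/catch, and the overlapping secret is added afterwards with Add-MgApplicationPassword, which is the supported route. App names, display names and the 90-day period are assumptions; the test apps are removed at the end.

```powershell
# Added example, not from the original post.
Import-Module Microsoft.Graph.Applications
Connect-MgGraph -Scopes "Application.ReadWrite.All"

# Assumption: 90-day rotation period; default without endDateTime is two years.
$end = (Get-Date).ToUniversalTime().AddDays(90).ToString("o")

# One call: application plus its first secret.
$app = New-MgApplication -BodyParameter @{
    displayName = "AppWithClientSecret"
    passwordCredentials = @(
        @{ displayName = "Rotated every 90 days"; endDateTime = $end }
    )
}
# The secret value lives only in this response.
$clientSecret = $app.PasswordCredentials[0].SecretText
Write-Host "Created $($app.Id); secret expires $($app.PasswordCredentials[0].EndDateTime)"

# Limitation check: two passwordCredentials in the create request.
try {
    $two = New-MgApplication -BodyParameter @{
        displayName = "AppWithTwoSecrets"
        passwordCredentials = @(
            @{ displayName = "First" },
            @{ displayName = "Second" }
        )
    } -ErrorAction Stop
    # Reaching this point means the limitation no longer applies; tidy up.
    Remove-MgApplication -ApplicationId $two.Id
    Write-Host "Two secrets were accepted at creation; the limitation is gone."
} catch {
    Write-Warning "Two secrets at creation rejected: $($_.Exception.Message)"
}

# Supported way to get a second, overlapping secret: addPassword after creation.
$second = Add-MgApplicationPassword -ApplicationId $app.Id -BodyParameter @{
    passwordCredential = @{ displayName = "Next rotation"; endDateTime = $end }
}
Write-Host "Second secret keyId: $($second.KeyId)"

# Clean up the test application (this also deletes both secrets).
Remove-MgApplication -ApplicationId $app.Id
```

The try/catch prints the service's own error text rather than a hard-coded message, so the block keeps working if the wording of the rejection changes.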
