Skip to content

blackadi/GraphAPI_addKey_API_SP

Repository files navigation

A DOTNET Core 3.1 console application sample calling MS Graph API to add a key credential to an application

For this demo we will use addKey API for application, but the code can be changed to use service principal instead.

This sample provides the ability to either call the addKey API using graph SDK or directly calling the graph API. More info here

Running the sample

Step 1: Clone this repository

From your shell or command line:

git clone https://github.com/blackadi/GraphAPI_addKey_API_SP.git

Step 2: Register the sample with your Azure Active Directory tenant

  1. Navigate to the Microsoft identity platform for developers App registrations page.

  2. Select New registration.

    • In the Name section, enter a meaningful application name that will be displayed to users of the app.
    • In the Supported account types section, select Accounts in this organizational directory only ({tenant name}).
    • Click Register button at the bottom to create the application.
  3. On the application Overview page, find the Application (client) ID and Directory (tenant) ID values and record it for later. You'll need it to configure the configuration file(s) later in your code.

  4. From the Certificates & secrets page, in the Certificates section, choose Upload certificate:

    • Select the certificate file you want to upload. It must be one of the following file types: .cer, .pem, .crt.

      Please be advised that this certificate will be utilized for authentication purposes with Microsoft Entra ID in place of client secrets.

    • Select Add.

  5. In the Application menu blade, click on the API permissions in the left to open the page where we add access to the Apis that your application needs.

    • Click the Add a permission button and then,
    • Ensure that the Microsoft APIs tab is selected
    • In the Commonly used Microsoft APIs section, click on Microsoft Graph
    • In the Application permissions section, ensure that the right permissions are checked: Application.ReadWrite.OwnedBy
    • Select the Add permissions button at the bottom.
  6. At this stage, the permissions are assigned correctly but since the client app does not allow users to interact, the user's themselves cannot consent to these permissions. To get around this problem, we'd let the tenant administrator consent on behalf of all users in the tenant. Click the Grant admin consent for {tenant} button, and then select Yes when you are asked if you want to grant consent for the requested permissions for all account in the tenant. You need to be the tenant admin to be able to carry out this operation.

Step 3: Create a private key and certificate

  • You can follow the instruction here, upload a valid certificate as it's needed when calling addKey API.

    Applications without any existing valid certificates (either no certificates have been added or all certificates have expired) will not be able to utilize this code sample. Instead, you can use the Update application operation via the Graph API to modify the keyCredentials property, or you can upload your valid certificates through the Azure portal as detailed here.

Finally, go back to the Azure portal. In the Application menu blade, click on the Certificates & secrets, in the Certificates section, upload the certificate you created.

Step 4: Configure the sample app to use your app registration

Open the project in your IDE (like Visual Studio) to configure the code.

In the steps below, "ClientID" is the same as "Application ID" or "AppId".

  1. Open the appsettings.json file
  2. Find the app key ClientId and replace the existing value with the application ID (clientId) value you recorded earlier from the Azure portal.
  3. Find the app key TenantId and replace the existing value with the directory (tenant) ID value you recorded earlier from the Azure portal.
  4. Find the app key ObjectId and replace the existing value with your app registration (Object ID) value which can be found from the Azure portal.
  5. Find the app key Aud_ClientAssertion and replace {YOUR_TENANT_ID_HERE} with the directory (tenant) ID value you recorded earlier from the Azure portal.
  6. Find the app key CertificateDiskPath and replace the existing value with your exising self-signed certificate, for more info see this.
  7. Find the app key CertificatePassword and replace the existing value with your exising self-signed certificate password, for more info see this.
  8. Find the app key NewCertificateDiskPath and replace the existing value with your new self-signed certificate, for more info see this.
  9. Find the app key NewCertificatePassword and replace the existing value with your new self-signed certificate password, for more info see this.

Step 5: Run the sample

Clean the solution, rebuild the solution, and run it.

    dotnet run

About this sample

  • The code will generate client_assertion first, then will get access_token using client credentials flow

  • a proof of possession token will be generated and this JWT token must be signed using the private key of the application existing valid certificates.

  • Extract the key value of the new certificate which will be uploaded via addKey API request body.

  • Finally, call the API.

⚠️ The certificates used in this sample are for testing purposes only.