Forum Discussion
I_tried
May 25, 2023, Copper Contributor
Azure AD Enterprise Application SAML Token Encryption Certificate Issue
Since at least last Friday we have been unable to upload/delete/activate/deactivate any of our certificates for token encryption in our AAD Enterprise Applications.
We currently have an open ticket with MS on this, but they haven't been responding the past few days. The last I've seen they said it was 'sent to the dev's' to look at. From my understanding this is happening on multiple tenants as well.
For the GUI, the errors are very basic:
Token Encryption (Preview)
Failed to import your certificate for token encryption.
Token Encryption (Preview)
Failed to delete certificate
Even trying to update them via Powershell fails. We get something to the effect of:
Update application credentials
Failed to delete certificate. Error detail: No KeyCredential found with the configured TokenEncryptionKeyId.... objectType: Microsoft.Online.DirectoryServices.Application
Anyone else seeing this?
- I_tried, Copper Contributor
It looks like the devs have fixed this so the GUI is working once again. If by chance any of you read this - thank you.
- I_tried, Copper Contributor
So the update I received from MS on this is that this will be fixed / patched the first week in June - yes, no, maybe so (?).
They recommended using Graph as a workaround via the method found here: https://learn.microsoft.com/en-us/azure/active-directory/manage-apps/howto-saml-token-encryption
I'm not too proud to admit that I'm not exactly strong on the straight up Graph side (even if it's staring at me in my face), but I was able to do a sort of work-around to get this working via combination of Powershell and the GUI. I should also say that the Powershell method would be SUPER simple comparatively if it worked the way it's written in the above article. The article states that you can update the token encryption cert using Set-AzureADApplication but with the -TokenEncryptionKeyId <keyID> parameter. Even after updating my AzureAD modules I was unable to find this parameter for some reason so that made this a bit harder without being Mr. Graph. Anyway, this is what I did that seems to work (note: this is not a fix given by Microsoft so use at your own risk etc. etc.).
Use Powershell to inject the certificate into the app. This requires the AzureAD module.
# Connect to Azure AD if you aren't already
Connect-AzureAD
# Enter the name of the application you want to update
$AzureAppDisplayName = "APPDISPLAYNAMEGOESHERE"
# Put the certificate file name / location here
$CertificateFileNameandLocation = "C:\users\$Env:username\desktop\certname.cer"
# Establish the new cert object
$CertificateInfo = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2
# Import your cert into this new object
$CertificateInfo.Import($CertificateFileNameandLocation)
# Get the cert's end date
$CertificateEndDate = [datetime]$CertificateInfo.GetExpirationDateString()
# Get the cert's raw data
$CertificateRawData = $CertificateInfo.GetRawCertData()
# Pull the cert's base64 value
$CertificateBase64Value = [System.Convert]::ToBase64String($CertificateRawData)
# Pull the cert's hash
$CertificateHash = $CertificateInfo.GetCertHash()
# Get the thumbprint
$CertificateThumbprint = [System.Convert]::ToBase64String($CertificateHash)
# Find the Azure App that matches your displayname
$AzureApp = Get-AzureADApplication -All:$True | Where-Object {$_.DisplayName -eq $AzureAppDisplayName}
# Create the new key credential
New-AzureADApplicationKeyCredential -ObjectId $AzureApp.ObjectId -CustomKeyIdentifier $CertificateThumbprint -Type AsymmetricX509Cert -Usage Encrypt -Value $CertificateBase64Value -EndDate $CertificateEndDate
When you do this it will present you several values. One of which is a KeyId that looks like a typical GUID. Copy that KeyId.
Now, go into Azure AD in the GUI -> App Registrations -> All Applications. Find the App you are working with and open it. On the left click on Manifest. Scroll all the way to the bottom and find the line that says:
"tokenEncryptionKeyId":"KeyIDofEncryptionCertGoesHere"
Replace the KeyID GUID listed on that line with the KeyID you generated from the script, then click Save.
Go back to your Enterprise Application blade / whatever -> find your app -> Click Token Encryption and it should show the new cert being the 'active' cert for the app's token encryption.
The only thing of note is that I purposefully left out the -StartDate parameter for the New-AzureADApplicationKeyCredential line because no matter what attribute value format I put (i.e. date/time, whatever), it wasn't happy. Omitting it will set your start date as TODAY - no matter when the cert validity start date is, however the cert expiry should show correctly.
Hopefully this helps someone until this is fixed.
- brianvitamailcom, Copper Contributor
I'm having the exact same problem.
A fix from MS would be nice!
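As an added example (not code from the thread or from Microsoft's article), here is I_tried's workaround done end to end with the Microsoft Graph PowerShell SDK instead of the AzureAD module plus a manual manifest edit, so the tokenEncryptionKeyId update is scripted rather than pasted by hand. It assumes the Microsoft.Graph.Applications module, an account granted Application.ReadWrite.All, and (an assumption about the Graph PATCH semantics) that re-sending the application's existing keyCredentials with their keyId preserves them when the collection is replaced.

```powershell
# Assumptions: Microsoft.Graph.Applications module is installed and the signed-in
# account can write applications (Application.ReadWrite.All).
Connect-MgGraph -Scopes "Application.ReadWrite.All"

$AppDisplayName = "APPDISPLAYNAMEGOESHERE"                        # app registration display name
$CerPath        = "C:\users\$Env:username\desktop\certname.cer"   # public cert only, no private key

# Load the public certificate; the X509Certificate2 object gives us DER bytes, hash and validity.
$Cert = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($CerPath)
if ($Cert.NotAfter -lt (Get-Date)) { throw "Certificate $($Cert.Thumbprint) is already expired" }

# Resolve the application object and refuse to continue if the display name is ambiguous.
$Apps = @(Get-MgApplication -Filter "displayName eq '$AppDisplayName'" -All)
if ($Apps.Count -ne 1) { throw "Expected one app named '$AppDisplayName', found $($Apps.Count)" }
$App = $Apps[0]

# New key credential. Usage 'Encrypt' is what marks it as a token-encryption cert; the
# customKeyIdentifier (cert hash) lets us find it again after the service assigns a keyId.
$NewCred = @{
    Type                = "AsymmetricX509Cert"
    Usage               = "Encrypt"
    Key                 = $Cert.GetRawCertData()
    CustomKeyIdentifier = $Cert.GetCertHash()
    DisplayName         = "SAML token encryption $($Cert.Thumbprint)"
    StartDateTime       = $Cert.NotBefore   # real validity start rather than 'today'
    EndDateTime         = $Cert.NotAfter
}

# keyCredentials is replaced as a whole on update, so keep the existing entries (assumption:
# the service matches them by KeyId and keeps them even though Key reads back as null).
$AllCreds = @($App.KeyCredentials | ForEach-Object { @{
    KeyId = $_.KeyId; Type = $_.Type; Usage = $_.Usage; Key = $_.Key
    CustomKeyIdentifier = $_.CustomKeyIdentifier; DisplayName = $_.DisplayName
    StartDateTime = $_.StartDateTime; EndDateTime = $_.EndDateTime
} }) + $NewCred
Update-MgApplication -ApplicationId $App.Id -KeyCredentials $AllCreds

# Read back, locate our cert by hash, and point tokenEncryptionKeyId at it
# (this is the manifest line the post edits by hand in the portal).
$WantHash = [Convert]::ToBase64String($Cert.GetCertHash())
$Stored = (Get-MgApplication -ApplicationId $App.Id).KeyCredentials |
    Where-Object { $_.Usage -eq "Encrypt" -and [Convert]::ToBase64String($_.CustomKeyIdentifier) -eq $WantHash }
if (-not $Stored) { throw "New Encrypt credential not found after update" }
Update-MgApplication -ApplicationId $App.Id -TokenEncryptionKeyId $Stored.KeyId
Write-Host "tokenEncryptionKeyId is now $($Stored.KeyId) (thumbprint $($Cert.Thumbprint))"
```

After it runs, the Enterprise Application's Token Encryption blade should show the new certificate as active, and the old Encrypt credential stays in keyCredentials until you remove it deliberately.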