Forum Discussion
Azure AD Enterprise Application SAML Token Encryption Certificate Issue
So the update I received from MS on this is that this will be fixed / patched the first week in June - yes, no, maybe so (?).
They recommended using Graph as a workaround via the method found here:
https://learn.microsoft.com/en-us/azure/active-directory/manage-apps/howto-saml-token-encryption
I'm not too proud to admit that I'm not exactly strong on the straight-up Graph side (even if it's staring me in the face), but I was able to do a sort of workaround to get this working via a combination of PowerShell and the GUI.
I should also say that the PowerShell method would be SUPER simple comparatively if it worked the way it's written in the above article. The article states that you can update the token encryption cert using Set-AzureADApplication with the -TokenEncryptionKeyId <keyID> parameter. Even after updating my AzureAD modules I was unable to find this parameter for some reason, so that made this a bit harder without being Mr. Graph. Anyway, this is what I did that seems to work (note: this is not a fix given by Microsoft, so use at your own risk etc. etc.).
Use PowerShell to inject the certificate into the app. This requires the AzureAD module.
# Connect to Azure AD if you aren't already
Connect-AzureAD
# Enter the name of the application you want to update
$AzureAppDisplayName = "APPDISPLAYNAMEGOESHERE"
# Put the certificate file name / location here (public cert only, .cer / DER or Base64)
$CertificateFileNameandLocation = "C:\users\$Env:username\desktop\certname.cer"
# Load the cert straight from the file via the constructor (Import() is obsolete in newer .NET)
$CertificateInfo = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList $CertificateFileNameandLocation
# Get the cert's end date as a DateTime (NotAfter avoids culture-dependent string parsing)
$CertificateEndDate = $CertificateInfo.NotAfter
# Get the cert's raw DER data
$CertificateRawData = $CertificateInfo.GetRawCertData()
# Pull the cert's base64 value (this is what goes into the keyCredential "value")
$CertificateBase64Value = [System.Convert]::ToBase64String($CertificateRawData)
# Pull the cert's SHA-1 hash (thumbprint bytes)
$CertificateHash = $CertificateInfo.GetCertHash()
# Base64-encode the thumbprint; this becomes the customKeyIdentifier
$CertificateThumbprint = [System.Convert]::ToBase64String($CertificateHash)
# Find the Azure App that matches your display name, and stop if there isn't exactly one
$AzureApp = @(Get-AzureADApplication -All:$True | Where-Object {$_.DisplayName -eq $AzureAppDisplayName})
if ($AzureApp.Count -ne 1) { throw "Expected exactly one application named '$AzureAppDisplayName', found $($AzureApp.Count)" }
$AzureApp = $AzureApp[0]
# Create the new key credential (Usage Encrypt = SAML token encryption, not signing)
New-AzureADApplicationKeyCredential -ObjectId $AzureApp.ObjectId -CustomKeyIdentifier $CertificateThumbprint -Type AsymmetricX509Cert -Usage Encrypt -Value $CertificateBase64Value -EndDate $CertificateEndDate
When you do this it will present you with several values, one of which is a KeyId that looks like a typical GUID. Copy that KeyId.
Now, go into Azure AD in the GUI -> App Registrations -> All Applications. Find the app you are working with and open it. On the left, click on Manifest. Scroll all the way to the bottom and find the line that says:
"tokenEncryptionKeyId":"KeyIDofEncryptionCertGoesHere"
Replace the KeyId GUID listed on that line with the KeyId you generated from the script, then click Save.
Go back to your Enterprise Application blade / whatever -> find your app -> click Token Encryption, and it should show the new cert as the 'active' cert for the app's token encryption.
The only thing of note is that I purposely left out the -StartDate parameter for the New-AzureADApplicationKeyCredential line because no matter what attribute value format I put (e.g. date/time, whatever), it wasn't happy. Omitting it will set your start date as TODAY, no matter when the cert validity start date is; however, the cert expiry should show correctly.
Hopefully this helps someone until this is fixed.
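The same two steps (add the encryption key credential, then point tokenEncryptionKeyId at it) done end to end in Microsoft Graph PowerShell, which is the route the linked Microsoft article recommends. This is an added example, not the poster's script and not code from Microsoft's article; it assumes the Microsoft.Graph.Applications module is installed, that you sign in with an account holding Application.ReadWrite.All (or an equivalent admin role), and it reuses the post's placeholder display name and certificate path. Two details worth knowing: a PATCH to keyCredentials replaces the whole collection, so the existing signing and encryption entries are sent back along with the new one, and Graph identifies the cert by its thumbprint bytes (customKeyIdentifier), which is how the assigned keyId is looked up afterwards.

```powershell
# Added example: SAML token encryption cert rollover via Microsoft Graph PowerShell.
# Assumptions: Microsoft.Graph.Applications installed; caller has Application.ReadWrite.All;
# $AppDisplayName and $CertPath are placeholders copied from the post above.
Import-Module Microsoft.Graph.Applications

$AppDisplayName = "APPDISPLAYNAMEGOESHERE"
$CertPath       = "C:\users\$Env:username\desktop\certname.cer"

Connect-MgGraph -Scopes "Application.ReadWrite.All"

# Load the public certificate (DER or Base64 .cer). The constructor replaces the obsolete Import().
$Cert = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($CertPath)
if ($Cert.NotAfter -lt (Get-Date)) { throw "Certificate $($Cert.Thumbprint) is already expired" }

# Resolve the app registration by display name; refuse to continue if the name is ambiguous.
$Apps = @(Get-MgApplication -Filter "displayName eq '$AppDisplayName'" -All)
if ($Apps.Count -ne 1) { throw "Expected exactly one app named '$AppDisplayName', found $($Apps.Count)" }
$App = $Apps[0]

# New encryption credential. The SDK takes raw bytes for key/customKeyIdentifier and
# base64-encodes them on the wire. Usage must be Encrypt, not Sign.
$NewCred = @{
    Type                = "AsymmetricX509Cert"
    Usage               = "Encrypt"
    Key                 = $Cert.RawData
    CustomKeyIdentifier = $Cert.GetCertHash()   # SHA-1 thumbprint bytes
    DisplayName         = $Cert.Subject
    StartDateTime       = $Cert.NotBefore        # keeps the real validity window, unlike omitting -StartDate
    EndDateTime         = $Cert.NotAfter
}

# PATCHing keyCredentials replaces the collection, so carry the existing entries forward.
# Graph never returns key material, so these are sent back by keyId without the Key property.
$Existing = @($App.KeyCredentials | ForEach-Object {
    @{
        KeyId               = $_.KeyId
        Type                = $_.Type
        Usage               = $_.Usage
        CustomKeyIdentifier = $_.CustomKeyIdentifier
        DisplayName         = $_.DisplayName
        StartDateTime       = $_.StartDateTime
        EndDateTime         = $_.EndDateTime
    }
})
Update-MgApplication -ApplicationId $App.Id -KeyCredentials ($Existing + $NewCred)

# Read the app back and find the keyId Azure AD assigned to our cert by matching the thumbprint.
$Thumb = $Cert.Thumbprint.ToUpperInvariant()
$KeyId = (Get-MgApplication -ApplicationId $App.Id).KeyCredentials |
    Where-Object {
        $_.Usage -eq "Encrypt" -and
        (([System.BitConverter]::ToString($_.CustomKeyIdentifier)) -replace '-', '') -eq $Thumb
    } |
    Select-Object -First 1 -ExpandProperty KeyId
if (-not $KeyId) { throw "New encryption credential for thumbprint $Thumb not found after update" }

# Activate it: this is the manifest edit the post does by hand in the portal.
Update-MgApplication -ApplicationId $App.Id -TokenEncryptionKeyId $KeyId

# Verify the active encryption key now points at the new certificate.
$Check = Get-MgApplication -ApplicationId $App.Id
if ($Check.TokenEncryptionKeyId -ne $KeyId) { throw "tokenEncryptionKeyId was not updated" }
"tokenEncryptionKeyId is now $KeyId (thumbprint $Thumb)"
```

Leave the old encryption credential in place until the service provider has the new public certificate; tokenEncryptionKeyId selects which credential is used to encrypt, so the switch is atomic and can be reverted by pointing it back at the previous keyId.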