SOLVED

Access denied for Set-AzureADApplicationProxyApplicationCustomDomainCertificate


I am automating binding a custom certificate to an application published with the Azure AD Application Proxy. I can upload and bind the certificate in the Azure Portal.


Logged on with the Global Administrator role in PowerShell, I use the AzureAD module with Set-AzureADApplicationProxyApplicationCustomDomainCertificate. After entering the password for the Pfx, the response is "Access Denied".


Any idea why this is not allowed via script?


3 Replies

Have you looked at our guidance on certificates to make sure you have the appropriate format: https://docs.microsoft.com/en-us/azure/active-directory/manage-apps/application-proxy-configure-cust....


Best Response confirmed by Raymond Comvalius (MVP)
Solution

Yes, I did use that article and the documentation on the cmdlet as the source to use the cmdlet.


The article doesn't mention that unlike when using the Azure Portal, this cmdlet requires you to run in an elevated PowerShell session with local administrator rights.


When not run elevated, the response is "Access Denied".


I am clueless what the local administrator rights are for when uploading a certificate to Azure.


I proposed a change in the documentation at docs.microsoft.com to mention the requirement for an elevated PowerShell session.
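The following script is an added example, not code from the thread or from Microsoft, showing how one would automate the binding described above while failing early on the elevation requirement the solution identifies. It assumes the documented parameters of Set-AzureADApplicationProxyApplicationCustomDomainCertificate (-ObjectId, -PfxFilePath, -Password) and that Get-AzureADApplicationProxyApplication reports the bound certificate under VerifiedCustomDomainCertificatesMetadata; the application name and PFX path are placeholders supplied by the caller. The local checks before upload (private key present, not about to expire) and the thumbprint comparison afterwards are additions for safety, not requirements of the cmdlet.

```powershell
# Added example (not from the thread): bind a PFX to an Azure AD App Proxy
# application, checking for an elevated session first because the cmdlet
# otherwise returns "Access Denied" (as found in the accepted answer).
# $AppDisplayName and $PfxFilePath are placeholders passed by the caller.

param(
    [Parameter(Mandatory)] [string] $AppDisplayName,
    [Parameter(Mandatory)] [string] $PfxFilePath
)

# 1. Elevation check: run this from a "Run as administrator" PowerShell session.
$identity  = [System.Security.Principal.WindowsIdentity]::GetCurrent()
$principal = [System.Security.Principal.WindowsPrincipal]::new($identity)
$adminRole = [System.Security.Principal.WindowsBuiltInRole]::Administrator
if (-not $principal.IsInRole($adminRole)) {
    throw "Set-AzureADApplicationProxyApplicationCustomDomainCertificate requires an elevated PowerShell session."
}

# 2. Read the PFX password as a SecureString so it is never echoed or stored in clear text.
$pfxPassword = Read-Host -Prompt "PFX password" -AsSecureString

# 3. Sanity-check the certificate locally before sending it to Azure
#    (X509Certificate2 accepts a file path and a SecureString password).
$pfxFullPath = (Resolve-Path -Path $PfxFilePath).Path
$cert = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($pfxFullPath, $pfxPassword)
if (-not $cert.HasPrivateKey) {
    throw "The PFX does not contain a private key; App Proxy cannot serve TLS with it."
}
if ($cert.NotAfter -lt (Get-Date).AddDays(30)) {
    throw "Certificate $($cert.Thumbprint) expires on $($cert.NotAfter); refusing to bind it."
}

# 4. Sign in (a Global Administrator, as in the original post) and locate the application.
Connect-AzureAD | Out-Null
$app = @(Get-AzureADApplication -Filter "displayName eq '$AppDisplayName'")
if ($app.Count -ne 1) {
    throw "Expected exactly one application named '$AppDisplayName', found $($app.Count)."
}

# 5. Upload and bind the certificate to the published application.
Set-AzureADApplicationProxyApplicationCustomDomainCertificate `
    -ObjectId $app[0].ObjectId -PfxFilePath $pfxFullPath -Password $pfxPassword

# 6. Verify: the thumbprint Azure now reports must match the file we uploaded.
$proxyApp = Get-AzureADApplicationProxyApplication -ObjectId $app[0].ObjectId
$boundThumbprints = @($proxyApp.VerifiedCustomDomainCertificatesMetadata.Thumbprint)
if ($boundThumbprints -notcontains $cert.Thumbprint) {
    throw "Azure reports thumbprint(s) $($boundThumbprints -join ', '), not $($cert.Thumbprint)."
}
Write-Host "Bound certificate $($cert.Thumbprint) (expires $($cert.NotAfter)) to '$AppDisplayName'."
```

Because the cmdlet insists on local administrator rights, keep the elevated session to this one task and close it afterwards; the elevation check is placed first so that a non-elevated run fails before any credentials are entered or any sign-in happens.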

Thanks Raymond! I will make sure the doc change is also made.