New-EntraApplicationKeyCredential

Creates a key credential for an application.

Syntax

Default (Default)

New-EntraApplicationKeyCredential

 -ApplicationId <String>
 [-CustomKeyIdentifier <String>]
 [-Type <KeyType>]
 [-Usage <KeyUsage>]
 [-Value <String>]
 [-EndDate <DateTime>]
 [-StartDate <DateTime>]
 [<CommonParameters>]

Description

The New-EntraApplicationKeyCredential cmdlet creates a key credential for an application.

An application can use this command along with Remove-EntraApplicationKeyCredential to automate the rolling of its expiring keys.

As part of the request validation, proof of possession of an existing key is verified before the action can be performed.

Examples

Example 1: Create a new application key credential

Connect-Entra -Scopes 'Application.ReadWrite.All','Application.ReadWrite.OwnedBy'
$application = Get-EntraApplication -Filter "DisplayName eq 'Contoso Helpdesk Application'"
$params = @{
 ApplicationId = $application.Id
 CustomKeyIdentifier = 'EntraPowerShellKey'
 StartDate = '2024-03-21T14:14:14Z'
 Type = 'Symmetric'
 Usage = 'Sign'
 Value = '<my-value>'
}
New-EntraApplicationKeyCredential @params

CustomKeyIdentifier : {84, 101, 115, 116}
EndDate : 2024-03-21T14:14:14Z
KeyId : aaaaaaaa-0b0b-1c1c-2d2d-333333333333
StartDate : 2025-03-21T14:14:14Z
Type : Symmetric
Usage : Sign
Value : {49, 50, 51}

This example shows how to create an application key credential.

  • -ApplicationId Specifies a unique ID of an application.
  • -CustomKeyIdentifier Specifies a custom key ID.
  • -StartDate Specifies the time when the key becomes valid as a DateTime object.
  • -Type Specifies the type of the key.
  • -Usage Specifies the key usage. For AsymmetricX509Cert the usage must be Verify, and for X509CertAndPassword the usage must be Sign.
  • -Value Specifies the value for the key.

You can use the Get-EntraApplication cmdlet to retrieve the application Object ID.

Example 2: Use a certificate to add an application key credential

Connect-Entra -Scopes 'Application.ReadWrite.All','Application.ReadWrite.OwnedBy'
$application = Get-EntraApplication -Filter "DisplayName eq 'Contoso Helpdesk Application'"
$cer = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2('C:\Users\ContosoUser\appcert.cer') # load the public certificate from the .cer file (the constructor works on both Windows PowerShell and PowerShell 7; X509Certificate2.Import is not supported on .NET Core)
$bin = $cer.GetRawCertData()
$base64Value = [System.Convert]::ToBase64String($bin)
$bin = $cer.GetCertHash()
$base64Thumbprint = [System.Convert]::ToBase64String($bin)
$keyid = [System.Guid]::NewGuid().ToString()

$params = @{
 ApplicationId = $application.Id
 CustomKeyIdentifier = $base64Thumbprint
 Type = 'AsymmetricX509Cert'
 Usage = 'Verify'
 Value = $base64Value
 StartDate = $cer.NotBefore # DateTime properties avoid culture-dependent date string parsing
 EndDate = $cer.NotAfter
}
New-EntraApplicationKeyCredential @params

This example shows how to create an application key credential from an X.509 certificate file. Only the public certificate is uploaded; the private key stays with the application.

  • -ApplicationId Specifies a unique ID of an application.
  • -CustomKeyIdentifier Specifies a custom key ID.
  • -StartDate Specifies the time when the key becomes valid as a DateTime object.
  • -EndDate Specifies the time when the key becomes invalid as a DateTime object.
  • -Type Specifies the type of the key.
  • -Usage Specifies the key usage. For AsymmetricX509Cert the usage must be Verify, and for X509CertAndPassword the usage must be Sign.
  • -Value Specifies the value for the key.
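The Description notes that this cmdlet can be paired with Remove-EntraApplicationKeyCredential to automate rolling of expiring keys. The following added example (not from the page or the Entra PowerShell project) shows one such rotation: it lists certificate credentials that expire within 30 days, registers a freshly generated non-exportable certificate, and removes the expiring ones. It assumes Get-EntraApplicationKeyCredential takes -ApplicationId and Remove-EntraApplicationKeyCredential takes -ApplicationId and -KeyId, as in the Entra PowerShell module.

```powershell
# Added example: rotate an application's expiring certificate credentials.
# Assumes: Get-EntraApplicationKeyCredential -ApplicationId and
#          Remove-EntraApplicationKeyCredential -ApplicationId -KeyId (Entra PowerShell module).
Connect-Entra -Scopes 'Application.ReadWrite.All'
$application = Get-EntraApplication -Filter "DisplayName eq 'Contoso Helpdesk Application'"
$rotateWithinDays = 30

# 1. Find certificate credentials that expire inside the rotation window.
$expiring = Get-EntraApplicationKeyCredential -ApplicationId $application.Id |
    Where-Object { $_.Type -eq 'AsymmetricX509Cert' -and
                   [DateTime]$_.EndDate -lt (Get-Date).AddDays($rotateWithinDays) }
if (-not $expiring) {
    Write-Host 'No certificate credentials expire within the rotation window.'
    return
}

# 2. Generate the replacement certificate in the current user's store.
#    The private key is marked non-exportable, so only the public part ever leaves the host.
$cert = New-SelfSignedCertificate -Subject 'CN=Contoso Helpdesk Application' `
    -CertStoreLocation 'Cert:\CurrentUser\My' -KeyExportPolicy NonExportable `
    -KeySpec Signature -KeyLength 2048 -NotAfter (Get-Date).AddYears(1)

# 3. Register the public certificate as a Verify key, as in Example 2.
$params = @{
    ApplicationId       = $application.Id
    CustomKeyIdentifier = [Convert]::ToBase64String($cert.GetCertHash())
    Type                = 'AsymmetricX509Cert'
    Usage               = 'Verify'
    Value               = [Convert]::ToBase64String($cert.GetRawCertData())
    StartDate           = $cert.NotBefore
    EndDate             = $cert.NotAfter
}
$newKey = New-EntraApplicationKeyCredential @params
Write-Host "Added key $($newKey.KeyId), valid until $($newKey.EndDate)"

# 4. Remove the expiring credentials by KeyId. Run this step only after the
#    application has been reconfigured to authenticate with the new certificate.
foreach ($old in $expiring) {
    Remove-EntraApplicationKeyCredential -ApplicationId $application.Id -KeyId $old.KeyId
    Write-Host "Removed key $($old.KeyId) (expiry $($old.EndDate))"
}
```

Leaving the old credential registered until the new certificate is deployed avoids an outage; removing it promptly afterwards limits how long a possibly leaked key remains valid.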

Parameters

-ApplicationId

Specifies a unique ID of an application in Microsoft Entra ID.

Parameter properties

Type: System.String
Default value: None
Supports wildcards: False
DontShow: False
Aliases: ObjectId

-CustomKeyIdentifier

Specifies a custom key ID.

Parameter properties

Type: System.String
Default value: None
Supports wildcards: False
DontShow: False

-EndDate

Specifies the time when the key becomes invalid as a DateTime object.

Parameter properties

Type: System.DateTime
Default value: None
Supports wildcards: False
DontShow: False

-StartDate

Specifies the time when the key becomes valid as a DateTime object.

Parameter properties

Type: System.DateTime
Default value: None
Supports wildcards: False
DontShow: False

-Type

Specifies the type of the key.

Parameter properties

Type: KeyType
Default value: None
Supports wildcards: False
DontShow: False

-Usage

Specifies the key usage.

  • AsymmetricX509Cert: The usage must be Verify.
  • X509CertAndPassword: The usage must be Sign.

Parameter properties

Type: KeyUsage
Default value: None
Supports wildcards: False
DontShow: False

-Value

Specifies the value for the key.

Parameter properties

Type: System.String
Default value: None
Supports wildcards: False
DontShow: False

CommonParameters

This cmdlet supports the common parameters: -Debug, -ErrorAction, -ErrorVariable, -InformationAction, -InformationVariable, -OutBuffer, -OutVariable, -PipelineVariable, -ProgressAction, -Verbose, -WarningAction, and -WarningVariable. For more information, see about_CommonParameters.
