通过

获取使用相同证书发布的所有 Microsoft Entra 应用程序代理应用程序,并替换该证书

PowerShell 脚本示例批量替换使用相同证书发布的所有Microsoft Entra 应用程序代理应用程序的证书。

如果没有 Azure 订阅,可在开始前创建一个 Azure 试用版

注释

建议使用 Azure Az PowerShell 模块与 Azure 交互。 请参阅安装 Azure PowerShell 以开始使用。 若要了解如何迁移到 Az PowerShell 模块,请参阅 将 Azure PowerShell 从 AzureRM 迁移到 Az

此示例需要 Microsoft Graph Beta PowerShell 模块 2.10 或更高版本。

示例脚本

# This sample script gets all Microsoft Entra application proxy applications published with the identical certificate.
#
# .\replace_with_the_script_name.ps1 -CurrentThumbprint <thumbprint of the current certificate> -PFXFilePath <full path with PFX filename>
#
# Version 1.0
#
# This script requires PowerShell 5.1 (x64) and one of the following modules:
#
# Microsoft.Graph ver 2.10 or newer
#
# Before you begin:
#    
#    Required Microsoft Entra role at least Application Administrator or Application Developer 
#    or appropriate custom permissions as documented https://learn.microsoft.com/azure/active-directory/roles/custom-enterprise-app-permissions
#
# 

param(
[parameter(Mandatory=$true)]
[string] $CurrentThumbprint = "null",
[parameter(Mandatory=$true)]
[string] $PFXFilePath = "null"
)

$certThumbprint = $CurrentThumbprint
$certPfxFilePath = $PFXFilePath

If (($certThumbprint -eq "null") -or ($certPfxFilePath -eq "null")) {

    Write-Host "Parameter is missing." -BackgroundColor "Black" -ForegroundColor "Green"
    Write-Host " "
    Write-Host ".\get-custom-domain-replace-cert.ps1 -CurrentThumbprint <thumbprint of the current certificate> -PFXFilePath <full path with PFX filename>" -BackgroundColor "Black" -ForegroundColor "Green"
    Write-Host " "

    Exit
}

If ((Test-Path -Path $certPfxFilePath) -eq $False) {

    Write-Host "The pfx file does not exist." -BackgroundColor "Black" -ForegroundColor "Red"
    Write-Host " "

    Exit
}

$securePassword = Read-Host -AsSecureString // please provide the password of the pfx file

Import-Module Microsoft.Graph.Beta.Applications

Connect-MgGraph -Environment China -ClientId 'YOUR_CLIENT_ID' -TenantId 'YOUR_TENANT_ID' -Scope Directory.ReadWrite.All -NoWelcome

Write-Host "Reading service principals. This operation might take longer..." -BackgroundColor "Black" -ForegroundColor "Green"

$allApps = Get-MgBetaServicePrincipal -Top 100000 | where-object {$_.Tags -Contains "WindowsAzureActiveDirectoryOnPremApp"}

$numberofAadapApps = 0

Write-Host ("")
Write-Host ("SSL certificate change for the Microsoft Entra application proxy apps below:")
Write-Host ("")

foreach ($item in $allApps) {

  $aadapApp, $aadapAppConf, $aadapAppConf1 = $null, $null, $null


  $aadapAppId =  Get-MgBetaApplication -Filter "AppId eq '$($item.AppID)'"

  $aadapAppConf = Get-MgBetaApplication -ApplicationId $aadapAppId.Id -ErrorAction SilentlyContinue -select OnPremisesPublishing | select OnPremisesPublishing -expand OnPremisesPublishing 
  $aadapAppConf1 = Get-MgBetaApplication -ApplicationId $aadapAppId.Id -ErrorAction SilentlyContinue -select OnPremisesPublishing | select OnPremisesPublishing -expand OnPremisesPublishing `
    | select verifiedCustomDomainCertificatesMetadata -expand verifiedCustomDomainCertificatesMetadata 

  if ($aadapAppConf -ne $null) {

    if ($aadapAppConf1.VerifiedCustomDomainCertificatesMetadata.Thumbprint -match $certThumbprint) {

      Write-Host $item.DisplayName"(AppId: " $item.AppId ", ObjId:" $item.Id")" -BackgroundColor "Black" -ForegroundColor "White"
      Write-Host
      Write-Host "External Url: " $aadapAppConf.ExternalUrl
      Write-Host "Internal Url: " $aadapAppConf.InternalUrl
      Write-Host "Pre-authentication: " $aadapAppConf.ExternalAuthenticationType
      Write-Host

      $params = @{
         onPremisesPublishing = @{
            verifiedCustomDomainKeyCredential = @{
                type="X509CertAndPassword";
                value = [convert]::ToBase64String((Get-Content $certPfxFilePath -Encoding byte));
            };
            verifiedCustomDomainPasswordCredential = @{
                value = [System.Runtime.InteropServices.Marshal]::PtrToStringAuto([System.Runtime.InteropServices.Marshal]::SecureStringToBSTR($securePassword)) };
         }
      }

      Update-MgBetaApplication -ApplicationId $aadapAppId.Id -BodyParameter $params
  
      $numberofAadapApps = $numberofAadapApps + 1
    }
  }
}

Write-Host
Write-Host "Number of the updated Microsoft Entra application proxy applications: " $numberofAadapApps -BackgroundColor "Black" -ForegroundColor "White"
Write-Host ("")

Write-Host
Write-Host "Finished." -BackgroundColor "Black" -ForegroundColor "Green"
Write-Host "To disconnect from Microsoft Graph, please use the Disconnect-MgGraph cmdlet."

脚本说明

Command 注释
Connect-MgGraph 连接到 Microsoft Graph
Get-MgBetaServicePrincipal 获取服务主体
Get-MgBetaApplication 获取企业应用程序
Update-MgBetaApplication 更新应用程序

后续步骤

  • Last updated on