Git Product home page Git Product logo

azure-activedirectory-powershell-tokenkey's Introduction

Azure Active Directory Token Signing Key Scripts

This repository contains PowerShell scripts that developers and administrators can use to:

  • Test their Azure Active Directory integrated applications for automatic token signing key rollover.
  • Establish a manual signing key rollover process for their Azure Active Directory integrated applications that do not support automatic token signing key rollover.

For more information about signing key rollover, check out the Signing key rollover in Azure Active Directory documentation.

Impact

These scripts set the preferred token signing key on a specific application. As a result, any user that signs in to the application after the script is run will receive tokens signed with the preferred key.

Pre-Requisites

These scripts can only be run by an Azure Active Directory Global Administrator.

If the application does not support automatic rollover, changing the token signing key will result in downtime. Therefore, it is strongly recommended that these scripts are only run either

  • on a test application for which downtime is acceptable; or,
  • on a production application during downtime window.

Steps To Setup The Scripts

  1. Download and extract the scripts.

  2. Start Windows PowerShell.

  3. Navigate to the folder where the scripts were extracted.

  4. Run the following to install the AADGraph module (and ADAL):

    .\install-aadGraphModule.ps1

Steps To Test For Automatic Rollover

  1. Get the list of available signing keys:

    .\Get-AADSigningKey.ps1 | Format-Table

  2. Pick any of the keys and configure Azure Active Directory to use that key with your application:

    .\Set-AADSigningKey.ps1 -ApplicationId <ApplicationId> -KeyThumbprint <Thumbprint>

  3. Test the web application. The change is instantaneous, but make sure you use a new browser session (e.g. IE's "InPrivate", Chrome "Incognito", or Firefox's "Private") to ensure you are issued a new token.

  4. Repeat steps 2 through 3 with all the keys returned from step 1.

  5. If the web application signs you in properly, it supports automatic rollover. If it does not:

  1. Execute the following script to revert to normal behavior:

    .\Set-AADSigningKey.ps1 -ApplicationId <ApplicationId> -Default

Steps To Perform Manual Rollover

  1. Get the latest signing key:

    .\Get-AADSigningKey.ps1 -Latest

  2. Compare this key against the key your application is currently hardcoded or configured to use.

  3. If the latest key is different from the key your application is using, download the latest signing key:

    ..\Get-AADSigningKey.ps1 -Latest -DownloadPath <DownloadPath>

  4. Update your application's code or configuration to the new key.

  5. Configure Azure Active Directory to use that latest key with your application:

    .\Set-AADSigningKey.ps1 -ApplicationId <ApplicationId> -Latest

  6. Test the web application. The change is instantaneous, but make sure you use a new browser session (e.g. IE's "InPrivate", Chrome "Incognito", or Firefox's "Private") to ensure you are issued a new token.

  7. If you experience any issues, revert to the previous key you were using and contact Azure support:

    .\Set-AADSigningKey.ps1 -ApplicationId <ApplicationId> -KeyThumbprint <Thumbprint>

  8. Once you update your application as per our guidance in Signing key rollover in Azure Active Directory documentation to support for automatic rollover, revert to normal behavior:

    .\Set-AADSigningKey.ps1 -ApplicationId <ApplicationId> -Default

Security Reporting

If you find a security issue with our libraries or services please report it to [email protected] with as much detail as possible. Your submission may be eligible for a bounty through the Microsoft Bounty program. Please do not post security issues to GitHub Issues or any other public site. We will contact you shortly upon receiving the information. We encourage you to get notifications of when security incidents occur by visiting this page and subscribing to Security Advisory Alerts.

We Value and Adhere to the Microsoft Open Source Code of Conduct

This project has adopted the Microsoft Open Source Code of Conduct. For more information see the Code of Conduct FAQ or contact [email protected] with any additional questions or comments.

azure-activedirectory-powershell-tokenkey's People

Contributors

gsacavdm avatar psignoret avatar

Recommend Projects

  • React photo React

    A declarative, efficient, and flexible JavaScript library for building user interfaces.

  • Vue.js photo Vue.js

    ๐Ÿ–– Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.

  • Typescript photo Typescript

    TypeScript is a superset of JavaScript that compiles to clean JavaScript output.

  • TensorFlow photo TensorFlow

    An Open Source Machine Learning Framework for Everyone

  • Django photo Django

    The Web framework for perfectionists with deadlines.

  • D3 photo D3

    Bring data to life with SVG, Canvas and HTML. ๐Ÿ“Š๐Ÿ“ˆ๐ŸŽ‰

Recommend Topics

  • javascript

    JavaScript (JS) is a lightweight interpreted programming language with first-class functions.

  • web

    Some thing interesting about web. New door for the world.

  • server

    A server is a program made to process requests and deliver data to clients.

  • Machine learning

    Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.

  • Game

    Some thing interesting about game, make everyone happy.

Recommend Org

  • Facebook photo Facebook

    We are working to build community through open source technology. NB: members must have two-factor auth.

  • Microsoft photo Microsoft

    Open source projects and samples from Microsoft.

  • Google photo Google

    Google โค๏ธ Open Source for everyone.

  • D3 photo D3

    Data-Driven Documents codes.