Overview
The reason for this quick post is that a community contributor on Discord recently asked whether it was possible to update the TLS certificate for all of their Azure AD App Proxy applications on a custom domain. In this scenario the applications' external URLs were on a custom domain rather than the default msappproxy.net domain. A single wildcard certificate covered all the applications on the custom domain, so the requirement was to bulk update those applications with the new certificate instead of touching each one by hand.
How to Run the Script
You must have the following before running this script:
- The custom domain the applications are using (for example dectur.com)
- The new TLS certificate in PFX format, plus the password for the file
- The path to the TLS certificate file, including the file name (e.g. C:\temp\Wildcard.pfx)
- The AzureAD or AzureADPreview PowerShell module installed
The Script
The most recent version of the script can be found on my GitHub (decturau).
<#
.SYNOPSIS
This script will update the TLS certificate for all Azure AD App Proxy Apps on a particular custom domain.
.DESCRIPTION
You should have Application Administrator permissions to run this. A typical use case is rolling a new wildcard certificate out across multiple applications.
.NOTES
Version: 1.0
Author: Declan Turley
Purpose: Update multiple Apps with new TLS certificate.
.PARAMETER CustomDomain
The domain linked to the external URL of the application where you wish to update the certificate
.PARAMETER PFXLocation
The location of the new certificate PFX. Includes the file name.
.EXAMPLE
Update-CustomDomainProxyAppsTLSCertificate.ps1 -CustomDomain domain.com -PFXLocation 'C:\temp\cert.pfx'
#>
Param(
    [Parameter(Mandatory = $true)]
    [string] $CustomDomain,
    [Parameter(Mandatory = $true)]
    [string] $PFXLocation
)

# Enter the PFX password (read as a SecureString so it never sits in plain text in the session)
Write-Host 'Enter the password for PFX file' -ForegroundColor Yellow
$PFXPassword = Read-Host -AsSecureString

# Connect to AzureAD
Write-Host 'Connecting to AzureAD' -ForegroundColor Yellow
Connect-AzureAD

# Get all Azure AD App Proxy applications by checking the ObjectId of every app.
# Apps that are not published through App Proxy make Get-AzureADApplicationProxyApplication
# fail; -ErrorAction Stop makes that a terminating error so the catch block skips them.
Write-Host 'Obtaining Azure AD App Proxy Applications for your Domain' -ForegroundColor Yellow
$ProxyApps = foreach ($a in (Get-AzureADApplication -All:$true)) {
    try {
        $p = Get-AzureADApplicationProxyApplication -ObjectId $a.ObjectId -ErrorAction Stop
        [pscustomobject]@{
            ObjectID    = $a.ObjectId
            DisplayName = $a.DisplayName
            ExternalUrl = $p.ExternalUrl
            InternalUrl = $p.InternalUrl
        }
    }
    catch {
        continue
    }
}

# Filter the proxy applications whose external URL host is on your domain.
# Matching on the URI host rather than a substring of the whole URL avoids picking up
# unrelated apps (e.g. notdectur.com) whose URL merely contains the domain name.
$AppsOnCustomDomain = $ProxyApps | Where-Object {
    $h = ([uri]$_.ExternalUrl).Host
    ($h -eq $CustomDomain) -or ($h -like "*.$CustomDomain")
}

if (-not $AppsOnCustomDomain) {
    Write-Warning "No App Proxy applications found with an external URL on $CustomDomain"
    return
}

Write-Host 'The following applications will have their certificate changed' -ForegroundColor Yellow
$AppsOnCustomDomain | Out-Host

Write-Host 'Are you sure you wish to change certificate on the above applications? (Y/N)' -ForegroundColor Yellow
$Answer = Read-Host
if ($Answer -eq 'Y') {
    # Loop through the custom domain apps and upload the new TLS certificate to each one
    foreach ($CustomDomainApp in $AppsOnCustomDomain) {
        Write-Host "Setting Certificate on Application" $CustomDomainApp.DisplayName -ForegroundColor Green
        Set-AzureADApplicationProxyApplicationCustomDomainCertificate -ObjectId $CustomDomainApp.ObjectID `
            -PfxFilePath $PFXLocation -Password $PFXPassword
    }
}
else {
    Write-Host 'Apps not approved for change' -ForegroundColor Red
}
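A pre-flight check worth running before the Y/N prompt, added here as an example and not part of the script above or of the GitHub version: it loads the PFX, confirms it carries a private key and is inside its validity period, and verifies that every app's external host is covered by a SAN entry or the subject CN, using the single-label wildcard rule from RFC 6125. Test-NameCoversHost and Test-ProxyCertificate are names chosen for this example, and the SAN parsing assumes the English "DNS Name=" rendering of the extension's Format() output.

```powershell
# Added example, not part of the original script: check the new PFX before the bulk
# update so a wrong or expired certificate is not pushed to every app on the domain.
function Test-NameCoversHost {
    param([string] $CertName, [string] $HostName)
    if ($CertName.StartsWith('*.')) {
        # A wildcard covers exactly one left-most label (RFC 6125), so *.dectur.com
        # matches app.dectur.com but neither dectur.com nor a.b.dectur.com.
        $suffix = $CertName.Substring(1)                      # ".dectur.com"
        if (-not $HostName.EndsWith($suffix, [StringComparison]::OrdinalIgnoreCase)) { return $false }
        $label = $HostName.Substring(0, $HostName.Length - $suffix.Length)
        return ($label.Length -gt 0) -and ($label -notmatch '\.')
    }
    return [string]::Equals($CertName, $HostName, [StringComparison]::OrdinalIgnoreCase)
}

function Test-ProxyCertificate {
    param(
        [Parameter(Mandatory = $true)] [string] $PFXLocation,
        [Parameter(Mandatory = $true)] [securestring] $PFXPassword,
        [Parameter(Mandatory = $true)] [string[]] $ExternalUrls
    )
    $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 `
        -ArgumentList $PFXLocation, $PFXPassword
    $problems = @()
    if (-not $cert.HasPrivateKey) { $problems += 'PFX does not contain a private key' }
    if ($cert.NotAfter -lt (Get-Date)) { $problems += "Certificate expired on $($cert.NotAfter)" }
    if ($cert.NotBefore -gt (Get-Date)) { $problems += "Certificate not valid until $($cert.NotBefore)" }
    # Collect the DNS names the certificate is valid for: SAN entries plus the subject CN.
    # Assumption: Format() renders the SAN as "DNS Name=host, DNS Name=host" (English Windows).
    $names = @()
    $san = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' } | Select-Object -First 1
    if ($san) {
        $names += [regex]::Matches($san.Format($false), 'DNS Name=([^,\s]+)') |
            ForEach-Object { $_.Groups[1].Value }
    }
    if ($cert.Subject -match 'CN=([^,]+)') { $names += $Matches[1] }
    # Every app's external host must be covered by at least one name on the certificate.
    foreach ($url in $ExternalUrls) {
        $hostName = ([uri]$url).Host
        $covered = @($names | Where-Object { Test-NameCoversHost -CertName $_ -HostName $hostName }).Count -gt 0
        if (-not $covered) { $problems += "$hostName is not covered by [$($names -join ', ')]" }
    }
    return $problems   # an empty list means the certificate is safe to upload
}

# Usage in the script, after $AppsOnCustomDomain has been built and before the Y/N prompt:
$problems = Test-ProxyCertificate -PFXLocation $PFXLocation -PFXPassword $PFXPassword `
    -ExternalUrls ($AppsOnCustomDomain | ForEach-Object { $_.ExternalUrl })
if ($problems) { $problems | Write-Warning; throw 'Certificate check failed, no apps were changed' }
```

Because Set-AzureADApplicationProxyApplicationCustomDomainCertificate replaces the certificate on every selected app in one pass, catching a mismatched name or a PFX without its private key here is far cheaper than rolling back a dozen broken endpoints afterwards.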