Azure AD App Proxy: Bulk Update TLS Certificate for a Custom Domain

By | May 17, 2021

Overview

The reason for this quick post is that a community contributor on Discord recently asked whether it was possible to update the TLS certificate for all of their Azure AD App Proxy applications on a custom domain. In this scenario the applications' external URLs were on a custom domain rather than the msproxy.net domain. A single wildcard certificate had been used for all the applications on the custom domain, and the applications needed to be bulk-updated with the renewed certificate.

How to Run the Script

You must have the following before running this script:

  • The custom domain the applications are using (example: dectur.com)
  • The new TLS certificate in PFX format, together with the file password
  • The TLS certificate file path, including the file name (e.g. C:\temp\Wildcard.pfx)
  • The AzureAD or AzureADPreview PowerShell module installed

The Script

The most recent version of the script can be found on my GitHub (decturau).

<#
.SYNOPSIS
  This script will update the TLS certificate for all Azure AD App Proxy Apps on a particular custom domain.
.DESCRIPTION
  You should have Application Administrator permissions to run this. A use-case is for updating a new Wildcard certificate across multiple applications.

.NOTES
  Version:        1.0
  Author:         Declan Turley
  Purpose:        Update multiple Apps with new TLS certificate.

.PARAMETER CustomDomain
The domain linked to the external URL of the application where you wish to update the certificate

.PARAMETER PFXLocation
The location of the new certificate PFX. Includes the file name.

.EXAMPLE
  Update-CustomDomainProxyAppsTLSCertificate.ps1 -CustomDomain domain.com -PFXLocation 'C:\temp\cert.pfx'
#>

Param(
    [Parameter(Mandatory = $true)]
    [string] $CustomDomain,
    [Parameter(Mandatory = $true)]
    [string] $PFXLocation
)

# Enter the PFX password (kept as a SecureString; it is only ever passed to the Set-* cmdlet)
Write-Host 'Enter the password for PFX file' -ForegroundColor Yellow
$PFXPassword = Read-Host -AsSecureString

# Connect to AzureAD
Write-Host 'Connecting to AzureAD' -ForegroundColor Yellow
Connect-AzureAD

# Get all Azure AD App Proxy applications by checking the ObjectId of every app.
# Get-AzureADApplicationProxyApplication errors for apps that are not published through
# App Proxy; -ErrorAction Stop makes that error terminating so the catch block really skips them.
Write-Host 'Obtaining Azure AD App Proxy Applications for your Domain' -ForegroundColor Yellow
$ProxyApps = foreach ($a in (Get-AzureADApplication -All:$true)) {
    try {
        $p = Get-AzureADApplicationProxyApplication -ObjectId $a.ObjectId -ErrorAction Stop
        [pscustomobject]@{
            ObjectID    = $a.ObjectId
            DisplayName = $a.DisplayName
            ExternalUrl = $p.ExternalUrl
            InternalUrl = $p.InternalUrl
        }
    }
    catch {
        continue
    }
}

# Filter the proxy applications whose ExternalUrl host is the custom domain or a subdomain of it.
# Matching on the URL host (rather than a bare substring) avoids picking up apps on a domain
# that merely contains the custom domain name (e.g. notdectur.com).
$AppsOnCustomDomain = $ProxyApps | Where-Object {
    $h = ([uri] $_.ExternalUrl).Host
    $h -eq $CustomDomain -or $h -like "*.$CustomDomain"
}

Write-Host 'The following applications will have their certificate changed' -ForegroundColor Yellow
$AppsOnCustomDomain | Out-Host

Write-Host 'Are you sure you wish to change certificate on the above applications? (Y/N)' -ForegroundColor Yellow
$Answer = Read-Host

if ($Answer -eq 'Y') {
    # Loop through the custom domain apps and upload the new TLS certificate
    foreach ($CustomDomainApp in $AppsOnCustomDomain) {
        Write-Host "Setting Certificate on Application" $CustomDomainApp.DisplayName -ForegroundColor Green
        Set-AzureADApplicationProxyApplicationCustomDomainCertificate -ObjectId $CustomDomainApp.ObjectID -PfxFilePath "$PFXLocation" -Password $PFXPassword
    }
}
else {
    Write-Host 'Apps not approved for change' -ForegroundColor Red
}
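The script uploads the certificate but never confirms that the published endpoints now present it. The following post-update check is an added example (not part of the original post or its GitHub script) that opens a TLS connection to each external URL and compares the served certificate's thumbprint with the thumbprint of the PFX that was uploaded. It assumes the variables $PFXLocation, $PFXPassword and $AppsOnCustomDomain from the script above are still in the session, and that the session can reach the App Proxy endpoints on port 443.

```powershell
# Added example: verify that every external URL on the custom domain now serves
# the certificate from the PFX. Assumes $PFXLocation, $PFXPassword (SecureString)
# and $AppsOnCustomDomain from the script above.

function Get-ServedCertificate {
    param(
        [Parameter(Mandatory = $true)][string] $HostName,
        [int] $Port = 443
    )
    $client = New-Object System.Net.Sockets.TcpClient($HostName, $Port)
    try {
        # The callback accepts any chain: we only want to inspect what the endpoint presents,
        # chain validity is reported separately via Verify() below.
        $callback = [System.Net.Security.RemoteCertificateValidationCallback] { $true }
        $ssl = New-Object System.Net.Security.SslStream($client.GetStream(), $false, $callback)
        $ssl.AuthenticateAsClient($HostName)   # SNI host name, so the proxy selects the custom domain cert
        return New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
    }
    finally {
        $client.Close()
    }
}

# Load the PFX locally to learn the thumbprint we expect to see on the wire.
$Expected = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($PFXLocation, $PFXPassword)
Write-Host "Expecting thumbprint $($Expected.Thumbprint), valid until $($Expected.NotAfter)" -ForegroundColor Yellow

$Report = foreach ($App in $AppsOnCustomDomain) {
    $HostName = ([uri] $App.ExternalUrl).Host
    try {
        $Served = Get-ServedCertificate -HostName $HostName
        [pscustomobject]@{
            DisplayName      = $App.DisplayName
            Host             = $HostName
            ServedThumbprint = $Served.Thumbprint
            NotAfter         = $Served.NotAfter
            ChainValid       = $Served.Verify()
            MatchesPfx       = ($Served.Thumbprint -eq $Expected.Thumbprint)
        }
    }
    catch {
        # Connection or handshake failure: record it instead of aborting the whole check.
        [pscustomobject]@{ DisplayName = $App.DisplayName; Host = $HostName; ServedThumbprint = $null;
                           NotAfter = $null; ChainValid = $false; MatchesPfx = $false }
    }
}

$Report | Format-Table -AutoSize
$Report | Where-Object { -not $_.MatchesPfx } | ForEach-Object {
    Write-Host "Certificate NOT updated (or not reachable) on $($_.Host)" -ForegroundColor Red
}
```

App Proxy can take a few minutes to start serving a newly uploaded certificate, so a mismatch immediately after the update is worth re-checking before treating it as a failure.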
