Configure OAuth authentication with AzureAD PowerShell Module

It looks like Lync/SfB PowerShell scripts – UC Lobby wasn’t the last post about Skype for Business.

While looking into a request to update the OAuth certificate, I found some notes for an unpublished blog post. Here is that blog post, with some additional information on how to remove expired OAuth certificates.

We already have detailed steps to extract and import the OAuth certificate for Exchange and Skype for Business in the following articles:
Configure OAuth authentication between Exchange and Exchange Online | Microsoft Learn

Integration between Skype for Business Online and Exchange server – Skype for Business Server 2015 | Microsoft Learn

In this post we describe an alternative method for both scenarios (Exchange and Skype for Business). We will use the AzureAD PowerShell module to import, and also to remove, expired OAuth certificates.

To install the AzureAD PowerShell module we can simply run this in a PowerShell window:

Install-Module AzureAD

In order to import the OAuth certificate, we need the Service Principal Object ID. This Object ID is different for Exchange and Skype for Business.
The ObjectId is returned by the Get-AzureADServicePrincipal PowerShell cmdlet:

#First we need to connect to AzureAD
Connect-AzureAD

#Exchange Online Service Principal
Get-AzureADServicePrincipal -SearchString "Office 365 Exchange Online"

#Skype for Business Online Service Principal
Get-AzureADServicePrincipal -SearchString "Skype for Business Online"

Reading and importing the OAuth certificate

In the following examples we assume that we previously exported the OAuth certificate from Exchange Server (ExOAuth.cer) and from Skype for Business Server (SfBOAuth.cer) and copied them to C:\Temp. Note that we can use any PC that has the AzureAD PowerShell module installed.

#Connect to AzureAD
Connect-AzureAD

#Read the Exchange Server OAuth certificate from the file stored in C:\Temp
$CertPath = "C:\Temp\ExOAuth.cer"
$OAuthCert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate
$OAuthCert.Import($CertPath)
#Base64 encode the DER bytes; this is the format expected by the -Value parameter
$binaryValue = $OAuthCert.GetRawCertData()
$credentialsValue = [System.Convert]::ToBase64String($binaryValue)

#Import the Exchange Server OAuth Certificate to Office 365
$ExoObjID = (Get-AzureADServicePrincipal -SearchString "Office 365 Exchange Online").ObjectId

New-AzureADServicePrincipalKeyCredential -ObjectId $ExoObjID -Type Asymmetric -Usage Verify -Value $credentialsValue -EndDate $OAuthCert.GetExpirationDateString()

For Skype for Business:

#Connect to AzureAD
Connect-AzureAD

#Read the SfB Server OAuth certificate from the file stored in C:\Temp
$CertPath = "C:\Temp\SfBOAuth.cer"
$OAuthCert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate
$OAuthCert.Import($CertPath)
#Base64 encode the DER bytes; this is the format expected by the -Value parameter
$binaryValue = $OAuthCert.GetRawCertData()
$credentialsValue = [System.Convert]::ToBase64String($binaryValue)

#Import the SfB Server OAuth Certificate to Office 365
$SfBObjID = (Get-AzureADServicePrincipal -SearchString "Skype for Business Online").ObjectId

New-AzureADServicePrincipalKeyCredential -ObjectId $SfBObjID -Type Asymmetric -Usage Verify -Value $credentialsValue -EndDate $OAuthCert.GetExpirationDateString()
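The import steps above wrapped in a function with the checks I would want before touching a production service principal: the certificate is parsed with X509Certificate2, an expired file is rejected, the search string must match exactly one service principal, and a likely duplicate import is flagged. This is an added example, not code from the original post; the function name and the EndDate-based duplicate heuristic are my own assumptions (the read API does not return the key bytes, so EndDate is the only field available to compare), and -Type AsymmetricX509Cert is the value the AzureAD module documents for X.509 certificates.

```powershell
function Import-OAuthCertificate {
    [CmdletBinding()]
    param(
        # e.g. "Office 365 Exchange Online" or "Skype for Business Online"
        [Parameter(Mandatory)][string]$ServicePrincipalSearchString,
        [Parameter(Mandatory)][string]$CertPath
    )
    # X509Certificate2 reads DER or Base64 .cer files and exposes NotBefore/NotAfter as DateTime
    $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $CertPath
    $now = Get-Date
    if ($cert.NotAfter -lt $now) {
        throw "Certificate $($cert.Thumbprint) expired on $($cert.NotAfter); export the current OAuth certificate first."
    }
    if ($cert.NotBefore -gt $now) {
        Write-Warning "Certificate $($cert.Thumbprint) is not valid until $($cert.NotBefore)."
    }

    # -SearchString is a prefix match, so make sure we did not hit more than one service principal
    $sp = @(Get-AzureADServicePrincipal -SearchString $ServicePrincipalSearchString)
    if ($sp.Count -ne 1) {
        throw "Expected exactly one service principal matching '$ServicePrincipalSearchString', found $($sp.Count)."
    }
    $sp = $sp[0]

    # Heuristic duplicate check (assumption): a credential whose EndDate matches the certificate's
    # NotAfter to the minute is almost certainly this same certificate already imported
    $existing = @(Get-AzureADServicePrincipalKeyCredential -ObjectId $sp.ObjectId)
    $sameEnd = $existing | Where-Object {
        $_.EndDate -and [math]::Abs((([datetime]$_.EndDate).ToUniversalTime() - $cert.NotAfter.ToUniversalTime()).TotalMinutes) -lt 1
    }
    if ($sameEnd) {
        Write-Warning "A key credential with the same EndDate already exists (KeyId $($sameEnd.KeyId)); skipping import."
        return $sameEnd
    }

    # Same encoding as the manual steps: Base64 of the DER certificate bytes
    $value = [System.Convert]::ToBase64String($cert.GetRawCertData())
    New-AzureADServicePrincipalKeyCredential -ObjectId $sp.ObjectId -Type AsymmetricX509Cert -Usage Verify `
        -Value $value -StartDate $cert.NotBefore -EndDate $cert.NotAfter
}

# Usage (after Connect-AzureAD):
# Import-OAuthCertificate -ServicePrincipalSearchString "Office 365 Exchange Online" -CertPath "C:\Temp\ExOAuth.cer"
```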

After importing the certificate, we should verify that it was imported. For Exchange:

#Verify imported Exchange OAuth certificates
$ExoObjID = (Get-AzureADServicePrincipal -SearchString "Office 365 Exchange Online").ObjectId

Get-AzureADServicePrincipalKeyCredential -ObjectId $ExoObjID

#Verify imported Skype for Business OAuth certificates
$SfBObjID = (Get-AzureADServicePrincipal -SearchString "Skype for Business Online").ObjectId

Get-AzureADServicePrincipalKeyCredential -ObjectId $SfBObjID

Remove expired OAuth certificates

If we identify old entries, we can remove them; for that we need to know the KeyId. The KeyId is returned by the Get-AzureADServicePrincipalKeyCredential cmdlet. Here is an example:

#Remove Exchange OAuth certificate
$ExoObjID = (Get-AzureADServicePrincipal -SearchString "Office 365 Exchange Online").ObjectId

Remove-AzureADServicePrincipalKeyCredential -ObjectId $ExoObjID -KeyId <KEY ID>

#Remove Skype for Business OAuth certificate
$SfBObjID = (Get-AzureADServicePrincipal -SearchString "Skype for Business Online").ObjectId
Remove-AzureADServicePrincipalKeyCredential -ObjectId $SfBObjID -KeyId <KEY ID>

We can also remove all the expired OAuth certificates.
First, we need to identify the expired certificates; for this we use the following cmdlet:

#List Exchange OAuth expired certificates
$ExoObjID = (Get-AzureADServicePrincipal -SearchString "Office 365 Exchange Online").ObjectId

Get-AzureADServicePrincipalKeyCredential -ObjectId $ExoObjID | Where-Object -Property EndDate -LT -Value (Get-Date) | Format-Table KeyId, EndDate

#List Skype for Business OAuth expired certificates
$SfBObjID = (Get-AzureADServicePrincipal -SearchString "Skype for Business Online").ObjectId

Get-AzureADServicePrincipalKeyCredential -ObjectId $SfBObjID | Where-Object -Property EndDate -LT -Value (Get-Date) | Format-Table KeyId, EndDate

We can use Remove-AzureADServicePrincipalKeyCredential to remove all the expired certificates. I recommend double-checking the EndDate before continuing:

#Remove all Exchange OAuth expired certificates
$ExoObjID = (Get-AzureADServicePrincipal -SearchString "Office 365 Exchange Online").ObjectId

Get-AzureADServicePrincipalKeyCredential -ObjectId $ExoObjID | Where-Object -Property EndDate -LT -Value (Get-Date) | Remove-AzureADServicePrincipalKeyCredential -ObjectId $ExoObjID

#Remove all Skype for Business OAuth expired certificates
$SfBObjID = (Get-AzureADServicePrincipal -SearchString "Skype for Business Online").ObjectId

Get-AzureADServicePrincipalKeyCredential -ObjectId $SfBObjID | Where-Object -Property EndDate -LT -Value (Get-Date) | Remove-AzureADServicePrincipalKeyCredential -ObjectId $SfBObjID
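The bulk removal above as a function that supports -WhatIf/-Confirm and refuses to run when the service principal would be left with no unexpired credential (which would break OAuth between the on-premises server and Office 365). This is an added example and not code from the original post; the function name and the optional -GraceDays parameter are my own assumptions.

```powershell
function Remove-ExpiredOAuthCredential {
    [CmdletBinding(SupportsShouldProcess, ConfirmImpact = 'High')]
    param(
        # e.g. "Office 365 Exchange Online" or "Skype for Business Online"
        [Parameter(Mandatory)][string]$ServicePrincipalSearchString,
        # Assumed option: keep credentials that expired within the last N days (0 = remove anything already expired)
        [int]$GraceDays = 0
    )
    $sp = @(Get-AzureADServicePrincipal -SearchString $ServicePrincipalSearchString)
    if ($sp.Count -ne 1) {
        throw "Expected exactly one service principal matching '$ServicePrincipalSearchString', found $($sp.Count)."
    }
    $sp = $sp[0]

    $now    = Get-Date
    $cutoff = $now.AddDays(-$GraceDays)
    $creds  = @(Get-AzureADServicePrincipalKeyCredential -ObjectId $sp.ObjectId)
    $expired   = @($creds | Where-Object { $_.EndDate -and [datetime]$_.EndDate -lt $cutoff })
    $unexpired = @($creds | Where-Object { -not $_.EndDate -or [datetime]$_.EndDate -ge $now })

    # Safety check: never delete the last usable key; import the current certificate first
    if ($unexpired.Count -eq 0) {
        throw "No unexpired key credential is registered on '$($sp.DisplayName)'; import the current OAuth certificate before removing old ones."
    }

    foreach ($c in $expired) {
        # ShouldProcess gives us -WhatIf for a dry run and a confirmation prompt per KeyId otherwise
        $target = "$($sp.DisplayName) KeyId $($c.KeyId) (EndDate $($c.EndDate))"
        if ($PSCmdlet.ShouldProcess($target, "Remove expired key credential")) {
            Remove-AzureADServicePrincipalKeyCredential -ObjectId $sp.ObjectId -KeyId $c.KeyId
        }
    }

    [pscustomobject]@{
        ServicePrincipal = $sp.DisplayName
        Expired          = $expired.Count
        Unexpired        = $unexpired.Count
    }
}

# Dry run first, then the real thing (after Connect-AzureAD):
# Remove-ExpiredOAuthCredential -ServicePrincipalSearchString "Office 365 Exchange Online" -WhatIf
# Remove-ExpiredOAuthCredential -ServicePrincipalSearchString "Office 365 Exchange Online"
```

Microsoft has since deprecated the AzureAD module in favour of the Microsoft Graph PowerShell SDK, so for a new deployment the same checks would need to be ported to the Graph cmdlets.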