GraphAPI_addKey_API_SP: Introduction

A .NET Core 3.1 console application sample that calls the Microsoft Graph API to add a key credential to an application.

For this demo we use the addKey API on an application object, but the code can be changed to target a service principal instead.

The sample can call the addKey API either through the Graph SDK or by calling the Graph REST endpoint directly. More info here

Running the sample

Step 1: Clone this repository

From your shell or command line:

    git clone https://github.com/blackadi/GraphAPI_addKey_API_SP.git

Step 2: Register the sample with your Azure Active Directory tenant

  1. Navigate to the Microsoft identity platform for developers App registrations page.

  2. Select New registration.

    • In the Name section, enter a meaningful application name that will be displayed to users of the app.
    • In the Supported account types section, select Accounts in this organizational directory only ({tenant name}).
    • Click Register button at the bottom to create the application.
  3. On the application Overview page, find the Application (client) ID and Directory (tenant) ID values and record them for later. You'll need them to fill in the configuration file(s) in your code.

  4. From the Certificates & secrets page, in the Client secrets section, choose New client secret:

    • Type a key description (for instance "app secret").
    • Select a key duration, for example 6 months.
    • When you press the Add button, the key value is displayed; copy it and save it in a safe location.
    • You'll need this key later to configure the project in Visual Studio. The value is never displayed again and cannot be retrieved by any other means, so record it as soon as it appears in the Azure portal.
  5. In the Application menu blade, click API permissions on the left to open the page where you add access to the APIs your application needs.

    • Click the Add a permission button and then,
    • Ensure that the Microsoft APIs tab is selected
    • In the Commonly used Microsoft APIs section, click on Microsoft Graph
    • In the Application permissions section, ensure that the right permissions are checked: Application.ReadWrite.OwnedBy
    • Select the Add permissions button at the bottom.
  6. At this stage the permissions are assigned correctly, but since the client app does not allow users to interact, users themselves cannot consent to these permissions. To get around this, let the tenant administrator consent on behalf of all users in the tenant. Click the Grant admin consent for {tenant} button, then select Yes when asked whether to grant consent for the requested permissions for all accounts in the tenant. You need to be a tenant admin to carry out this operation.

Step 3: Create a private key and certificate

  • Follow the instructions here to create a certificate, then upload it to the app registration: the application must already hold a valid certificate before addKey can be called.

Applications that don’t have any existing valid certificates (no certificates have been added yet, or all certificates have expired), won’t be able to use this service action. You can use the Update application operation to perform an update instead.

Finally, go back to the Azure portal. In the Application menu blade, click Certificates & secrets, and in the Certificates section upload the certificate you created.
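As an added example (not the repository's code), the following .NET Core 3.1 program creates a self-signed certificate with only the base class library and exports it in the two forms the rest of the sample distinguishes: a password-protected PFX that contains the private key (the form referenced by CertificateDiskPath and CertificatePassword) and a public-only DER file (the form you upload in the portal, and the one to use when EnableCertKey is set to false). The subject name, file names and password are placeholders.

```csharp
// Added example, not part of the repository: create a self-signed certificate and
// export it as PFX (with private key) and as DER (public certificate only).
// Subject name, output file names and the PFX password below are placeholders.
using System;
using System.IO;
using System.Security.Cryptography;
using System.Security.Cryptography.X509Certificates;

static class CertTool
{
    // Builds a self-signed RSA certificate. The key is restricted to digital signatures,
    // which is all that Azure AD needs to verify a client_assertion or an addKey proof JWT.
    public static X509Certificate2 CreateSelfSigned(RSA key, string subject, int validDays)
    {
        var request = new CertificateRequest(subject, key, HashAlgorithmName.SHA256,
                                             RSASignaturePadding.Pkcs1);
        request.CertificateExtensions.Add(
            new X509KeyUsageExtension(X509KeyUsageFlags.DigitalSignature, critical: true));

        // A few minutes of backdating tolerates clock skew between this host and Azure AD.
        DateTimeOffset now = DateTimeOffset.UtcNow;
        return request.CreateSelfSigned(now.AddMinutes(-5), now.AddDays(validDays));
    }

    static void Main()
    {
        const string pfxPassword = "<PFX_PASSWORD>";   // placeholder

        using RSA key = RSA.Create(2048);
        using X509Certificate2 cert = CreateSelfSigned(key, "CN=GraphAddKeyDemo", validDays: 180);

        // PFX: certificate plus private key. This is what the sample loads to sign JWTs.
        File.WriteAllBytes("demo.pfx", cert.Export(X509ContentType.Pfx, pfxPassword));

        // DER: public certificate only. Upload this in the portal, and this is also all
        // that addKey needs in keyCredential.key (EnableCertKey = false in the sample).
        File.WriteAllBytes("demo.cer", cert.Export(X509ContentType.Cert));

        Console.WriteLine($"Created {cert.Subject}, thumbprint {cert.Thumbprint}");
    }
}
```

The thumbprint printed at the end is the value that appears in the portal after upload, and it is what the x5t header of the signed JWTs later refers to, so keeping the PFX and the uploaded DER file paired by thumbprint avoids the most common cause of a rejected assertion.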

Step 4: Configure the sample app to use your app registration

Open the project in your IDE (like Visual Studio) to configure the code.

In the steps below, "ClientID" is the same as "Application ID" or "AppId".

  1. Open the appsettings.json file
  2. Find the app key ClientId and replace the existing value with the application ID (clientId) value you recorded earlier from the Azure portal.
  3. Find the app key TenantId and replace the existing value with the directory (tenant) ID value you recorded earlier from the Azure portal.
  4. Find the app key ObjectId and replace the existing value with your app registration (Object ID) value which can be found from the Azure portal.
  5. Find the app key Aud_ClientAssertion and replace {YOUR_TENANT_ID_HERE} with the directory (tenant) ID value you recorded earlier from the Azure portal.
  6. Find the app key CertificateDiskPath and replace the existing value with the path to your existing self-signed certificate; for more info see this.
  7. Find the app key CertificatePassword and replace the existing value with your existing self-signed certificate's password; for more info see this.
  8. Find the app key NewCertificateDiskPath and replace the existing value with the path to your new self-signed certificate; for more info see this.
  9. Find the app key NewCertificatePassword and replace the existing value with your new self-signed certificate's password; for more info see this.

If you want to use a certificate without a private key, find the app key EnableCertKey and set it to false.

Step 5: Run the sample

Clean the solution, rebuild the solution, and run it.

    dotnet run

About this sample

  • The code generates a client_assertion first, then obtains an access_token using the client credentials flow.

  • A proof-of-possession token is generated; this JWT must be signed with the private key of one of the application's existing valid certificates.

  • The key value of the new certificate is extracted and placed in the addKey API request body.

  • Finally, the API is called.
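The four steps above, as an added example that is not the repository's code: it uses only the .NET Core 3.1 base class library (no Graph SDK, no MSAL) so that the two signed JWTs and the addKey request body are visible as plain data. The tenant ID, client ID, application object ID and certificate paths/passwords are placeholders that correspond to the appsettings.json keys from Step 4; the claim values (the login.microsoftonline.com audience for the client assertion, the fixed 00000002-0000-0000-c000-000000000000 audience and object-ID issuer for the proof token, and the 10-minute proof lifetime limit) follow the Azure AD client-assertion and Graph addKey proof-of-possession documentation, and the keyCredential fields follow the addKey request format.

```csharp
// Added example, not part of the repository. Placeholders in angle brackets come from
// appsettings.json (TenantId, ClientId, ObjectId, CertificateDiskPath, ...).
using System;
using System.Collections.Generic;
using System.Net.Http;
using System.Net.Http.Headers;
using System.Security.Cryptography;
using System.Security.Cryptography.X509Certificates;
using System.Text;
using System.Text.Json;
using System.Threading.Tasks;

static class AddKeyFlow
{
    static readonly HttpClient Http = new HttpClient();

    static string Base64Url(byte[] bytes) =>
        Convert.ToBase64String(bytes).TrimEnd('=').Replace('+', '-').Replace('/', '_');

    // RS256 JWT signed with the certificate's private key. The x5t header carries the
    // base64url SHA-1 thumbprint so the service can pick the matching registered certificate.
    static string SignJwt(X509Certificate2 cert, Dictionary<string, object> claims)
    {
        var header = new Dictionary<string, object>
        {
            ["alg"] = "RS256", ["typ"] = "JWT", ["x5t"] = Base64Url(cert.GetCertHash())
        };
        string input = Base64Url(JsonSerializer.SerializeToUtf8Bytes(header)) + "." +
                       Base64Url(JsonSerializer.SerializeToUtf8Bytes(claims));
        using RSA rsa = cert.GetRSAPrivateKey();
        byte[] signature = rsa.SignData(Encoding.ASCII.GetBytes(input),
                                        HashAlgorithmName.SHA256, RSASignaturePadding.Pkcs1);
        return input + "." + Base64Url(signature);
    }

    // Short-lived claim set: nbf/exp bound how long a captured token stays usable.
    static Dictionary<string, object> Claims(string aud, string iss, int lifetimeMinutes)
    {
        long now = DateTimeOffset.UtcNow.ToUnixTimeSeconds();
        return new Dictionary<string, object>
        {
            ["aud"] = aud, ["iss"] = iss, ["nbf"] = now, ["exp"] = now + lifetimeMinutes * 60
        };
    }

    // Steps 1 and 2: client_assertion signed with the existing certificate, exchanged for an
    // access token through the client credentials grant.
    static async Task<string> GetAccessTokenAsync(string tenantId, string clientId,
                                                  X509Certificate2 existing)
    {
        var claims = Claims($"https://login.microsoftonline.com/{tenantId}/v2.0", clientId, 10);
        claims["sub"] = clientId;
        claims["jti"] = Guid.NewGuid().ToString();   // unique id, lets the server reject replays
        string assertion = SignJwt(existing, claims);

        var form = new FormUrlEncodedContent(new Dictionary<string, string>
        {
            ["client_id"] = clientId,
            ["scope"] = "https://graph.microsoft.com/.default",
            ["grant_type"] = "client_credentials",
            ["client_assertion_type"] = "urn:ietf:params:oauth:client-assertion-type:jwt-bearer",
            ["client_assertion"] = assertion,
        });
        using HttpResponseMessage resp = await Http.PostAsync(
            $"https://login.microsoftonline.com/{tenantId}/oauth2/v2.0/token", form);
        resp.EnsureSuccessStatusCode();
        using JsonDocument doc = JsonDocument.Parse(await resp.Content.ReadAsStringAsync());
        return doc.RootElement.GetProperty("access_token").GetString();
    }

    // Steps 3 and 4: proof-of-possession JWT signed with the EXISTING certificate, the NEW
    // certificate's public part as keyCredential.key, and the addKey call itself.
    static async Task<string> AddKeyAsync(string objectId, string accessToken,
                                          X509Certificate2 existing, X509Certificate2 newCert)
    {
        // Proof lifetime must be at most 10 minutes; 5 leaves room for clock skew.
        string proof = SignJwt(existing, Claims("00000002-0000-0000-c000-000000000000", objectId, 5));
        var body = new
        {
            keyCredential = new
            {
                type = "AsymmetricX509Cert",
                usage = "Verify",
                // DER public certificate only: the new private key never leaves this host.
                key = Convert.ToBase64String(newCert.Export(X509ContentType.Cert))
            },
            passwordCredential = (object)null,
            proof
        };
        using var request = new HttpRequestMessage(HttpMethod.Post,
            $"https://graph.microsoft.com/v1.0/applications/{objectId}/addKey")
        {
            Content = new StringContent(JsonSerializer.Serialize(body), Encoding.UTF8, "application/json")
        };
        request.Headers.Authorization = new AuthenticationHeaderValue("Bearer", accessToken);
        using HttpResponseMessage resp = await Http.SendAsync(request);
        string text = await resp.Content.ReadAsStringAsync();   // error details on failure
        resp.EnsureSuccessStatusCode();
        return text;   // the stored keyCredential, including the keyId Graph assigned
    }

    static async Task Main()
    {
        string tenantId = "<TENANT_ID>", clientId = "<CLIENT_ID>", objectId = "<OBJECT_ID>";
        using var existing = new X509Certificate2("<CertificateDiskPath>", "<CertificatePassword>");
        // With EnableCertKey = false this can be a plain .cer: new X509Certificate2("<path>.cer")
        using var newCert = new X509Certificate2("<NewCertificateDiskPath>", "<NewCertificatePassword>");

        string token = await GetAccessTokenAsync(tenantId, clientId, existing);
        Console.WriteLine(await AddKeyAsync(objectId, token, existing, newCert));
    }
}
```

Two things are worth checking when this fails in practice: the access token is only good for Application.ReadWrite.OwnedBy, so the calling app must be listed as an owner of the target application, and the proof token is rejected when its x5t does not match a certificate already registered on the application, which is the "no existing valid certificates" case described in Step 3.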

⚠️ The certificates used in this sample are for testing purposes only.
