Private/Add-EntraMfaCredentials.ps1
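function Add-EntraMfaCredentials {
    <#
    .SYNOPSIS
        Adds a credential (client secret or certificate) to the MFA service principal of an Entra ID tenant.
    .DESCRIPTION
        Connects to Microsoft Graph with the Application.ReadWrite.All scope, looks up the service
        principal whose appId is $Providers.EntraId.MfaAppId and then either creates a new password
        credential on it (Type = "Password") or appends $Certificate to its key credentials
        (Type = "Certificate"). The Graph session is disconnected on every exit path, including
        failures, so a half-finished run does not leave a privileged session behind.
    .PARAMETER TenantId
        Tenant to connect to.
    .PARAMETER Type
        "Password" to create a client secret, "Certificate" to register $Certificate.
    .PARAMETER Certificate
        Certificate whose public key (RawData) is registered. Required when Type is "Certificate".
    .OUTPUTS
        [string] The clear-text secret when Type is "Password" (it cannot be retrieved again later,
        so the caller must store it securely); $null when Type is "Certificate".
    .NOTES
        Expiry in days is read from $Providers.EntraId.PasswordExpiration / CertificateExpiration
        ($Providers is expected to be a module-scope variable; confirm against the module manifest).
        Throws when the Microsoft.Graph module is missing, when Type is "Certificate" without a
        certificate, when the service principal cannot be found, or when any Graph call fails.
    #>
    [CmdletBinding()]
    param (
        [Parameter(Mandatory = $true)]
        [string] $TenantId,

        [Parameter(Mandatory = $true)]
        [ValidateSet("Password", "Certificate")]
        [string] $Type,

        [Parameter(Mandatory = $false)]
        [System.Security.Cryptography.X509Certificates.X509Certificate] $Certificate
    )

    # Returns the UTC timestamp $Days from now, in the format the Graph credential objects expect.
    # NOTE(review): the format carries no 'Z' suffix; if Graph ever applies a local offset to it,
    # append 'Z' here — confirm before changing.
    function Get-UtcExpiryString {
        param ([int] $Days)
        return (Get-Date).ToUniversalTime().AddDays($Days).ToString("yyyy-MM-ddTHH:mm:ss")
    }

    $moduleName = "Microsoft.Graph"
    if ($null -eq (Get-Module -ListAvailable -Name $moduleName)) {
        throw "Module '$moduleName' is not available."
    }

    # Validate inputs before opening a Graph session: the original only discovered a missing
    # certificate after connecting, and reported it as "Unexpected error".
    if ($Type -eq "Certificate" -and -not $Certificate) {
        throw "A certificate must be supplied when -Type is 'Certificate'."
    }

    # $appId is interpolated into an OData filter below. Casting to [guid] rejects any
    # configuration value that is not a bare GUID, so the filter text cannot be altered by it.
    $appId = [guid] $Providers.EntraId.MfaAppId
    $credentialName = $MyInvocation.MyCommand.ModuleName
    $connected = $false

    try {
        Connect-MgGraph -NoWelcome -TenantId $TenantId -Scopes 'Application.ReadWrite.All' -ErrorAction Stop
        $connected = $true

        # -ErrorAction Stop so a lookup failure surfaces here instead of as a null .Id further down.
        $mfaSvcPrincipal = Get-MgServicePrincipal -Filter "appid eq '$appId'" -ErrorAction Stop
        if ($null -eq $mfaSvcPrincipal) {
            throw "No service principal found for appId '$appId' in tenant '$TenantId'."
        }

        if ($Type -eq "Password") {
            $passwordCredential = @{
                DisplayName = $credentialName
                EndDateTime = Get-UtcExpiryString -Days $Providers.EntraId.PasswordExpiration
            }
            $secret = Add-MgServicePrincipalPassword -ServicePrincipalId $mfaSvcPrincipal.Id `
                -PasswordCredential $passwordCredential -ErrorAction Stop
            # SecretText is only present in this response; returned in clear text as before.
            return $secret.SecretText
        }

        # Type is "Certificate" here; $Certificate was validated above.
        $newKey = @(@{
            CustomKeyIdentifier  = $null
            Usage                = "Verify"
            Type                 = "AsymmetricX509Cert"
            Key                  = $Certificate.RawData
            KeyId                = (New-Guid).Guid
            DisplayName          = $Certificate.Subject
            EndDateTime          = Get-UtcExpiryString -Days $Providers.EntraId.CertificateExpiration
            AdditionalProperties = $null
        })
        # Existing keys are preserved: Update-MgServicePrincipal replaces the whole collection.
        $keyCredentials = $mfaSvcPrincipal.KeyCredentials
        $keyCredentials += $newKey
        Update-MgServicePrincipal -ServicePrincipalId $mfaSvcPrincipal.Id `
            -KeyCredentials $keyCredentials -ErrorAction Stop
        return $null
    }
    catch {
        throw "Error adding ServicePrincipal credentials - $_"
    }
    finally {
        # Best-effort cleanup; a disconnect failure must not mask the error being propagated.
        if ($connected) {
            Disconnect-MgGraph -ErrorAction SilentlyContinue | Out-Null
        }
    }
}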