Azure Application Proxy – Replace Certificate

Every year again… comes a new SSL-certificate and want to be replaced. Since doing so within the Azure Portal is quite a tedious task, here’s a script that gets the work done quite easily and fast. Simply adjust the constants in the script’s header, and you’re all set.

# The PowerShell Console needs to be run with local Administrator rights
# Nobody understands why... but well, that's the way it is.

# Define constants
	# The thumbprint of the old cert, which is to be replaced
	$OldThumbprint = "123456789ABCDEF"
	# The thumbprint of the new cert, which should be installed and activated
	$NewThumbprint = "FEDCBA987654321"
	# The path to the PFX-file
	$PfxFilePath = "C:_Installwildcard.powershell24.de_2019-2020.pfx"

# Create empty arrays
$OldCertArray = @()
$NewCertArray = @()
$OtherCertArray = @()

# Import and connect
Import-Module AzureAD

# Get all registered apps an process each
# Doing it this way, because I want the displayname for convinience, which isn't shown when using Get-AzureADApplicationProxyApplication
$AllApps = Get-AzureADApplication -All $True
Foreach($App in $AllApps){
	# Trying to fetch the app within Azure App Proxy
		$AppDetails = Get-AzureADApplicationProxyApplication -ObjectId $App.ObjectId
		Write-Host ""
		Write-Host "Processing $($App.DisplayName)..."
		$HelperLine = "" | Select DisplayName,ObjectId,VerifiedCustomDomainCertificatesMetadata
		$HelperLine.DisplayName = $App.DisplayName
		$HelperLine.ObjectId = $App.ObjectId
		$HelperLine.VerifiedCustomDomainCertificatesMetadata = $AppDetails.VerifiedCustomDomainCertificatesMetadata		
		# This app uses the cert with the old thumbprint
		if($AppDetails.VerifiedCustomDomainCertificatesMetadata.Thumbprint -eq $OldThumbprint){
			Write-Host "	$($App.DisplayName) still has the old certificate" -ForegroundColor Red
			$OldCertArray += $HelperLine
		# This app already uses the new certificate
		elseif($AppDetails.VerifiedCustomDomainCertificatesMetadata.Thumbprint -eq $NewThumbprint){
			Write-Host "	$($App.DisplayName) already has the new certificate" -ForegroundColor Green
			$NewCertArray += $HelperLine
		# This app uses a different certificate. Maybe have a closer look on these late on
			Write-Host "	$($App.DisplayName) has a different certificate" -ForegroundColor Yellow
			$OtherCertArray += $HelperLine
	# This seems to be an app which isn't published via Azure App Proxy
		Write-Host ""
		Write-Host "$($App.DisplayName) is not an Application Proxy app. Skipping..." -ForegroundColor Cyan

# If there are any certs with the old thumbprint...
	# ...check if we really want to replace them. 
	$Continue = Read-Host "Continue with replacing the certificate for following apps? [y/n]"
	# Yes?
	if($Continue -eq "y"){
		# Setting the new cert for all apps with the old cert (but not with a different certificate)
		# First we need the PFX-PW
		$Password = Read-Host "Enter PFX-File Password" -AsSecureString
		Foreach ($App in $OldCertArray){
				Write-Host "Setting new certificate for $($App.DisplayName)" -ForegroundColor Red
				Set-AzureADApplicationProxyApplicationCustomDomainCertificate -ObjectId $App.ObjectId -PfxFilePath $PfxFilePath -Password $Password
				Write-Host "Couldn't set new certificate for $($App.DisplayName)" -ForegroundColor Red

		# A final info which apps don't use the old cert or don't use one at all
		Write-Host "Different certificate or no certificate required for:"

		# If you want, here is an overview of all apps that already had the new cert, before it was changed by this script