Table of Contents

Register-PnPEntraIDApp

SYNOPSIS

Registers an Entra ID App and optionally creates a new self-signed certificate to use with the application registration.

SYNTAX

Generate Certificate

Register-PnPEntraIDApp -ApplicationName <String>
                                       -Tenant <String>
                                       [-DeviceLogin]
                                       [-CommonName <String>]
                                       [-OutPath <String>]
                                       [-Store <StoreLocation>]
                                       [-GraphApplicationPermissions <Permission[]>]
                                       [-GraphDelegatePermissions <Permission[]>]
                                       [-SharePointApplicationPermissions <Permission[]>]
                                       [-SharePointDelegatePermissions <Permission[]>]
                                       [-Country <String>]
                                       [-State <String>]
                                       [-Locality <String>]
                                       [-Organization <String>]
                                       [-OrganizationUnit <String>]
                                       [-ValidYears <Int>]
                                       [-CertificatePassword <SecureString>]
                                       [-LogoFilePath <string>]
                                       [-MicrosoftGraphEndPoint <string>]
                                       [-EntraIDLoginEndPoint <string>]
                                       [-SignInAudience <EntraIDSignInAudience>]

Existing Certificate

Register-PnPEntraIDApp  -CertificatePath <String>
                        -ApplicationName <String>
                        -Tenant <String>
                        [-DeviceLogin]
                        [-GraphApplicationPermissions <Permission[]>]
                        [-GraphDelegatePermissions <Permission[]>]
                        [-SharePointApplicationPermissions <Permission[]>]
                        [-SharePointDelegatePermissions <Permission[]>]
                        [-CertificatePassword <SecureString>]
                        [-LogoFilePath <string>]

DESCRIPTION

Registers an Entra ID App and optionally creates a new self-signed certificate to use with the application registration.

Note: if you want to use the newly created app to authenticate with username/password. Use Register-PnPEntraIDAppForInteractiveLogin to create an app that allows users to login with.

EXAMPLES

EXAMPLE 1

Register-PnPEntraIDApp -ApplicationName TestApp -Tenant yourtenant.onmicrosoft.com -Store CurrentUser

Creates a new Entra ID Application registration, creates a new self signed certificate, and adds it to the local certificate store. It will upload the certificate to the azure app registration and it will request the following permissions: Sites.FullControl.All, Group.ReadWrite.All, User.Read.All. A browser window will be shown allowing you to authenticate.

EXAMPLE 2

Register-PnPEntraIDApp -ApplicationName TestApp -Tenant yourtenant.onmicrosoft.com -CertificatePath c:\certificate.pfx -CertificatePassword (ConvertTo-SecureString -String "password" -AsPlainText -Force)

Creates a new Entra ID Application registration which will use the existing private key certificate at the provided path to allow access. It will upload the provided private key certificate to the azure app registration and it will request the following permissions: Sites.FullControl.All, Group.ReadWrite.All, User.Read.All. A browser window will be shown allowing you to authenticate.

EXAMPLE 3

Register-PnPEntraIDApp -ApplicationName TestApp -Tenant yourtenant.onmicrosoft.com -Store CurrentUser -GraphApplicationPermissions "User.Read.All" -SharePointApplicationPermissions "Sites.Read.All"

Creates a new Entra ID Application registration, creates a new self signed certificate, and adds it to the local certificate store. It will upload the certificate to the azure app registration and it will request the following permissions: Sites.Read.All, User.Read.All. A browser window will be shown allowing you to authenticate.

EXAMPLE 4

Register-PnPEntraIDApp -ApplicationName TestApp -Tenant yourtenant.onmicrosoft.com -OutPath c:\ -CertificatePassword (ConvertTo-SecureString -String "password" -AsPlainText -Force)

Creates a new Entra ID Application registration, creates a new self signed certificate, and stores the public and private key certificates in c:. The private key certificate will be locked with the password "password". It will upload the certificate to the azure app registration and it will request the following permissions: Sites.FullControl.All, Group.ReadWrite.All, User.Read.All. A browser window will be shown allowing you to authenticate.

EXAMPLE 5

Register-PnPEntraIDApp -DeviceLogin -ApplicationName TestApp -Tenant yourtenant.onmicrosoft.com -CertificatePath c:\certificate.pfx -CertificatePassword (ConvertTo-SecureString -String "password" -AsPlainText -Force)

Creates a new Entra ID Application registration and asks you to authenticate using device login methods, creates a new self signed certificate, and adds it to the local certificate store. It will upload the certificate to the azure app registration and it will request the following permissions: Sites.FullControl.All, Group.ReadWrite.All, User.Read.All

EXAMPLE 6

Register-PnPEntraIDApp -ApplicationName TestApp -Tenant yourtenant.onmicrosoft.com -CertificatePath c:\certificate.pfx -CertificatePassword (ConvertTo-SecureString -String "password" -AsPlainText -Force)

Creates a new Entra ID Application registration and asks you to authenticate using username and password, creates a new self signed certificate, and adds it to the local certificate store. It will upload the certificate to the azure app registration and it will request the following permissions: Sites.FullControl.All, Group.ReadWrite.All, User.Read.All

EXAMPLE 7

Register-PnPEntraIDApp -ApplicationName TestApp -Tenant yourtenant.onmicrosoft.com -CertificatePath c:\certificate.pfx -CertificatePassword (ConvertTo-SecureString -String "password" -AsPlainText -Force) -LogoFilePath c:\logo.png

Creates a new Entra ID Application registration which will use the existing private key certificate at the provided path to allow access. It will upload the provided private key certificate to the azure app registration and it will request the following permissions: Sites.FullControl.All, Group.ReadWrite.All, User.Read.All. It will also set the logo.png file as the logo for the Entra ID app.

EXAMPLE 8

Register-PnPEntraIDApp -ApplicationName "ACS App" -Tenant yourtenant.onmicrosoft.com -OutPath c:\temp -GraphApplicationPermissions "User.Read.All" -GraphDelegatePermissions "Sites.Read.All" -SharePointApplicationPermissions "Sites.Read.All" -SharePointDelegatePermissions "AllSites.Read"

Creates a new Entra ID Application registration, creates a new self signed certificate, writes it to the c:\temp folder. It will upload the certificate to the azure app registration and it will request the shown permissions. A browser window will be shown allowing you to authenticate.

PARAMETERS

-DeviceLogin

If specified, a device login flow, supporting Multi-Factor Authentication will be used to authenticate towards the Microsoft Graph.

Type: SwitchParameter
Parameter Sets: (All)

Required: False
Position: Named
Accept pipeline input: False

-ApplicationName

The name of the Entra ID Application to create.

Type: String
Parameter Sets: (All)

Required: True
Position: Named
Accept pipeline input: False

-CertificatePassword

Optional certificate password.

Type: SecureString
Parameter Sets: (All)

Required: False
Position: 8
Accept pipeline input: False

-CertificatePath

File path to use an existing certificate.

Type: String
Parameter Sets: Existing Certificate

Required: True
Position: Named
Accept pipeline input: False

-CommonName

Common Name (e.g. server FQDN or YOUR name). It defaults to 'pnp.contoso.com'

Type: String
Parameter Sets: Generate Certificate

Required: False
Position: 0
Accept pipeline input: False

-Country

Country Name (2 letter code).

Type: String
Parameter Sets: Generate Certificate

Required: False
Position: 1
Accept pipeline input: False

-Locality

Locality Name (eg. city).

Type: String
Parameter Sets: Generate Certificate

Required: False
Position: 3
Accept pipeline input: False

-Organization

Organization Name (eg. company).

Type: String
Parameter Sets: Generate Certificate

Required: False
Position: 4
Accept pipeline input: False

-OrganizationUnit

Organizational Unit Name (eg. section).

Type: String
Parameter Sets: Generate Certificate

Required: False
Position: 5
Accept pipeline input: False

-OutPath

Folder to create certificate files in (.CER and .PFX).

Type: String
Parameter Sets: Generate Certificate

Required: False
Position: Named
Accept pipeline input: False

-GraphApplicationPermissions

Specify which Microsoft Graph Application permissions to request.

Type: Permission[]
Parameter Sets: Generate Certificate

Required: False
Position: 0
Accept pipeline input: False

-GraphDelegatePermissions

Specify which Microsoft Graph Delegate permissions to request.

Type: Permission[]
Parameter Sets: Generate Certificate

Required: False
Position: 0
Accept pipeline input: False

-SharePointApplicationPermissions

Specify which Microsoft SharePoint Application permissions to request.

Type: Permission[]
Parameter Sets: Generate Certificate

Required: False
Position: 0
Accept pipeline input: False

-SharePointDelegatePermissions

Specify which Microsoft SharePoint Delegate permissions to request.

Type: Permission[]
Parameter Sets: Generate Certificate

Required: False
Position: 0
Accept pipeline input: False

-State

State or Province Name (full name).

Type: String
Parameter Sets: Generate Certificate

Required: False
Position: 2
Accept pipeline input: False

-Store

Local Certificate Store to add the certificate to. Only works on Microsoft Windows.

Type: StoreLocation
Parameter Sets: Generate Certificate

Required: False
Position: Named
Accept pipeline input: False

-Tenant

The identifier of your tenant, e.g. mytenant.onmicrosoft.com

Type: String
Parameter Sets: (All)

Required: True
Position: Named
Accept pipeline input: False

-ValidYears

Number of years until expiration (default is 10, max is 30).

Type: Int
Parameter Sets: Generate Certificate

Required: False
Position: 7
Accept pipeline input: False

-AzureEnvironment

The Azure environment to use for authentication, the defaults to 'Production' which is the main Azure environment.

Type: AzureEnvironment
Parameter Sets: (All)
Aliases:
Accepted values: Production, PPE, China, Germany, USGovernment, USGovernmentHigh, USGovernmentDoD, Custom

Required: False
Position: Named
Default value: None
Accept pipeline input: False
Accept wildcard characters: False

-LogoFilePath

Sets the logo for the Entra ID application. Provide a full path to a local image file on your disk which you want to use as the logo.

Type: String
Parameter Sets: (All)

Required: False
Position: Named
Accept pipeline input: False

-EntraIDLoginEndPoint

Sets the EntraID login endpoint to be used for creation of the app. This only works if Azure Environment parameter is set to Custom

Type: String
Parameter Sets: (All)

Required: False
Position: Named
Accept pipeline input: False

-MicrosoftGraphEndPoint

Sets the Microsoft Graph endpoint to be used for creation of the app. This only works if Azure Environment parameter is set to Custom

Type: String
Parameter Sets: (All)

Required: False
Position: Named
Accept pipeline input: False

-SignInAudience

Sets the sign in audience. Use this to make the app support Single tenant accounts, Multi-tenant accounts, Multi-tenant + personal accounts & personal accounts only.

Type: String
Parameter Sets: Generate Certificate

Required: False
Position: Named
Accept pipeline input: False

Microsoft 365 Patterns and Practices

Edit this page