
New-MsolServicePrincipal

Published: April 18, 2013

Updated: January 21, 2014

Applies To: Azure, Office 365, Windows Intune

Note
  • This topic provides online help content for cloud services, such as Windows Intune and Office 365, which rely on Microsoft Azure Active Directory for identity and directory services.

  • The Microsoft Azure Active Directory Module for Windows PowerShell cmdlets were previously known as the Microsoft Online Services Module for Windows PowerShell cmdlets.

The New-MsolServicePrincipal cmdlet creates a service principal that represents a Line Of Business (LOB) application or an on-premises server such as Microsoft Exchange, SharePoint or Lync as a Microsoft Azure Active Directory (Microsoft Azure AD) "service principal" object. Adding a new application as a service principal allows that application to authenticate to other Microsoft Online Services.

New-MsolServicePrincipal -DisplayName <string> [-AccountEnabled <Boolean>] [-Addresses <Address[]>] [-AppPrincipalId <Guid>] [-EndDate <DateTime>] [-ServicePrincipalNames <string[]>] [-StartDate <DateTime>] [-TenantId <Guid>] [-Type <ServicePrincipalCredentialType>] [-Usage <ServicePrincipalCredentialUsage>] [-Value <string>] [<CommonParameters>]

    -AccountEnabled <Boolean>
        Specifies if the account needs to be enabled. This will be set to true 
        if not specified.
        
        Required?                    false
        Position?                    named
        Default value                true
        Accept pipeline input?       true (ByPropertyName)
        Accept wildcard characters?  false
        
    -Addresses <Address[]>
        List of addresses used by the application.  The list should be 
        constructed by using the New-MsolServicePrincipalAddress help cmdlet.
        
        Required?                    false
        Position?                    named
        Default value                
        Accept pipeline input?       true (ByPropertyName)
        Accept wildcard characters?  false
        
    -AppPrincipalId <Guid>
        The unique application identifier for a service principal in a tenant. 
        Once created this property cannot be changed. If an AppPrincipalId is 
        not specified, one will be generated.
        
        Required?                    false
        Position?                    named
        Default value                
        Accept pipeline input?       true (ByPropertyName)
        Accept wildcard characters?  false
        
    -DisplayName <string>
        The friendly name of the service principal
        
        Required?                    true
        Position?                    named
        Default value                
        Accept pipeline input?       false
        Accept wildcard characters?  false
        
    -EndDate <DateTime>
        The effective end date of the credential usage. The default end date 
        value is one year from today.
        
        Required?                    false
        Position?                    named
        Default value                Today + 1 year
        Accept pipeline input?       true (ByPropertyName)
        Accept wildcard characters?  false
        
    -ServicePrincipalNames <string[]>
        A list of service principal names (SPNs) associated with the service 
        principal.
        An SPN must be unique per company tenant and is used by an application 
        to uniquely identify itself.  By default the service principal AppID 
        is always added as an SPN.  
        An SPN must use one of the following formats "appName" or 
        "appName/hostname" or be a valid URL.  AppName represents the name of 
        the application and hostname represents the URI authority for the 
        application.  When the service principal represents a WS-Federation 
        relying party, an SPN can be set to a URL that would be treated as the 
        WS-Federation wtrealm parameter.
        
        Required?                    false
        Position?                    named
        Default value                AppId of the service principal
        Accept pipeline input?       true (ByPropertyName)
        Accept wildcard characters?  false
        
    -StartDate <DateTime>
        The effective start date of the credential usage. The default start 
        date value is today.
        
        Required?                    false
        Position?                    named
        Default value                Today
        Accept pipeline input?       true (ByPropertyName)
        Accept wildcard characters?  false
        
    -TenantId <Guid>
        The unique ID of the tenant to perform the operation on. If this is 
        not provided, then the value will default to the tenant of the current 
        user. This parameter is only applicable to partner users.
        
        Required?                    false
        Position?                    named
        Default value                
        Accept pipeline input?       true (ByPropertyName)
        Accept wildcard characters?  false
        
    -Type <ServicePrincipalCredentialType>
        The type of credential used. The credential type can either be set to 
        "asymmetric", "symmetric" or "password".  If "asymmetric", the Value 
        parameter must be set to the public portion of a base 64 encoded X509 
        certificate.  If "symmetric", then a 256 bit AES symmetric key will be 
        generated if Value is not set.  If "password", the Value parameter 
        must be supplied and it should not be base 64 encoded.  The default 
        setting is "symmetric".
        
        Required?                    false
        Position?                    named
        Default value                symmetric
        Accept pipeline input?       true (ByPropertyName)
        Accept wildcard characters?  false
        
    -Usage <ServicePrincipalCredentialUsage>
        The usage of the credential key. The credential key usage can either 
        be set to "sign" or "verify" a token.  The default setting is 
        "verify".  Sign is allowed ONLY for symmetric keys.  Verify is allowed 
        for all key types.
        A "verify" credential key is required by Azure Active 
        Directory to verify that the request token was sent by your 
        application (represented by this service principal). Your application 
        may optionally require that Azure Active Directory issue 
        tokens to your application signed with your signing key rather than 
        the asymmetric public key identifying Azure Active Directory. 
        In this case, provide a "sign" credential key for your service 
        principal.
        
        Required?                    false
        Position?                    named
        Default value                verify
        Accept pipeline input?       true (ByPropertyName)
        Accept wildcard characters?  false
        
    -Value <string>
        The value of the credential. If the credential type is set to 
        "asymmetric", it represents the base 64 encoded certificate. If the 
        credential type is set to "symmetric" and Value is not set, a 256 bit 
        AES key will be automatically created and valid for one year from 
        creation. If the credential type is set to "password", the Value 
        parameter must be supplied and it should not be base 64 encoded.
        
        Required?                    false
        Position?                    named
        Default value                
        Accept pipeline input?       true (ByPropertyName)
        Accept wildcard characters?  false
        
    <CommonParameters>
        This cmdlet supports the common parameters: Verbose, Debug,
        ErrorAction, ErrorVariable, WarningAction, WarningVariable,
        OutBuffer, PipelineVariable, and OutVariable. For more information,
        see about_CommonParameters
        (http://go.microsoft.com/fwlink/?LinkID=113216).

Output is provided by Microsoft.Online.Administration.ServicePrincipalExtended. The cmdlet retrieves the service principal that it added with the following information:

  • ObjectId - The unique identifier of the service principal

  • AppPrincipalId - The application identifier of the service principal

  • DisplayName - The friendly name of the service principal

  • ServicePrincipalName - The list of service principal names (SPNs) associated with the service principal

  • TrustedForDelegation - The value indicating if the service principal is allowed for delegation

  • AccountEnabled - The value indicating if the account is enabled

The cmdlet also retrieves the list of credentials that were added. Each credential object will contain the following information:

  • Type - The type of service principal credential (Asymmetric/Symmetric/Other)

  • Value - The value of the credential. If the credential type is certificate, this represents the base 64 encoded certificate. If credential type is symmetric, it represents an AES key

  • KeyGroupId - The identifier reserved for internal use

  • KeyId - The unique identifier of the key

  • StartDate - The effective start date of the credential usage

  • EndDate - The effective end date of the credential usage

  • Usage - Specifies if the credential is used to "sign" or "verify" a token

The following command creates a new service principal. In this example, the service principal will be created with the service principal name "MyApp/Contoso.com", the display name "My Application", and will use an auto-generated 256 bit symmetric key to verify the application. This key will be valid for a year from today.

New-MsolServicePrincipal -ServicePrincipalNames @("MyApp/Contoso.com") -DisplayName "My Application"

The following command creates a new service principal. In this example, the service principal will be created with the service principal name "MyApp/Contoso.com", the display name "My Application", and will use the supplied X509 certificate "myapp.cer" that is configured with a base-64 encoded asymmetric key.

$cer = New-Object System.Security.Cryptography.X509Certificates.X509Certificate
$cer.Import("C:\temp\myapp.cer")
$binCert = $cer.GetRawCertData()
$credValue = [System.Convert]::ToBase64String($binCert)
New-MsolServicePrincipal -ServicePrincipalNames @("MyApp/Contoso.com") -DisplayName "My Application" -Type asymmetric -Value $credValue -StartDate $cer.GetEffectiveDateString() -EndDate $cer.GetExpirationDateString()
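The following script is an added example, not part of the original page: it builds the asymmetric credential from a certificate file as above, but goes further by clamping the credential's StartDate/EndDate to the shorter of the certificate's own validity and a chosen maximum, then reads the stored credential back with Get-MsolServicePrincipalCredential (a cmdlet from the same module, not described on this page) to confirm the Type, Usage and dates. It assumes Connect-MsolService has already been run; the path, SPN and display name are placeholders.

```powershell
# Added example: register a certificate-backed service principal with a
# bounded credential lifetime, then confirm what was stored.
# Assumes the Msol module is loaded and Connect-MsolService has been run.
param(
    [string]$CertPath = 'C:\temp\myapp.cer',   # placeholder path
    [string]$Spn      = 'MyApp/Contoso.com',   # placeholder SPN
    [string]$Name     = 'My Application',      # placeholder display name
    [int]$MaxDays     = 365                    # longest credential validity allowed
)

# Load the public certificate (a .cer file carries no private key).
$cer = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2
$cer.Import($CertPath)

# For -Type asymmetric, -Value is the base-64 encoding of the DER certificate.
$credValue = [System.Convert]::ToBase64String($cer.GetRawCertData())

# Clamp the validity window: never outside the certificate's NotBefore/NotAfter
# and never longer than $MaxDays from now.
$start = [DateTime]::UtcNow
if ($cer.NotBefore -gt $start) { $start = $cer.NotBefore }
$end = $start.AddDays($MaxDays)
if ($cer.NotAfter -lt $end) { $end = $cer.NotAfter }
if ($end -le $start) {
    throw "Certificate $($cer.Thumbprint) is expired or not yet valid; refusing to register it."
}

# Create the service principal with a "verify" credential (the default usage).
$sp = New-MsolServicePrincipal -ServicePrincipalNames @($Spn) -DisplayName $Name `
        -Type asymmetric -Usage verify -Value $credValue -StartDate $start -EndDate $end

# Read the credential back by AppPrincipalId. -ReturnKeyValues $false keeps the
# key material itself out of the console transcript.
Get-MsolServicePrincipalCredential -AppPrincipalId $sp.AppPrincipalId -ReturnKeyValues $false |
    Select-Object KeyId, Type, Usage, StartDate, EndDate
```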
