{"id":7486,"date":"2020-08-26T04:30:51","date_gmt":"2020-08-26T04:30:51","guid":{"rendered":"http:\/\/blogs.aaddevsup.xyz\/?p=7486"},"modified":"2023-03-15T20:39:12","modified_gmt":"2023-03-15T20:39:12","slug":"using-powershell-to-configure-a-signing-certificate-for-a-saml-based-sso-enterprise-application","status":"publish","type":"post","link":"https:\/\/blogs.aaddevsup.xyz\/2020\/08\/using-powershell-to-configure-a-signing-certificate-for-a-saml-based-sso-enterprise-application\/","title":{"rendered":"Using PowerShell to configure a signing certificate for a SAML-based SSO Enterprise Application"},"content":{"rendered":"\n<p>In my <a href=\"https:\/\/blogs.aaddevsup.xyz\/2020\/04\/using-powershell-to-get-azure-ad-audit-logs\/\" target=\"_blank\" rel=\"noreferrer noopener\" title=\"https:\/\/blogs.aaddevsup.xyz\/2020\/04\/using-powershell-to-get-azure-ad-audit-logs\/\">last<\/a> blog post I talked about how to use PowerShell to instantiate an <a href=\"https:\/\/docs.microsoft.com\/en-us\/azure\/active-directory\/develop\/msal-net-initializing-client-applications#initializing-a-confidential-client-application-from-code\" target=\"_blank\" rel=\"noreferrer noopener\" title=\"https:\/\/docs.microsoft.com\/en-us\/azure\/active-directory\/develop\/msal-net-initializing-client-applications#initializing-a-confidential-client-application-from-code\">MSAL Confidential Client Application<\/a> to acquire an access token using <a href=\"https:\/\/docs.microsoft.com\/en-us\/azure\/active-directory\/develop\/v2-oauth2-client-creds-grant-flow\" target=\"_blank\" rel=\"noreferrer noopener\" title=\"https:\/\/docs.microsoft.com\/en-us\/azure\/active-directory\/develop\/v2-oauth2-client-creds-grant-flow\">Client Credentials Grant<\/a> flow.  In this post we will use PowerShell to instantiate an <a href=\"https:\/\/docs.microsoft.com\/en-us\/azure\/active-directory\/develop\/msal-net-initializing-client-applications#initializing-a-public-client-application-from-code\" target=\"_blank\" rel=\"noreferrer noopener\" title=\"https:\/\/docs.microsoft.com\/en-us\/azure\/active-directory\/develop\/msal-net-initializing-client-applications#initializing-a-public-client-application-from-code\">MSAL Public Client Application<\/a> to perform an <a href=\"https:\/\/docs.microsoft.com\/en-us\/azure\/active-directory\/develop\/v2-oauth2-auth-code-flow\" target=\"_blank\" rel=\"noreferrer noopener\" title=\"https:\/\/docs.microsoft.com\/en-us\/azure\/active-directory\/develop\/v2-oauth2-auth-code-flow\">Authorization Code Grant<\/a> flow to obtain a delegated permission Access Token for Microsoft Graph.  We will then use that access token to call Microsoft Graph to configure a signing certificate for our SAML Application Service Principal.  Just a quick refresher that a certificate is always required when setting up SAML Sigle Sign-On feature for an Enterprise App in Azure AD.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">Pre-requisites<\/h3>\n\n\n\n<p>To run the script in this blog you should have the following:<\/p>\n\n\n\n<p>1) A SAML-based SSO Enterprise Application you want to configure a signing certificate for.  <strong>Get the Object ID of this Application in the Properties blade of the Enterprise App<\/strong> &#8211; we will need it for the script.  The script in this blog performs the same thing as doing the following UI action in the portal:<\/p>\n\n\n\n<p>Azure Active Directory -&gt; Enterprise Application -&gt; Pick the correct App -&gt; Single sign-on -&gt; click &#8216;Edit&#8217; link in the SAML Signing Certificate section -&gt; Import Certificate<\/p>\n\n\n\n<div class=\"img-zoom-container\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"357\" src=\"\/wp-content\/uploads\/2020\/08\/image-2-1024x357.png\" alt=\"\" class=\"wp-image-7488\" srcset=\"\/wp-content\/uploads\/2020\/08\/image-2-1024x357.png 1024w, \/wp-content\/uploads\/2020\/08\/image-2-300x105.png 300w, \/wp-content\/uploads\/2020\/08\/image-2-768x268.png 768w, \/wp-content\/uploads\/2020\/08\/image-2-1536x536.png 1536w, \/wp-content\/uploads\/2020\/08\/image-2.png 1587w\" sizes=\"(max-width: 1024px) 100vw, 1024px\" \/><\/div>\n\n\n\n<hr class=\"wp-block-separator has-css-opacity\"\/>\n\n\n\n<p>If you are trying to automate a SAML-based SSO Application, take a look at the documentation <a href=\"https:\/\/docs.microsoft.com\/en-us\/graph\/application-saml-sso-configure-api?tabs=http#step-4-configure-signing-certificate\" target=\"_blank\" rel=\"noreferrer noopener\">Automate SAML-based SSO app configuration with Microsoft Graph API<\/a>.  This blog can help with step 4, Configure Signing Certifcate, of that article.<\/p>\n\n\n\n<p>2) An app registration to sign in a user and get an access token for Microsoft Graph.  <strong>Get the Application (client) ID of this app in the Overview section<\/strong> &#8211; we will need it for the script. This application should have the following App Registration configuration:<\/p>\n\n\n\n<figure class=\"wp-block-table\"><table><tbody><tr><td>Supported account types<\/td><td>Accounts in this organizational directory only<\/td><\/tr><tr><td>Redirect URIs<\/td><td>http:\/\/localhost under &#8216;Mobile and desktop applications&#8217; platform<\/td><\/tr><tr><td>API permissions<\/td><td>Microsoft Graph &#8211; Delegated permissions: <strong>Application.ReadWrite.All<\/strong> and <strong>User.Read<\/strong><br>(Make sure you grant Admin consent to these permissions)<br><\/td><\/tr><\/tbody><\/table><\/figure>\n\n\n\n<p>3) The user who logs in to get the MS Graph Access Token should be one of the following Azure AD Administrative Role &#8211; this is required in order to make a change to the Service Principal:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Cloud Application Administrator<\/li>\n\n\n\n<li>Application Administrator<\/li>\n\n\n\n<li>Global Administrator<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">Signing Certificate<\/h3>\n\n\n\n<p>We will need to have a certificate to configure for our application.  You can either create a self-signed certificate (using either PowerShell or OpenSSL as shown below) or obtain one from your Trusted Certificate Authority.  We will need the following certificate components for our script:<\/p>\n\n\n\n<ol class=\"wp-block-list\">\n<li>public key (typically a .cer file)<\/li>\n\n\n\n<li>private key in PKCS#12 format (in .pfx file)<\/li>\n\n\n\n<li>password for the private key (pfx file)<\/li>\n<\/ol>\n\n\n\n<p class=\"important-note\"><strong>Note<\/strong>:  It is important to have the private key in PKCS#12 format since Azure AD does not support other format types.  Using the wrong format can result in the the error &#8220;Invalid certificate: Key value is invalid certificate&#8221; when using MS Graph to PATCH the Service Principal with a keyCredentials containing the certificate info<\/p>\n\n\n\n<p><\/p>\n\n\n\n<h4 class=\"wp-block-heading\">Using PowerShell to create a self-signed certificate<\/h4>\n\n\n\n<p>The following PowerShell script can be used to create a self-signed certificate and then export both the private key and public key out to a .pfx and and a .cer files<\/p>\n\n\n\n<pre class=\"wp-block-syntaxhighlighter-code\"># fqdn - this is used for the 'issued to' and 'issued by' field of the certificate\n# pwd - password for exporting the certificate private key\n# location - path to folder where both the pfx and cer file will be written to, for example C:\\users\\john\\Documents\n\nParam(\n    [Parameter(Mandatory=$true)]\n    [string]$fqdn,\n    [Parameter(Mandatory=$true)]\n    [string]$pwd,\n    [Parameter(Mandatory=$true)]\n    [string]$location\n) \n\nif (!$PSBoundParameters.ContainsKey('location'))\n{\n    $location = \".\"\n} \n\n$cert = New-SelfSignedCertificate -certstorelocation cert:\\currentuser\\my -DnsName $fqdn\n$pwdSecure = ConvertTo-SecureString -String $pwd -Force -AsPlainText\n$path = 'cert:\\currentuser\\my\\' + $cert.Thumbprint\n$cerFile = $location + \"\\\\\" + $fqdn + \".cer\"\n$pfxFile = $location + \"\\\\\" + $fqdn + \".pfx\" \n\nExport-PfxCertificate -cert $path -FilePath $pfxFile -Password $pwdSecure\nExport-Certificate -cert $path -FilePath $cerFile<\/pre>\n\n\n\n<h4 class=\"wp-block-heading\">Using OpenSSL to create a self-signed certificate<\/h4>\n\n\n\n<p>If you don&#8217;t have OpenSSL installed already, refer to the OpenSSL <a href=\"https:\/\/github.com\/openssl\/openssl\" target=\"_blank\" rel=\"noreferrer noopener\" title=\"https:\/\/github.com\/openssl\/openssl\">documentation<\/a> for building and installation instruction.  For Windows users, this <a href=\"https:\/\/stackoverflow.com\/questions\/50625283\/how-to-install-openssl-in-windows-10\" target=\"_blank\" rel=\"noreferrer noopener\" title=\"https:\/\/stackoverflow.com\/questions\/50625283\/how-to-install-openssl-in-windows-10\">StackOverflow discussion<\/a> has some useful information on how to download OpenSSL for Windows.<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\">1) Run the following openssl command to create a public key file (crt) and private key file (pem) with your <span style=\"background-color:yellow\">info<\/span>.  See https:\/\/www.digicert.com\/kb\/ssl-support\/openssl-quick-reference-guide.htm for some openssl reference guide.\n\n<strong>openssl<\/strong> req-x509 -sha256 -days 365 -newkey rsa:2048 -keyout \"<span style=\"background-color:yellow\">C:\\Users\\path\\privateKey.key<\/span>\" -out \"<span style=\"background-color:yellow\">C:\\Users\\path\\certificate.crt<\/span>\" -subj '<span style=\"background-color:yellow\">\/C=your country\/ST=your state\/L=your locality\/O=Your Company, Inc.\/OU=your Organizational Unit\/CN=yourdomain.com<\/span>'\n\n2) convert the pem file to pfx file with your <span style=\"background-color:yellow\">info<\/span>:\n\n<strong>openssl<\/strong> pkcs12 -export -out \"<span style=\"background-color:yellow\">C:\\Users\\path\\certificate.pfx<\/span>\" -inkey \"<span style=\"background-color:yellow\">C:\\Users\\path\\privateKey.key<\/span>\" -in \"<span style=\"background-color:yellow\">C:\\Users\\path\\certificate.crt<\/span>\" -passout pass:<span style=\"background-color:yellow\">your password<\/span> -passin pass:<span style=\"background-color:yellow\">your password<\/span><\/pre>\n\n\n\n<p>3) convert the crt file to DER encoded binary X.509 .cer file:<\/p>\n\n\n\n<p>On Windows, double-click on the crt file to launch the certificate wizard.  Go to &#8216;Details&#8217; tab and click on &#8216;Copy to File&#8230;&#8217; button:<\/p>\n\n\n\n<figure class=\"wp-block-image size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"403\" height=\"516\" src=\"\/wp-content\/uploads\/2020\/08\/image-3.png\" alt=\"\" class=\"wp-image-7506\" srcset=\"\/wp-content\/uploads\/2020\/08\/image-3.png 403w, \/wp-content\/uploads\/2020\/08\/image-3-234x300.png 234w\" sizes=\"(max-width: 403px) 100vw, 403px\" \/><\/figure>\n\n\n\n<p>Click &#8216;Next&#8217; on the &#8216;Welcome to the Certificate Export Wizard&#8217; page.  Choose &#8216;DER encoded binary X.509 (cer)&#8217; option and save to cer file.<\/p>\n\n\n\n<figure class=\"wp-block-image size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"534\" height=\"500\" src=\"\/wp-content\/uploads\/2020\/08\/image-4.png\" alt=\"\" class=\"wp-image-7507\" srcset=\"\/wp-content\/uploads\/2020\/08\/image-4.png 534w, \/wp-content\/uploads\/2020\/08\/image-4-300x281.png 300w\" sizes=\"(max-width: 534px) 100vw, 534px\" \/><\/figure>\n\n\n\n<h3 class=\"wp-block-heading\">Configuring the signing certificate using the MS Graph request<\/h3>\n\n\n\n<p>At this point we should have a pfx file, a cer file, and a pfx file password.  We will use all of this information to construct the following MS Graph request:<\/p>\n\n\n\n<p>PATCH <strong>https:\/\/graph.microsoft.com\/v1.0\/serviceprincipals\/&lt;Service Principal Object ID&gt;<\/strong><\/p>\n\n\n\n<p>Request body:<\/p>\n\n\n\n<p class=\"important-note\"><strong>Note<\/strong>:  This is not a complete request body.  For brevity, I am only emphasizing the main part related to private and public key.<\/p>\n\n\n\n<pre class=\"wp-block-syntaxhighlighter-code\">{\n    \"keyCredentials\":[\n        {\n\t    ...\n            \"type\": \"AsymmetricX509Cert\",\n            \"usage\": \"Sign\",\n            \"key\": Base64-encoded private key\n\n        },\n        {\n\t    ...\n            \"type\": \"AsymmetricX509Cert\",\n            \"usage\": \"Verify\",\n            \"key\": Base64-encoded public key\n\n        }\n    ],\n    \"passwordCredentials\": [\n        {\n\t    ...\n            \"secretText\": \"password for the pfx file\"\n        }\n    ]\n}<\/pre>\n\n\n\n<p class=\"important-note\"><strong>Note<\/strong>:  the passwordCredentials is <a href=\"https:\/\/github.com\/MicrosoftDocs\/azure-docs\/issues\/59275\" target=\"_blank\" rel=\"noreferrer noopener\" title=\"https:\/\/github.com\/MicrosoftDocs\/azure-docs\/issues\/59275\">required<\/a> in the above request.  Omitting it may result in the error &#8220;The value for the property \\&#8221;usage\\&#8221; in one of your credentials is invalid. Acceptable values are Sign, Verify.&#8221;<\/p>\n\n\n\n<p>There is also a PowerShell script to generate the above json body from the certificate files located <a href=\"https:\/\/gist.github.com\/bachoang\/30a882b5c70ca5b3852a23647fb6e4a8\" target=\"_blank\" rel=\"noopener\" title=\"here\">here<\/a>.<\/p>\n\n\n\n<p>Use the following PowerShell script with your info to send a PATCH request to configure the signing certificate for this SAML Application.  The script will attempt to download MSAL.Net module if it does not already exist on the machine and then use MSAL.Net to sign in to Azure AD.  You may need to run the following commands first to update both Nuget package and PowerShellGet.<\/p>\n\n\n\n<pre class=\"wp-block-syntaxhighlighter-code\">## Update Nuget Package and PowerShellGet Module\nInstall-PackageProvider NuGet -Force\nInstall-Module PowerShellGet -Force<\/pre>\n\n\n\n<p class=\"important-note\" id=\"important-note\"><strong>Note<\/strong>:  this script will replace the current keyCredentials and passwordCredentials configured for this Service Principal.  If you need to do an append operation, you will need to get the current selection first and append it to the payload.<\/p>\n\n\n\n<pre class=\"wp-block-syntaxhighlighter-code\">$ClientID = \"&lt;client ID>\"\n$loginURL       = \"https:\/\/login.microsoftonline.com\"\n$tenantdomain   = \"&lt;tenant>.onmicrosoft.com\"\n$redirectURL = \"http:\/\/localhost\" # this reply URL is needed for PowerShell Core \n[string[]] $Scopes = \"https:\/\/graph.microsoft.com\/.default\"\n$pfxpath = \"C:\\Users\\path\\certificate.pfx\" # path to pfx file\n$cerpath = \"C:\\Users\\path\\certificate.cer\" # path to cer file\n$SPOID = \"&lt;Service Principal Object ID>\"\n$graphuri = \"https:\/\/graph.microsoft.com\/v1.0\/serviceprincipals\/$SPOID\"\n$password = \"&lt;password for pfx file>\"  # password for the pfx file\n$CertDisplayName = \"CN = &lt;Your Cert Display Name>\" # \"CN=contoso\"\n\n\n# choose the correct folder name for MSAL based on PowerShell version 5.1 (.Net) or PowerShell Core (.Net Core)\n# script is tested on both PS 5.1 and PS Core 7\n\nif ($PSVersionTable.PSVersion.Major -gt 5)\n    { \n        $core = $true\n        $foldername =  \"netcoreapp2.1\"\n    }\nelse \n    { \n        $core = $false\n        $foldername = \"net45\"\n    }\n\n\n# Download MSAL.Net module to a local folder if it does not exist there\nif ( ! (Get-ChildItem $HOME\/MSAL\/lib\/Microsoft.Identity.Client.* -erroraction ignore) ) {\n    install-package -Source nuget.org -ProviderName nuget -SkipDependencies Microsoft.Identity.Client -Destination $HOME\/MSAL\/lib -force -forcebootstrap | out-null\n}\n \n# Load the MSAL assembly -- needed once per PowerShell session\n[System.Reflection.Assembly]::LoadFrom((Get-ChildItem $HOME\/MSAL\/lib\/Microsoft.Identity.Client.*\/lib\/$foldername\/Microsoft.Identity.Client.dll).fullname) | out-null\n \n$global:app = $null\n \n$ClientApplicationBuilder = [Microsoft.Identity.Client.PublicClientApplicationBuilder]::Create($ClientID)\n[void]$ClientApplicationBuilder.WithAuthority($(\"$loginURL\/$tenantdomain\"))\n[void]$ClientApplicationBuilder.WithRedirectUri($redirectURL)\n\n\n$global:app = $ClientApplicationBuilder.Build()\n \nFunction Get-GraphAccessTokenFromMSAL {\n    [Microsoft.Identity.Client.AuthenticationResult] $authResult  = $null\n    $AquireTokenParameters = $global:app.AcquireTokenInteractive($Scopes)\n    [IntPtr] $ParentWindow = [System.Diagnostics.Process]::GetCurrentProcess().MainWindowHandle\n    if ($ParentWindow)\n    {\n        [void]$AquireTokenParameters.WithParentActivityOrWindow($ParentWindow)\n    }\n    try {\n        $authResult = $AquireTokenParameters.ExecuteAsync().GetAwaiter().GetResult()\n    }\n    catch {\n        $ErrorMessage = $_.Exception.Message\n        Write-Host $ErrorMessage\n    }\n    \n    return $authResult\n}\n \n$myvar = Get-GraphAccessTokenFromMSAL\nif ($myvar)\n{\n    $GraphAccessToken = $myvar.AccessToken\n    Write-Host \"Access Token: \" $myvar.AccessToken\n\n    #  this is for PowerShell Core\n    $Secure_String_Pwd = ConvertTo-SecureString $password -AsPlainText -Force\n\n    # reading certificate files and creating Certificate Object\n    if ($core)\n    {\n        $pfx_cert = get-content $pfxpath -AsByteStream -Raw\n        $cer_cert = get-content $cerpath -AsByteStream -Raw\n        $cert = Get-PfxCertificate -FilePath $pfxpath -Password $Secure_String_Pwd\n    }\n    else \n    {\n        $pfx_cert = get-content $pfxpath -Encoding Byte\n        $cer_cert = get-content $cerpath -Encoding Byte\n        # Write-Host \"Enter password for the pfx file...\"\n        # calling Get-PfxCertificate in PowerShell 5.1 prompts for password\n        # $cert = Get-PfxCertificate -FilePath $pfxpath\n        $cert = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($pfxpath, $password)\n    }\n\n    # base 64 encode the private key and public key\n    $base64pfx = [System.Convert]::ToBase64String($pfx_cert)\n    $base64cer = [System.Convert]::ToBase64String($cer_cert)\n\n    # getting id for the keyCredential object\n    $guid1 = New-Guid\n    $guid1 = $guid1.ToString()\n    $guid2 = New-Guid\n    $guid2 = $guid2.ToString()\n\n    # get the custom key identifier from the certificate thumbprint:\n    $hasher = [System.Security.Cryptography.HashAlgorithm]::Create('sha256')\n    $hash = $hasher.ComputeHash([System.Text.Encoding]::UTF8.GetBytes($cert.Thumbprint))\n    $customKeyIdentifier = [System.Convert]::ToBase64String($hash)\n\n    # get end date and start date for our keycredentials\n    $endDateTime = ($cert.NotAfter).ToUniversalTime().ToString( \"yyyy-MM-ddTHH:mm:ssZ\" )\n    $startDateTime = ($cert.NotBefore).ToUniversalTime().ToString( \"yyyy-MM-ddTHH:mm:ssZ\" )\n\n    # building our json payload\n    $object = [ordered]@{    \n    keyCredentials = @(       \n         [ordered]@{            \n            customKeyIdentifier = $customKeyIdentifier\n            endDateTime = $endDateTime\n            keyId = $guid1\n            startDateTime = $startDateTime  \n            type = \"AsymmetricX509Cert\" \n            usage = \"Sign\"\n            key = $base64pfx\n            displayName = $CertDisplayName  \n        },\n        [ordered]@{            \n            customKeyIdentifier = $customKeyIdentifier\n            endDateTime = $endDateTime\n            keyId = $guid2\n            startDateTime = $startDateTime  \n            type = \"AsymmetricX509Cert\" \n            usage = \"Verify\"\n            key = $base64cer\n            displayName = $CertDisplayName    \n        }\n        )  \n    passwordCredentials = @(\n        [ordered]@{\n            customKeyIdentifier = $customKeyIdentifier\n            keyId = $guid1            \n            endDateTime = $endDateTime\n            startDateTime = $startDateTime\n            secretText = $password \n        }\n    )\n    }\n\n    $json = $object | ConvertTo-Json -Depth 99\n    Write-Host \"JSON Payload:\"\n    Write-Output $json\n\n    # Request Header\n    $Header = @{}\n    $Header.Add(\"Authorization\",\"Bearer $($GraphAccessToken)\")\n    $Header.Add(\"Content-Type\",\"application\/json\")\n\n    try \n    {\n        Invoke-RestMethod -Uri $graphuri -Method \"PATCH\" -Headers $Header -Body $json\n    } \n    catch \n    {\n        # Dig into the exception to get the Response details.\n        # Note that value__ is not a typo.\n        Write-Host \"StatusCode:\" $_.Exception.Response.StatusCode.value__ \n        Write-Host \"StatusDescription:\" $_.Exception.Response.StatusDescription\n    }\n\n    Write-Host \"Complete Request\"\n}\nelse \n{\n    Write-Host \"Fail to get Access Token\"\n}\n<\/pre>\n\n\n\n<p>If the script completes successfully we should see the thumbprint of our certificate showing up for this application:<\/p>\n\n\n\n<div class=\"img-zoom-container\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"303\" src=\"\/wp-content\/uploads\/2020\/08\/image-5-1024x303.png\" alt=\"\" class=\"wp-image-7525\" srcset=\"\/wp-content\/uploads\/2020\/08\/image-5-1024x303.png 1024w, \/wp-content\/uploads\/2020\/08\/image-5-300x89.png 300w, \/wp-content\/uploads\/2020\/08\/image-5-768x227.png 768w, \/wp-content\/uploads\/2020\/08\/image-5.png 1037w\" sizes=\"(max-width: 1024px) 100vw, 1024px\" \/><\/div>\n\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\"\/>\n\n\n\n<p><strong>Last Updated on 8\/19\/2022<\/strong><\/p>\n","protected":false},"excerpt":{"rendered":"<p>In my last blog post I talked about how to use PowerShell to instantiate an MSAL Confidential Client Application to acquire an access token using Client Credentials Grant flow. In this post we will use PowerShell to instantiate an MSAL Public Client Application to perform an Authorization Code Grant flow to obtain a delegated permission Access Token for Microsoft Graph. We will then use that access token to call Microsoft&hellip;<\/p>\n","protected":false},"author":3,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[4,5,210,10,179,225],"tags":[60,100,186,115,223],"class_list":["post-7486","post","type-post","status-publish","format-standard","hentry","category-authentication-flows","category-azure-ad","category-enterprise-application","category-microsoftgraph","category-msal","category-powershell","tag-enterprise-application","tag-microsoft-graph","tag-msal-net","tag-powershell","tag-sso"],"_links":{"self":[{"href":"https:\/\/blogs.aaddevsup.xyz\/wp-json\/wp\/v2\/posts\/7486"}],"collection":[{"href":"https:\/\/blogs.aaddevsup.xyz\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/blogs.aaddevsup.xyz\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/blogs.aaddevsup.xyz\/wp-json\/wp\/v2\/users\/3"}],"replies":[{"embeddable":true,"href":"https:\/\/blogs.aaddevsup.xyz\/wp-json\/wp\/v2\/comments?post=7486"}],"version-history":[{"count":47,"href":"https:\/\/blogs.aaddevsup.xyz\/wp-json\/wp\/v2\/posts\/7486\/revisions"}],"predecessor-version":[{"id":9305,"href":"https:\/\/blogs.aaddevsup.xyz\/wp-json\/wp\/v2\/posts\/7486\/revisions\/9305"}],"wp:attachment":[{"href":"https:\/\/blogs.aaddevsup.xyz\/wp-json\/wp\/v2\/media?parent=7486"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/blogs.aaddevsup.xyz\/wp-json\/wp\/v2\/categories?post=7486"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/blogs.aaddevsup.xyz\/wp-json\/wp\/v2\/tags?post=7486"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}