{"id":25190133,"url":"https://github.com/keyfactor/azure-application-orchestrator","last_synced_at":"2026-05-01T17:01:19.532Z","repository":{"id":229909153,"uuid":"633071743","full_name":"Keyfactor/azure-application-orchestrator","owner":"Keyfactor","description":"Keyfactor orchestrator extension to inventory and manage Azure App Registration/Application, and Azure Enterprise Application/Service Principal certificates","archived":false,"fork":false,"pushed_at":"2026-05-01T15:08:05.000Z","size":1829,"stargazers_count":0,"open_issues_count":1,"forks_count":0,"subscribers_count":4,"default_branch":"main","last_synced_at":"2026-05-01T16:31:13.828Z","etag":null,"topics":["keyfactor-universal-orchestrator"],"latest_commit_sha":null,"homepage":"","language":"C#","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":null,"status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/Keyfactor.png","metadata":{"files":{"readme":"README.md","changelog":"CHANGELOG.md","contributing":null,"funding":null,"license":null,"code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null,"zenodo":null,"notice":null,"maintainers":null,"copyright":null,"agents":null,"dco":null,"cla":null}},"created_at":"2023-04-26T18:08:38.000Z","updated_at":"2026-03-17T20:03:20.000Z","dependencies_parsed_at":"2026-03-13T00:00:46.738Z","dependency_job_id":null,"html_url":"https://github.com/Keyfactor/azure-application-orchestrator","commit_stats":null,"previous_names":["keyfactor/azure-application-orchestrator"],"tags_count":74,"template":false,"template_full_name":null,"purl":"pkg:github/Keyfactor/azure-application-orchestrator","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/Keyfactor%2Fazure-application-orchestrator","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/Keyfactor%2Fazure-application-orchestrator/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/Keyfactor%2Fazure-application-orchestrator/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/Keyfactor%2Fazure-application-orchestrator/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/Keyfactor","download_url":"https://codeload.github.com/Keyfactor/azure-application-orchestrator/tar.gz/refs/heads/main","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/Keyfactor%2Fazure-application-orchestrator/sbom","scorecard":null,"host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":286080680,"owners_count":32505110,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2026-04-30T13:12:12.517Z","status":"online","status_checked_at":"2026-05-01T02:00:05.856Z","response_time":64,"last_error":null,"robots_txt_status":"success","robots_txt_updated_at":"2025-07-24T06:49:26.215Z","robots_txt_url":"https://github.com/robots.txt","online":true,"can_crawl_api":true,"host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["keyfactor-universal-orchestrator"],"created_at":"2025-02-09T21:19:02.233Z","updated_at":"2026-05-01T17:01:19.418Z","avatar_url":"https://github.com/Keyfactor.png","language":"C#","funding_links":[],"categories":[],"sub_categories":[],"readme":"\u003ch1 align=\"center\" style=\"border-bottom: none\"\u003e\n    Azure App Registration and Enterprise Application Universal Orchestrator Extension\n\u003c/h1\u003e\n\n\u003cp align=\"center\"\u003e\n  \u003c!-- Badges --\u003e\n\u003cimg src=\"https://img.shields.io/badge/integration_status-production-3D1973?style=flat-square\" alt=\"Integration Status: production\" /\u003e\n\u003ca href=\"https://github.com/Keyfactor/azure-application-orchestrator/releases\"\u003e\u003cimg src=\"https://img.shields.io/github/v/release/Keyfactor/azure-application-orchestrator?style=flat-square\" alt=\"Release\" /\u003e\u003c/a\u003e\n\u003cimg src=\"https://img.shields.io/github/issues/Keyfactor/azure-application-orchestrator?style=flat-square\" alt=\"Issues\" /\u003e\n\u003cimg src=\"https://img.shields.io/github/downloads/Keyfactor/azure-application-orchestrator/total?style=flat-square\u0026label=downloads\u0026color=28B905\" alt=\"GitHub Downloads (all assets, all releases)\" /\u003e\n\u003c/p\u003e\n\n\u003cp align=\"center\"\u003e\n  \u003c!-- TOC --\u003e\n  \u003ca href=\"#support\"\u003e\n    \u003cb\u003eSupport\u003c/b\u003e\n  \u003c/a\u003e\n  ·\n  \u003ca href=\"#installation\"\u003e\n    \u003cb\u003eInstallation\u003c/b\u003e\n  \u003c/a\u003e\n  ·\n  \u003ca href=\"#license\"\u003e\n    \u003cb\u003eLicense\u003c/b\u003e\n  \u003c/a\u003e\n  ·\n  \u003ca href=\"https://github.com/orgs/Keyfactor/repositories?q=orchestrator\"\u003e\n    \u003cb\u003eRelated Integrations\u003c/b\u003e\n  \u003c/a\u003e\n\u003c/p\u003e\n\n## Overview\n\nThe Azure App Registration and Enterprise Application Orchestrator extension remotely manages both\nAzure [App Registration/Application](https://learn.microsoft.com/en-us/entra/identity-platform/certificate-credentials)\ncertificates\nand [Enterprise Application/Service Principal](https://docs.microsoft.com/en-us/azure/active-directory/develop/enterprise-apps-certificate-credentials)\ncertificates. Application certificates are typically public key only and used for client certificate authentication,\nwhile Service Principal certificates are commonly used\nfor [SAML Assertion signing](https://learn.microsoft.com/en-us/entra/identity/enterprise-apps/tutorial-manage-certificates-for-federated-single-sign-on).\nThe extension implements the Inventory, Management Add, Management Remove and Discovery job types.\n\nCertificates used for client authentication by Applications (configured in App Registrations) are represented by the [\n`AzureApp` store type](docs/azureapp.md), and certificates used for SSO/SAML assertion signing are represented by the [\n`AzureSP` store type](docs/azuresp.md). Both store types are managed by the same extension. The extension is configured\nwith a single Azure Service Principal used to authenticate to\nthe [Microsoft Graph API](https://learn.microsoft.com/en-us/graph/use-the-api). The Azure App Registration and\nEnterprise Application Orchestrator extension manages certificates for Azure App Registrations (Applications) and\nEnterprise Applications (Service Principals) differently.\n\nThe Azure App Registration and Enterprise Application Universal Orchestrator extension implements 4 Certificate Store Types. Depending on your use case, you may elect to use one, or all of these Certificate Store Types. Descriptions of each are provided below.\n\n- [Azure App Registration (Application)](#AzureApp)\n\n- [Azure Enterprise Application (Service Principal)](#AzureSP)\n\n- [Azure App Registration 2 (Application)](#AzureApp2)\n\n- [Azure Enterprise Application 2 (Service Principal)](#AzureSP2)\n\n\n## Compatibility\n\nThis integration is compatible with Keyfactor Universal Orchestrator version 10.4 and later.\n\n## Support\nThe Azure App Registration and Enterprise Application Universal Orchestrator extension is supported by Keyfactor. If you require support for any issues or have feature request, please open a support ticket by either contacting your Keyfactor representative or via the Keyfactor Support Portal at https://support.keyfactor.com.\n\n\u003e If you want to contribute bug fixes or additional enhancements, use the **[Pull requests](../../pulls)** tab.\n\n## Requirements \u0026 Prerequisites\n\nBefore installing the Azure App Registration and Enterprise Application Universal Orchestrator extension, we recommend that you install [kfutil](https://github.com/Keyfactor/kfutil). Kfutil is a command-line tool that simplifies the process of creating store types, installing extensions, and instantiating certificate stores in Keyfactor Command.\n\n\n### Azure Service Principal (Graph API Authentication)\n\nThe Azure App Registration and Enterprise Application Orchestrator extension uses\nan [Azure Service Principal](https://learn.microsoft.com/en-us/entra/identity-platform/app-objects-and-service-principals?tabs=browser)\nfor authentication.\nFollow [Microsoft's documentation](https://learn.microsoft.com/en-us/entra/identity-platform/howto-create-service-principal-portal)\nto create a service principal. Currently, both Client Secret authentication and Client Certificate authentication (mTLS)\nare supported.\n\nThe Service Principal must have the following API Permission:\n\n- **_Microsoft Graph Application Permissions_**:\n    - `Application.ReadWrite.All` (_not_ Delegated; Admin Consent)—Allows the app to create, read, update and delete\n      applications and service principals without a signed-in user.\n\n\u003e [!NOTE]\n\u003e For more information on Admin Consent for App-only access (also called \"Application Permissions\"), see\n\u003e the [primer on application-only access](https://learn.microsoft.com/en-us/azure/active-directory/develop/app-only-access-primer).\n\nAlternatively, the Service Principal can be granted the `Application.ReadWrite.OwnedBy` permission if the Service\nPrincipal is only intended to manage its own App Registration/Application.\n\n#### Client Certificate or Client Secret\n\nBeginning in version 3.0.0, the Azure App Registration and Enterprise Application Orchestrator extension supports\nboth [client certificate authentication](https://learn.microsoft.com/en-us/graph/auth-register-app-v2#option-1-add-a-certificate)\nand [client secret](https://learn.microsoft.com/en-us/graph/auth-register-app-v2#option-2-add-a-client-secret)\nauthentication.\n\n* **Client Secret—** Follow [Microsoft's documentation](https://learn.microsoft.com/en-us/graph/auth-register-app-v2#option-2-add-a-client-secret)\n  to create a Client Secret. This secret will be used as the **Server Password** field in\n  the [Certificate Store Configuration](#certificate-store-configuration) section.\n* **Client Certificate—** Create a client certificate key pair with the Client Authentication extended key usage. The\n  client certificate will be used in the ClientCertificate field in\n  the [Certificate Store Configuration](#certificate-store-configuration) section. If you have access to Keyfactor\n  Command, the instructions in this section walk you through enrolling a certificate and ensuring that it's in the\n  correct format. Once enrolled,\n  follow [Microsoft's documentation](https://learn.microsoft.com/en-us/graph/auth-register-app-v2#option-1-add-a-certificate)\n  to add the _public key_ certificate (no private key) to the service principal used for authentication.\n\n  The certificate can be in either of the following formats:\n    * Base64-encoded PKCS#12 (PFX) with a matching private key.\n    * Base64-encoded PEM-encoded certificate _and_ PEM-encoded PKCS8 private key. Make sure that the certificate and\n      private key are separated with a newline. The order doesn't matter; the extension will determine which is which.\n\n  If the private key is encrypted, the encryption password will replace the **Server Password** field in\n  the [Certificate Store Configuration](#certificate-store-configuration) section.\n\n#### Creating and Formatting a Client Certificate using Keyfactor Command\n\nTo get started quickly, you can follow the instructions below to create and properly format a client certificate to\nauthenticate to the Microsoft Graph API.\n\n1. In Keyfactor Command, hover over **Enrollment** and select **PFX Enrollment**.\n2. Select a **Template** that supports Client Authentication as an extended key usage.\n3. Populate the certificate subject as appropriate for the Template. It may be enough to only populate the Common\n     Name, but consult your IT policy to ensure that this certificate is compliant.\n4. At the bottom of the page, uncheck the box for **Include Chain**, and select either **PFX** or **PEM** as the\n     certificate Format.\n5. Make a note of the password on the next page *it won't be shown again*.\n6. Prepare the certificate and private key for Azure and the Orchestrator extension:\n     \n   * If you downloaded the certificate in PEM format, use the commands below:\n  \n       ```shell\n          # Verify that the certificate downloaded from Command contains the certificate and private key. They should be in the same file\n          cat \u003cyour_certificate.pem\n\n          # Separate the certificate from the private key\n          openssl x509 -in \u003cyour_certificate.pem-out pubkeycert.pem\n\n          # Base64 encode the certificate and private key\n          cat \u003cyour_certificate.pem| base64 clientcertkeypair.pem.base64\n      ```\n\n      * If you downloaded the certificate in PFX format, use the commands below:\n       \n      ```shell\n          # Export the certificate from the PFX file\n          openssl pkcs12 -in \u003cyour_certificate.pfx-clcerts -nokeys -out pubkeycert.pem\n\n          # Base64 encode the PFX file\n          cat \u003cyour_certificate.pfx| base64 clientcert.pfx.base64\n       ```\n     \n7. Follow [Microsoft's documentation](https://learn.microsoft.com/en-us/graph/auth-register-app-v2#option-1-add-a-certificate)\nto add the public key certificate to the service principal used for authentication.\n\nYou will use `clientcert.[pem|pfx].base64` as the **ClientCertificate** field in\nthe [Certificate Store Configuration](#certificate-store-configuration) section.\n\nThe Azure App Registration and Enterprise Application Orchestrator extension uses\nthe [Microsoft Dotnet Graph SDK](https://learn.microsoft.com/en-us/graph/sdks/sdks-overview) to interact with the\nMicrosoft Graph API. The extension uses the following Graph API endpoints to manage Application certificates:\n\n* [Get Application](https://learn.microsoft.com/en-us/graph/api/application-get?view=graph-rest-1.0\u0026tabs=http) - Used to\n  get the Object ID of the App Registration and to download the certificates owned by the App Registration.\n* [Update Application](https://learn.microsoft.com/en-us/graph/api/application-update?view=graph-rest-1.0\u0026tabs=http) - Used to modify the App Registration to add or remove certificates.\n    * Specifically, the extension manipulates the [`keyCredentials` resource](https://learn.microsoft.com/en-us/graph/api/resources/keycredential?view=graph-rest-1.0) of the Application object.\n\n\n## Certificate Store Types\n\nTo use the Azure App Registration and Enterprise Application Universal Orchestrator extension, you **must** create the Certificate Store Types required for your use-case. This only needs to happen _once_ per Keyfactor Command instance.\n\nThe Azure App Registration and Enterprise Application Universal Orchestrator extension implements 4 Certificate Store Types. Depending on your use case, you may elect to use one, or all of these Certificate Store Types.\n\n### AzureApp\n\n\u003cdetails\u003e\u003csummary\u003eClick to expand details\u003c/summary\u003e\n\n\nAzure [App Registration/Application certificates](https://learn.microsoft.com/en-us/entra/identity-platform/certificate-credentials)\nare typically used for client authentication by applications and are typically public key only in Azure. The general\nmodel by which these credentials are consumed is that the certificate and private key are accessible by the Application\nusing the App Registration, and are passed to the service authenticating the Application. The Azure App\nRegistration and Enterprise Application Orchestrator extension implements the Inventory, Management Add, Management\nRemove, and Discovery job types for managing these certificates.\n\n\u003e [!WARNING]\n\u003e AzureApp \"Azure App Registration (Application)\" is **Deprecated**. Please use **AzureApp2** \"Azure App\n\u003e Registration 2 (Application)\" instead.\n\n\n\n\n#### Azure App Registration (Application) Requirements\n\nApplication certificates are used for client authentication and are typically public key only. No additional\nconfiguration in Azure is necessary to manage Application certificates since all App Registrations can contain any\nnumber\nof [Certificates and Secrets](https://learn.microsoft.com/en-us/entra/identity-platform/quickstart-register-app#add-credentials).\nUnless the Discovery job is used, you should collect the Application IDs for each App Registration that contains\ncertificates to be managed.\n\n\n\n#### Supported Operations\n\n| Operation    | Is Supported                                                                                                           |\n|--------------|------------------------------------------------------------------------------------------------------------------------|\n| Add          | ✅ Checked        |\n| Remove       | ✅ Checked     |\n| Discovery    | ✅ Checked  |\n| Reenrollment | 🔲 Unchecked |\n| Create       | 🔲 Unchecked     |\n\n#### Store Type Creation\n\n##### Using kfutil:\n`kfutil` is a custom CLI for the Keyfactor Command API and can be used to create certificate store types.\nFor more information on [kfutil](https://github.com/Keyfactor/kfutil) check out the [docs](https://github.com/Keyfactor/kfutil?tab=readme-ov-file#quickstart)\n   \u003cdetails\u003e\u003csummary\u003eClick to expand AzureApp kfutil details\u003c/summary\u003e\n\n   ##### Using online definition from GitHub:\n   This will reach out to GitHub and pull the latest store-type definition\n   ```shell\n   # Azure App Registration (Application)\n   kfutil store-types create AzureApp\n   ```\n\n   ##### Offline creation using integration-manifest file:\n   If required, it is possible to create store types from the [integration-manifest.json](./integration-manifest.json) included in this repo.\n   You would first download the [integration-manifest.json](./integration-manifest.json) and then run the following command\n   in your offline environment.\n   ```shell\n   kfutil store-types create --from-file integration-manifest.json\n   ```\n   \u003c/details\u003e\n\n\n#### Manual Creation\nBelow are instructions on how to create the AzureApp store type manually in\nthe Keyfactor Command Portal\n   \u003cdetails\u003e\u003csummary\u003eClick to expand manual AzureApp details\u003c/summary\u003e\n\n   Create a store type called `AzureApp` with the attributes in the tables below:\n\n   ##### Basic Tab\n   | Attribute | Value | Description |\n   | --------- | ----- | ----- |\n   | Name | Azure App Registration (Application) | Display name for the store type (may be customized) |\n   | Short Name | AzureApp | Short display name for the store type |\n   | Capability | AzureApp | Store type name orchestrator will register with. Check the box to allow entry of value |\n   | Supports Add | ✅ Checked | Check the box. Indicates that the Store Type supports Management Add |\n   | Supports Remove | ✅ Checked | Check the box. Indicates that the Store Type supports Management Remove |\n   | Supports Discovery | ✅ Checked | Check the box. Indicates that the Store Type supports Discovery |\n   | Supports Reenrollment | 🔲 Unchecked |  Indicates that the Store Type supports Reenrollment |\n   | Supports Create | 🔲 Unchecked |  Indicates that the Store Type supports store creation |\n   | Needs Server | ✅ Checked | Determines if a target server name is required when creating store |\n   | Blueprint Allowed | 🔲 Unchecked | Determines if store type may be included in an Orchestrator blueprint |\n   | Uses PowerShell | 🔲 Unchecked | Determines if underlying implementation is PowerShell |\n   | Requires Store Password | 🔲 Unchecked | Enables users to optionally specify a store password when defining a Certificate Store. |\n   | Supports Entry Password | 🔲 Unchecked | Determines if an individual entry within a store can have a password. |\n\n   The Basic tab should look like this:\n\n   ![AzureApp Basic Tab](docsource/images/AzureApp-basic-store-type-dialog.png)\n\n   ##### Advanced Tab\n   | Attribute | Value | Description |\n   | --------- | ----- | ----- |\n   | Supports Custom Alias | Required | Determines if an individual entry within a store can have a custom Alias. |\n   | Private Key Handling | Forbidden | This determines if Keyfactor can send the private key associated with a certificate to the store. Required because IIS certificates without private keys would be invalid. |\n   | PFX Password Style | Default | 'Default' - PFX password is randomly generated, 'Custom' - PFX password may be specified when the enrollment job is created (Requires the Allow Custom Password application setting to be enabled.) |\n\n   The Advanced tab should look like this:\n\n   ![AzureApp Advanced Tab](docsource/images/AzureApp-advanced-store-type-dialog.png)\n\n   \u003e For Keyfactor **Command versions 24.4 and later**, a Certificate Format dropdown is available with PFX and PEM options. Ensure that **PFX** is selected, as this determines the format of new and renewed certificates sent to the Orchestrator during a Management job. Currently, all Keyfactor-supported Orchestrator extensions support only PFX.\n\n   ##### Custom Fields Tab\n   Custom fields operate at the certificate store level and are used to control how the orchestrator connects to the remote target server containing the certificate store to be managed. The following custom fields should be added to the store type:\n\n   | Name | Display Name | Description | Type | Default Value/Options | Required |\n   | ---- | ------------ | ---- | --------------------- | -------- | ----------- |\n   | ServerUsername | Server Username | The Application ID of the Service Principal used to authenticate with Microsoft Graph for managing Application/Service Principal certificates. | Secret |  | ✅ Checked |\n   | ServerPassword | Server Password | A Client Secret that the extension will use to authenticate with Microsoft Graph for managing Application/Service Principal certificates, OR the password that encrypts the private key in ClientCertificate. If Client Cert Auth is used _and_ the Client Certificate's private key is not encrypted, you **must** select 'No Value' for this field. | Secret |  | 🔲 Unchecked |\n   | ClientCertificate | Client Certificate | The client certificate used to authenticate with Microsoft Graph for managing Application/Service Principal certificates. See the [requirements](#client-certificate-or-client-secret) for more information. If Client Certificate Auth is not used, you **must** select 'No Value' for this field. | Secret |  | 🔲 Unchecked |\n   | AzureCloud | Azure Global Cloud Authority Host | Specifies the Azure Cloud instance used by the organization. | MultipleChoice | public,china,germany,government | 🔲 Unchecked |\n   | ServerUseSsl | Use SSL | Specifies whether SSL should be used for communication with the server. Set to 'true' to enable SSL, and 'false' to disable it. | Bool | true | ✅ Checked |\n\n   The Custom Fields tab should look like this:\n\n   ![AzureApp Custom Fields Tab](docsource/images/AzureApp-custom-fields-store-type-dialog.png)\n\n\n   ###### Server Username\n   The Application ID of the Service Principal used to authenticate with Microsoft Graph for managing Application/Service Principal certificates.\n\n\n   \u003e [!IMPORTANT]\n   \u003e This field is created by the `Needs Server` on the Basic tab, do not create this field manually.\n\n\n\n\n   ###### Server Password\n   A Client Secret that the extension will use to authenticate with Microsoft Graph for managing Application/Service Principal certificates, OR the password that encrypts the private key in ClientCertificate. If Client Cert Auth is used _and_ the Client Certificate's private key is not encrypted, you **must** select 'No Value' for this field.\n\n\n   \u003e [!IMPORTANT]\n   \u003e This field is created by the `Needs Server` on the Basic tab, do not create this field manually.\n\n\n\n\n   ###### Client Certificate\n   The client certificate used to authenticate with Microsoft Graph for managing Application/Service Principal certificates. See the [requirements](#client-certificate-or-client-secret) for more information. If Client Certificate Auth is not used, you **must** select 'No Value' for this field.\n\n   ![AzureApp Custom Field - ClientCertificate](docsource/images/AzureApp-custom-field-ClientCertificate-dialog.png)\n   ![AzureApp Custom Field - ClientCertificate](docsource/images/AzureApp-custom-field-ClientCertificate-validation-options-dialog.png)\n\n\n\n   ###### Azure Global Cloud Authority Host\n   Specifies the Azure Cloud instance used by the organization.\n\n   ![AzureApp Custom Field - AzureCloud](docsource/images/AzureApp-custom-field-AzureCloud-dialog.png)\n   ![AzureApp Custom Field - AzureCloud](docsource/images/AzureApp-custom-field-AzureCloud-validation-options-dialog.png)\n\n\n\n   ###### Use SSL\n   Specifies whether SSL should be used for communication with the server. Set to 'true' to enable SSL, and 'false' to disable it.\n\n   ![AzureApp Custom Field - ServerUseSsl](docsource/images/AzureApp-custom-field-ServerUseSsl-dialog.png)\n   ![AzureApp Custom Field - ServerUseSsl](docsource/images/AzureApp-custom-field-ServerUseSsl-validation-options-dialog.png)\n\n\n\n\n\n   \u003c/details\u003e\n\u003c/details\u003e\n\n### AzureSP\n\n\u003cdetails\u003e\u003csummary\u003eClick to expand details\u003c/summary\u003e\n\n\nThe Azure Enterprise Application/Service Principal certificate operations are implemented by the `AzureSP` store type,\nand supports the management of a single certificate for use in `SSO/SAML` assertion signing. The Management Add\noperation is only supported with the certificate replacement option, since adding a new certificate will replace the\nexisting\ncertificate. The Add operation will also set newly added certificates as the active certificate for SSO/SAML usage. The\nManagement Remove operation removes the certificate from the Enterprise Application/Service Principal, which is the same\nas removing the SSO/SAML signing certificate. The Discovery operation discovers all Enterprise Applications/Service\nPrincipals in the tenant.\n\n\u003e [!WARNING]\n\u003e AzureSP \"Azure Enterprise Application (Service Principal)\" is **Deprecated**. Please use **AzureSP2** Azure\n\u003e \"Enterprise Application 2 (Service Principal)\" instead.\n\n\n\n\n#### Azure Enterprise Application (Service Principal) Requirements\n\nService Principal certificates are typically used for SAML Token signing. Service Principals are created from Enterprise\nApplications and will mostly be configured with a variation of\nMicrosoft's [SAML-based single sign-on](https://learn.microsoft.com/en-us/entra/identity/enterprise-apps/add-application-portal)\ndocumentation. For more information on the mechanics of the Service Principal certificate management capabilities,\nplease see the [mechanics](#extension-mechanics) section.\n\n\n\n#### Supported Operations\n\n| Operation    | Is Supported                                                                                                           |\n|--------------|------------------------------------------------------------------------------------------------------------------------|\n| Add          | ✅ Checked        |\n| Remove       | ✅ Checked     |\n| Discovery    | ✅ Checked  |\n| Reenrollment | 🔲 Unchecked |\n| Create       | 🔲 Unchecked     |\n\n#### Store Type Creation\n\n##### Using kfutil:\n`kfutil` is a custom CLI for the Keyfactor Command API and can be used to create certificate store types.\nFor more information on [kfutil](https://github.com/Keyfactor/kfutil) check out the [docs](https://github.com/Keyfactor/kfutil?tab=readme-ov-file#quickstart)\n   \u003cdetails\u003e\u003csummary\u003eClick to expand AzureSP kfutil details\u003c/summary\u003e\n\n   ##### Using online definition from GitHub:\n   This will reach out to GitHub and pull the latest store-type definition\n   ```shell\n   # Azure Enterprise Application (Service Principal)\n   kfutil store-types create AzureSP\n   ```\n\n   ##### Offline creation using integration-manifest file:\n   If required, it is possible to create store types from the [integration-manifest.json](./integration-manifest.json) included in this repo.\n   You would first download the [integration-manifest.json](./integration-manifest.json) and then run the following command\n   in your offline environment.\n   ```shell\n   kfutil store-types create --from-file integration-manifest.json\n   ```\n   \u003c/details\u003e\n\n\n#### Manual Creation\nBelow are instructions on how to create the AzureSP store type manually in\nthe Keyfactor Command Portal\n   \u003cdetails\u003e\u003csummary\u003eClick to expand manual AzureSP details\u003c/summary\u003e\n\n   Create a store type called `AzureSP` with the attributes in the tables below:\n\n   ##### Basic Tab\n   | Attribute | Value | Description |\n   | --------- | ----- | ----- |\n   | Name | Azure Enterprise Application (Service Principal) | Display name for the store type (may be customized) |\n   | Short Name | AzureSP | Short display name for the store type |\n   | Capability | AzureSP | Store type name orchestrator will register with. Check the box to allow entry of value |\n   | Supports Add | ✅ Checked | Check the box. Indicates that the Store Type supports Management Add |\n   | Supports Remove | ✅ Checked | Check the box. Indicates that the Store Type supports Management Remove |\n   | Supports Discovery | ✅ Checked | Check the box. Indicates that the Store Type supports Discovery |\n   | Supports Reenrollment | 🔲 Unchecked |  Indicates that the Store Type supports Reenrollment |\n   | Supports Create | 🔲 Unchecked |  Indicates that the Store Type supports store creation |\n   | Needs Server | ✅ Checked | Determines if a target server name is required when creating store |\n   | Blueprint Allowed | 🔲 Unchecked | Determines if store type may be included in an Orchestrator blueprint |\n   | Uses PowerShell | 🔲 Unchecked | Determines if underlying implementation is PowerShell |\n   | Requires Store Password | 🔲 Unchecked | Enables users to optionally specify a store password when defining a Certificate Store. |\n   | Supports Entry Password | 🔲 Unchecked | Determines if an individual entry within a store can have a password. |\n\n   The Basic tab should look like this:\n\n   ![AzureSP Basic Tab](docsource/images/AzureSP-basic-store-type-dialog.png)\n\n   ##### Advanced Tab\n   | Attribute | Value | Description |\n   | --------- | ----- | ----- |\n   | Supports Custom Alias | Required | Determines if an individual entry within a store can have a custom Alias. |\n   | Private Key Handling | Required | This determines if Keyfactor can send the private key associated with a certificate to the store. Required because IIS certificates without private keys would be invalid. |\n   | PFX Password Style | Default | 'Default' - PFX password is randomly generated, 'Custom' - PFX password may be specified when the enrollment job is created (Requires the Allow Custom Password application setting to be enabled.) |\n\n   The Advanced tab should look like this:\n\n   ![AzureSP Advanced Tab](docsource/images/AzureSP-advanced-store-type-dialog.png)\n\n   \u003e For Keyfactor **Command versions 24.4 and later**, a Certificate Format dropdown is available with PFX and PEM options. Ensure that **PFX** is selected, as this determines the format of new and renewed certificates sent to the Orchestrator during a Management job. Currently, all Keyfactor-supported Orchestrator extensions support only PFX.\n\n   ##### Custom Fields Tab\n   Custom fields operate at the certificate store level and are used to control how the orchestrator connects to the remote target server containing the certificate store to be managed. The following custom fields should be added to the store type:\n\n   | Name | Display Name | Description | Type | Default Value/Options | Required |\n   | ---- | ------------ | ---- | --------------------- | -------- | ----------- |\n   | ServerUsername | Server Username | The Application ID of the Service Principal used to authenticate with Microsoft Graph for managing Application/Service Principal certificates. | Secret |  | ✅ Checked |\n   | ServerPassword | Server Password | A Client Secret that the extension will use to authenticate with Microsoft Graph for managing Application/Service Principal certificates, OR the password that encrypts the private key in ClientCertificate. If Client Cert Auth is used _and_ the Client Certificate's private key is not encrypted, you **must** select 'No Value' for this field. | Secret |  | 🔲 Unchecked |\n   | ClientCertificate | Client Certificate | The client certificate used to authenticate with Microsoft Graph for managing Application/Service Principal certificates. See the [requirements](#client-certificate-or-client-secret) for more information. If Client Certificate Auth is not used, you **must** select 'No Value' for this field. | Secret |  | 🔲 Unchecked |\n   | AzureCloud | Azure Global Cloud Authority Host | Specifies the Azure Cloud instance used by the organization. | MultipleChoice | public,china,germany,government | 🔲 Unchecked |\n   | ServerUseSsl | Use SSL | Specifies whether SSL should be used for communication with the server. Set to 'true' to enable SSL, and 'false' to disable it. | Bool | true | ✅ Checked |\n\n   The Custom Fields tab should look like this:\n\n   ![AzureSP Custom Fields Tab](docsource/images/AzureSP-custom-fields-store-type-dialog.png)\n\n\n   ###### Server Username\n   The Application ID of the Service Principal used to authenticate with Microsoft Graph for managing Application/Service Principal certificates.\n\n\n   \u003e [!IMPORTANT]\n   \u003e This field is created by the `Needs Server` on the Basic tab, do not create this field manually.\n\n\n\n\n   ###### Server Password\n   A Client Secret that the extension will use to authenticate with Microsoft Graph for managing Application/Service Principal certificates, OR the password that encrypts the private key in ClientCertificate. If Client Cert Auth is used _and_ the Client Certificate's private key is not encrypted, you **must** select 'No Value' for this field.\n\n\n   \u003e [!IMPORTANT]\n   \u003e This field is created by the `Needs Server` on the Basic tab, do not create this field manually.\n\n\n\n\n   ###### Client Certificate\n   The client certificate used to authenticate with Microsoft Graph for managing Application/Service Principal certificates. See the [requirements](#client-certificate-or-client-secret) for more information. If Client Certificate Auth is not used, you **must** select 'No Value' for this field.\n\n   ![AzureSP Custom Field - ClientCertificate](docsource/images/AzureSP-custom-field-ClientCertificate-dialog.png)\n   ![AzureSP Custom Field - ClientCertificate](docsource/images/AzureSP-custom-field-ClientCertificate-validation-options-dialog.png)\n\n\n\n   ###### Azure Global Cloud Authority Host\n   Specifies the Azure Cloud instance used by the organization.\n\n   ![AzureSP Custom Field - AzureCloud](docsource/images/AzureSP-custom-field-AzureCloud-dialog.png)\n   ![AzureSP Custom Field - AzureCloud](docsource/images/AzureSP-custom-field-AzureCloud-validation-options-dialog.png)\n\n\n\n   ###### Use SSL\n   Specifies whether SSL should be used for communication with the server. Set to 'true' to enable SSL, and 'false' to disable it.\n\n   ![AzureSP Custom Field - ServerUseSsl](docsource/images/AzureSP-custom-field-ServerUseSsl-dialog.png)\n   ![AzureSP Custom Field - ServerUseSsl](docsource/images/AzureSP-custom-field-ServerUseSsl-validation-options-dialog.png)\n\n\n\n\n\n   \u003c/details\u003e\n\u003c/details\u003e\n\n### AzureApp2\n\n\u003cdetails\u003e\u003csummary\u003eClick to expand details\u003c/summary\u003e\n\n\nAzure [App Registration/Application certificates](https://learn.microsoft.com/en-us/entra/identity-platform/certificate-credentials)\nare typically used for client authentication by applications and are typically public key only in Azure. The general\nmodel by which these credentials are consumed is that the certificate and private key are accessible by the Application\nusing the App Registration, and are passed to the service authenticating the Application. The Azure App\nRegistration and Enterprise Application Orchestrator extension implements the Inventory, Management Add, Management\nRemove, and Discovery job types for managing these certificates.\n\n\n\n\n#### Azure App Registration 2 (Application) Requirements\n\nApplication certificates are used for client authentication and are typically public key only. No additional\nconfiguration in Azure is necessary to manage Application certificates since all App Registrations can contain any\nnumber\nof [Certificates and Secrets](https://learn.microsoft.com/en-us/entra/identity-platform/quickstart-register-app#add-credentials).\nUnless the Discovery job is used, you should collect the Application IDs for each App Registration that contains\ncertificates to be managed.\n\n\n\n#### Supported Operations\n\n| Operation    | Is Supported                                                                                                           |\n|--------------|------------------------------------------------------------------------------------------------------------------------|\n| Add          | ✅ Checked        |\n| Remove       | ✅ Checked     |\n| Discovery    | ✅ Checked  |\n| Reenrollment | 🔲 Unchecked |\n| Create       | 🔲 Unchecked     |\n\n#### Store Type Creation\n\n##### Using kfutil:\n`kfutil` is a custom CLI for the Keyfactor Command API and can be used to create certificate store types.\nFor more information on [kfutil](https://github.com/Keyfactor/kfutil) check out the [docs](https://github.com/Keyfactor/kfutil?tab=readme-ov-file#quickstart)\n   \u003cdetails\u003e\u003csummary\u003eClick to expand AzureApp2 kfutil details\u003c/summary\u003e\n\n   ##### Using online definition from GitHub:\n   This will reach out to GitHub and pull the latest store-type definition\n   ```shell\n   # Azure App Registration 2 (Application)\n   kfutil store-types create AzureApp2\n   ```\n\n   ##### Offline creation using integration-manifest file:\n   If required, it is possible to create store types from the [integration-manifest.json](./integration-manifest.json) included in this repo.\n   You would first download the [integration-manifest.json](./integration-manifest.json) and then run the following command\n   in your offline environment.\n   ```shell\n   kfutil store-types create --from-file integration-manifest.json\n   ```\n   \u003c/details\u003e\n\n\n#### Manual Creation\nBelow are instructions on how to create the AzureApp2 store type manually in\nthe Keyfactor Command Portal\n   \u003cdetails\u003e\u003csummary\u003eClick to expand manual AzureApp2 details\u003c/summary\u003e\n\n   Create a store type called `AzureApp2` with the attributes in the tables below:\n\n   ##### Basic Tab\n   | Attribute | Value | Description |\n   | --------- | ----- | ----- |\n   | Name | Azure App Registration 2 (Application) | Display name for the store type (may be customized) |\n   | Short Name | AzureApp2 | Short display name for the store type |\n   | Capability | AzureApp2 | Store type name orchestrator will register with. Check the box to allow entry of value |\n   | Supports Add | ✅ Checked | Check the box. Indicates that the Store Type supports Management Add |\n   | Supports Remove | ✅ Checked | Check the box. Indicates that the Store Type supports Management Remove |\n   | Supports Discovery | ✅ Checked | Check the box. Indicates that the Store Type supports Discovery |\n   | Supports Reenrollment | 🔲 Unchecked |  Indicates that the Store Type supports Reenrollment |\n   | Supports Create | 🔲 Unchecked |  Indicates that the Store Type supports store creation |\n   | Needs Server | ✅ Checked | Determines if a target server name is required when creating store |\n   | Blueprint Allowed | 🔲 Unchecked | Determines if store type may be included in an Orchestrator blueprint |\n   | Uses PowerShell | 🔲 Unchecked | Determines if underlying implementation is PowerShell |\n   | Requires Store Password | 🔲 Unchecked | Enables users to optionally specify a store password when defining a Certificate Store. |\n   | Supports Entry Password | 🔲 Unchecked | Determines if an individual entry within a store can have a password. |\n\n   The Basic tab should look like this:\n\n   ![AzureApp2 Basic Tab](docsource/images/AzureApp2-basic-store-type-dialog.png)\n\n   ##### Advanced Tab\n   | Attribute | Value | Description |\n   | --------- | ----- | ----- |\n   | Supports Custom Alias | Required | Determines if an individual entry within a store can have a custom Alias. |\n   | Private Key Handling | Forbidden | This determines if Keyfactor can send the private key associated with a certificate to the store. Required because IIS certificates without private keys would be invalid. |\n   | PFX Password Style | Default | 'Default' - PFX password is randomly generated, 'Custom' - PFX password may be specified when the enrollment job is created (Requires the Allow Custom Password application setting to be enabled.) |\n\n   The Advanced tab should look like this:\n\n   ![AzureApp2 Advanced Tab](docsource/images/AzureApp2-advanced-store-type-dialog.png)\n\n   \u003e For Keyfactor **Command versions 24.4 and later**, a Certificate Format dropdown is available with PFX and PEM options. Ensure that **PFX** is selected, as this determines the format of new and renewed certificates sent to the Orchestrator during a Management job. Currently, all Keyfactor-supported Orchestrator extensions support only PFX.\n\n   ##### Custom Fields Tab\n   Custom fields operate at the certificate store level and are used to control how the orchestrator connects to the remote target server containing the certificate store to be managed. The following custom fields should be added to the store type:\n\n   | Name | Display Name | Description | Type | Default Value/Options | Required |\n   | ---- | ------------ | ---- | --------------------- | -------- | ----------- |\n   | ServerUsername | Server Username | The Application ID of the Service Principal used to authenticate with Microsoft Graph for managing Application/App Registration certificates. | Secret |  | ✅ Checked |\n   | ServerPassword | Server Password | A Client Secret that the extension will use to authenticate with Microsoft Graph for managing Application/App Registration certificates. If Client Certificate Auth is used, you **must** select 'No Value'. | Secret |  | 🔲 Unchecked |\n   | ClientCertificate | Client Certificate | The client certificate used to authenticate with Microsoft Graph for managing Application/App Registrations certificates. See the [requirements](#client-certificate-or-client-secret) for more information. If Client Certificate Auth is not used, you **must** check 'No Value'. | Secret |  | 🔲 Unchecked |\n   | ClientCertificatePassword | Client Certificate Password | The (optional) password that encrypts the private key in ClientCertificate.  If Client Certificate Auth is not used, you **must** check 'No Value'. | Secret |  | 🔲 Unchecked |\n   | AzureCloud | Azure Global Cloud Authority Host | Specifies the Azure Cloud instance used by the organization. | MultipleChoice | public,china,germany,government | 🔲 Unchecked |\n\n   The Custom Fields tab should look like this:\n\n   ![AzureApp2 Custom Fields Tab](docsource/images/AzureApp2-custom-fields-store-type-dialog.png)\n\n\n   ###### Server Username\n   The Application ID of the Service Principal used to authenticate with Microsoft Graph for managing Application/App Registration certificates.\n\n\n   \u003e [!IMPORTANT]\n   \u003e This field is created by the `Needs Server` on the Basic tab, do not create this field manually.\n\n\n\n\n   ###### Server Password\n   A Client Secret that the extension will use to authenticate with Microsoft Graph for managing Application/App Registration certificates. If Client Certificate Auth is used, you **must** select 'No Value'.\n\n\n   \u003e [!IMPORTANT]\n   \u003e This field is created by the `Needs Server` on the Basic tab, do not create this field manually.\n\n\n\n\n   ###### Client Certificate\n   The client certificate used to authenticate with Microsoft Graph for managing Application/App Registrations certificates. See the [requirements](#client-certificate-or-client-secret) for more information. If Client Certificate Auth is not used, you **must** check 'No Value'.\n\n   ![AzureApp2 Custom Field - ClientCertificate](docsource/images/AzureApp2-custom-field-ClientCertificate-dialog.png)\n   ![AzureApp2 Custom Field - ClientCertificate](docsource/images/AzureApp2-custom-field-ClientCertificate-validation-options-dialog.png)\n\n\n\n   ###### Client Certificate Password\n   The (optional) password that encrypts the private key in ClientCertificate.  If Client Certificate Auth is not used, you **must** check 'No Value'.\n\n   ![AzureApp2 Custom Field - ClientCertificatePassword](docsource/images/AzureApp2-custom-field-ClientCertificatePassword-dialog.png)\n   ![AzureApp2 Custom Field - ClientCertificatePassword](docsource/images/AzureApp2-custom-field-ClientCertificatePassword-validation-options-dialog.png)\n\n\n\n   ###### Azure Global Cloud Authority Host\n   Specifies the Azure Cloud instance used by the organization.\n\n   ![AzureApp2 Custom Field - AzureCloud](docsource/images/AzureApp2-custom-field-AzureCloud-dialog.png)\n   ![AzureApp2 Custom Field - AzureCloud](docsource/images/AzureApp2-custom-field-AzureCloud-validation-options-dialog.png)\n\n\n\n\n\n   \u003c/details\u003e\n\u003c/details\u003e\n\n### AzureSP2\n\n\u003cdetails\u003e\u003csummary\u003eClick to expand details\u003c/summary\u003e\n\n\nThe Azure Enterprise Application/Service Principal certificate operations are implemented by the `AzureSP` store type,\nand supports the management of a single certificate for use in `SSO/SAML` assertion signing. The Management Add operation\nis only supported with the certificate replacement option, since adding a new certificate will replace the existing\ncertificate. The Add operation will also set newly added certificates as the active certificate for `SSO/SAML` usage. The\nManagement Remove operation removes the certificate from the Enterprise Application/Service Principal, which is the same\nas removing the `SSO/SAML` signing certificate. The Discovery operation discovers all Enterprise Applications/Service\nPrincipals in the tenant.\n\n\n\n\n#### Azure Enterprise Application 2 (Service Principal) Requirements\n\nService Principal certificates are typically used for SAML Token signing. Service Principals are created from Enterprise\nApplications and will mostly be configured with a variation of\nMicrosoft's [SAML-based single sign-on](https://learn.microsoft.com/en-us/entra/identity/enterprise-apps/add-application-portal)\ndocumentation. For more information on the mechanics of the Service Principal certificate management capabilities,\nplease see the [mechanics](#extension-mechanics) section.\n\n\n\n#### Supported Operations\n\n| Operation    | Is Supported                                                                                                           |\n|--------------|------------------------------------------------------------------------------------------------------------------------|\n| Add          | ✅ Checked        |\n| Remove       | ✅ Checked     |\n| Discovery    | ✅ Checked  |\n| Reenrollment | 🔲 Unchecked |\n| Create       | 🔲 Unchecked     |\n\n#### Store Type Creation\n\n##### Using kfutil:\n`kfutil` is a custom CLI for the Keyfactor Command API and can be used to create certificate store types.\nFor more information on [kfutil](https://github.com/Keyfactor/kfutil) check out the [docs](https://github.com/Keyfactor/kfutil?tab=readme-ov-file#quickstart)\n   \u003cdetails\u003e\u003csummary\u003eClick to expand AzureSP2 kfutil details\u003c/summary\u003e\n\n   ##### Using online definition from GitHub:\n   This will reach out to GitHub and pull the latest store-type definition\n   ```shell\n   # Azure Enterprise Application 2 (Service Principal)\n   kfutil store-types create AzureSP2\n   ```\n\n   ##### Offline creation using integration-manifest file:\n   If required, it is possible to create store types from the [integration-manifest.json](./integration-manifest.json) included in this repo.\n   You would first download the [integration-manifest.json](./integration-manifest.json) and then run the following command\n   in your offline environment.\n   ```shell\n   kfutil store-types create --from-file integration-manifest.json\n   ```\n   \u003c/details\u003e\n\n\n#### Manual Creation\nBelow are instructions on how to create the AzureSP2 store type manually in\nthe Keyfactor Command Portal\n   \u003cdetails\u003e\u003csummary\u003eClick to expand manual AzureSP2 details\u003c/summary\u003e\n\n   Create a store type called `AzureSP2` with the attributes in the tables below:\n\n   ##### Basic Tab\n   | Attribute | Value | Description |\n   | --------- | ----- | ----- |\n   | Name | Azure Enterprise Application 2 (Service Principal) | Display name for the store type (may be customized) |\n   | Short Name | AzureSP2 | Short display name for the store type |\n   | Capability | AzureSP2 | Store type name orchestrator will register with. Check the box to allow entry of value |\n   | Supports Add | ✅ Checked | Check the box. Indicates that the Store Type supports Management Add |\n   | Supports Remove | ✅ Checked | Check the box. Indicates that the Store Type supports Management Remove |\n   | Supports Discovery | ✅ Checked | Check the box. Indicates that the Store Type supports Discovery |\n   | Supports Reenrollment | 🔲 Unchecked |  Indicates that the Store Type supports Reenrollment |\n   | Supports Create | 🔲 Unchecked |  Indicates that the Store Type supports store creation |\n   | Needs Server | ✅ Checked | Determines if a target server name is required when creating store |\n   | Blueprint Allowed | 🔲 Unchecked | Determines if store type may be included in an Orchestrator blueprint |\n   | Uses PowerShell | 🔲 Unchecked | Determines if underlying implementation is PowerShell |\n   | Requires Store Password | 🔲 Unchecked | Enables users to optionally specify a store password when defining a Certificate Store. |\n   | Supports Entry Password | 🔲 Unchecked | Determines if an individual entry within a store can have a password. |\n\n   The Basic tab should look like this:\n\n   ![AzureSP2 Basic Tab](docsource/images/AzureSP2-basic-store-type-dialog.png)\n\n   ##### Advanced Tab\n   | Attribute | Value | Description |\n   | --------- | ----- | ----- |\n   | Supports Custom Alias | Required | Determines if an individual entry within a store can have a custom Alias. |\n   | Private Key Handling | Required | This determines if Keyfactor can send the private key associated with a certificate to the store. Required because IIS certificates without private keys would be invalid. |\n   | PFX Password Style | Default | 'Default' - PFX password is randomly generated, 'Custom' - PFX password may be specified when the enrollment job is created (Requires the Allow Custom Password application setting to be enabled.) |\n\n   The Advanced tab should look like this:\n\n   ![AzureSP2 Advanced Tab](docsource/images/AzureSP2-advanced-store-type-dialog.png)\n\n   \u003e For Keyfactor **Command versions 24.4 and later**, a Certificate Format dropdown is available with PFX and PEM options. Ensure that **PFX** is selected, as this determines the format of new and renewed certificates sent to the Orchestrator during a Management job. Currently, all Keyfactor-supported Orchestrator extensions support only PFX.\n\n   ##### Custom Fields Tab\n   Custom fields operate at the certificate store level and are used to control how the orchestrator connects to the remote target server containing the certificate store to be managed. The following custom fields should be added to the store type:\n\n   | Name | Display Name | Description | Type | Default Value/Options | Required |\n   | ---- | ------------ | ---- | --------------------- | -------- | ----------- |\n   | ServerUsername | Server Username | The Application ID of the Service Principal used to authenticate with Microsoft Graph for managing Service Principal/Enterprise Application certificates. | Secret |  | ✅ Checked |\n   | ServerPassword | Server Password | A Client Secret that the extension will use to authenticate with Microsoft Graph for managing Service Principal/Enterprise Application certificates. If Client Certificate Auth is used, you **must** check 'No Value'. | Secret |  | 🔲 Unchecked |\n   | ClientCertificate | Client Certificate | The client certificate used to authenticate with Microsoft Graph for managing Service Principal/Enterprise Application certificates. See the [requirements](#client-certificate-or-client-secret) for more information. If Client Certificate Auth is not used, you **must** check 'No Value'. | Secret |  | 🔲 Unchecked |\n   | ClientCertificatePassword | Client Certificate Password | The (optional) password that encrypts the private key in ClientCertificate. If Client Certificate Auth is not used or the certificate's private key is not encrypted, you **must** check 'No Value'. | Secret |  | 🔲 Unchecked |\n   | AzureCloud | Azure Global Cloud Authority Host | Specifies the Azure Cloud instance used by the organization. | MultipleChoice | public,china,germany,government | 🔲 Unchecked |\n\n   The Custom Fields tab should look like this:\n\n   ![AzureSP2 Custom Fields Tab](docsource/images/AzureSP2-custom-fields-store-type-dialog.png)\n\n\n   ###### Server Username\n   The Application ID of the Service Principal used to authenticate with Microsoft Graph for managing Service Principal/Enterprise Application certificates.\n\n\n   \u003e [!IMPORTANT]\n   \u003e This field is created by the `Needs Server` on the Basic tab, do not create this field manually.\n\n\n\n\n   ###### Server Password\n   A Client Secret that the extension will use to authenticate with Microsoft Graph for managing Service Principal/Enterprise Application certificates. If Client Certificate Auth is used, you **must** check 'No Value'.\n\n\n   \u003e [!IMPORTANT]\n   \u003e This field is created by the `Needs Server` on the Basic tab, do not create this field manually.\n\n\n\n\n   ###### Client Certificate\n   The client certificate used to authenticate with Microsoft Graph for managing Service Principal/Enterprise Application certificates. See the [requirements](#client-certificate-or-client-secret) for more information. If Client Certificate Auth is not used, you **must** check 'No Value'.\n\n   ![AzureSP2 Custom Field - ClientCertificate](docsource/images/AzureSP2-custom-field-ClientCertificate-dialog.png)\n   ![AzureSP2 Custom Field - ClientCertificate](docsource/images/AzureSP2-custom-field-ClientCertificate-validation-options-dialog.png)\n\n\n\n   ###### Client Certificate Password\n   The (optional) password that encrypts the private key in ClientCertificate. If Client Certificate Auth is not used or the certificate's private key is not encrypted, you **must** check 'No Value'.\n\n   ![AzureSP2 Custom Field - ClientCertificatePassword](docsource/images/AzureSP2-custom-field-ClientCertificatePassword-dialog.png)\n   ![AzureSP2 Custom Field - ClientCertificatePassword](docsource/images/AzureSP2-custom-field-ClientCertificatePassword-validation-options-dialog.png)\n\n\n\n   ###### Azure Global Cloud Authority Host\n   Specifies the Azure Cloud instance used by the organization.\n\n   ![AzureSP2 Custom Field - AzureCloud](docsource/images/AzureSP2-custom-field-AzureCloud-dialog.png)\n   ![AzureSP2 Custom Field - AzureCloud](docsource/images/AzureSP2-custom-field-AzureCloud-validation-options-dialog.png)\n\n\n\n\n\n   \u003c/details\u003e\n\u003c/details\u003e\n\n\n## Installation\n\n1. **Download the latest Azure App Registration and Enterprise Application Universal Orchestrator extension from GitHub.**\n\n    Navigate to the [Azure App Registration and Enterprise Application Universal Orchestrator extension GitHub version page](https://github.com/Keyfactor/azure-application-orchestrator/releases/latest). Refer to the compatibility matrix below to determine the asset should be downloaded. Then, click the corresponding asset to download the zip archive.\n\n   | Universal Orchestrator Version | Latest .NET version installed on the Universal Orchestrator server | `rollForward` condition in `Orchestrator.runtimeconfig.json` | `azure-application-orchestrator` .NET version to download |\n   | --------- | ----------- | ----------- | ----------- |\n   | Older than `11.0.0` | | | `net6.0` |\n   | Between `11.0.0` and `11.5.1` (inclusive) | `net6.0` | | `net6.0` |\n   | Between `11.0.0` and `11.5.1` (inclusive) | `net8.0` | `Disable` | `net6.0` || Between `11.0.0` and `11.5.1` (inclusive) | `net8.0` | `LatestMajor` | `net8.0` |\n   | `11.6` _and_ newer | `net8.0` | | `net8.0` | \n\n    Unzip the archive containing extension assemblies to a known location.\n\n    \u003e **Note** If you don't see an asset with a corresponding .NET version, you should always assume that it was compiled for `net6.0`.\n\n2. **Locate the Universal Orchestrator extensions directory.**\n\n    * **Default on Windows** - `C:\\Program Files\\Keyfactor\\Keyfactor Orchestrator\\extensions`\n    * **Default on Linux** - `/opt/keyfactor/orchestrator/extensions`\n\n3. **Create a new directory for the Azure App Registration and Enterprise Application Universal Orchestrator extension inside the extensions directory.**\n\n    Create a new directory called `azure-application-orchestrator`.\n    \u003e The directory name does not need to match any names used elsewhere; it just has to be unique within the extensions directory.\n\n4. **Copy the contents of the downloaded and unzipped assemblies from __step 2__ to the `azure-application-orchestrator` directory.**\n\n5. **Restart the Universal Orchestrator service.**\n\n    Refer to [Starting/Restarting the Universal Orchestrator service](https://software.keyfactor.com/Core-OnPrem/Current/Content/InstallingAgents/NetCoreOrchestrator/StarttheService.htm).\n\n\n6. **(optional) PAM Integration**\n\n    The Azure App Registration and Enterprise Application Universal Orchestrator extension is compatible with all supported Keyfactor PAM extensions to resolve PAM-eligible secrets. PAM extensions running on Universal Orchestrators enable secure retrieval of secrets from a connected PAM provider.\n\n    To configure a PAM provider, [reference the Keyfactor Integration Catalog](https://keyfactor.github.io/integrations-catalog/content/pam) to select an extension and follow the associated instructions to install it on the Universal Orchestrator (remote).\n\n\n\u003e The above installation steps can be supplemented by the [official Command documentation](https://software.keyfactor.com/Core-OnPrem/Current/Content/InstallingAgents/NetCoreOrchestrator/CustomExtensions.htm?Highlight=extensions).\n\n\n\n## Defining Certificate Stores\n\nThe Azure App Registration and Enterprise Application Universal Orchestrator extension implements 4 Certificate Store Types, each of which implements different functionality. Refer to the individual instructions below for each Certificate Store Type that you deemed necessary for your use case from the installation section.\n\n\u003cdetails\u003e\u003csummary\u003eAzure App Registration (Application) (AzureApp)\u003c/summary\u003e\n\n\n### Store Creation\n\n#### Manually with the Command UI\n\n\u003cdetails\u003e\u003csummary\u003eClick to expand details\u003c/summary\u003e\n\n1. **Navigate to the _Certificate Stores_ page in Keyfactor Command.**\n\n    Log into Keyfactor Command, toggle the _Locations_ dropdown, and click _Certificate Stores_.\n\n2. **Add a Certificate Store.**\n\n    Click the Add button to add a new Certificate Store. Use the table below to populate the **Attributes** in the **Add** form.\n\n   | Attribute | Description                                             |\n   | --------- |---------------------------------------------------------|\n   | Category | Select \"Azure App Registration (Application)\" or the customized certificate store name from the previous step. |\n   | Container | Optional container to associate certificate store with. |\n   | Client Machine | The Azure Tenant (directory) ID that owns the Service Principal. |\n   | Store Path | The Application ID of the target Application/Service Principal that will be managed by the Azure App Registration and Enterprise Application Orchestrator extension. |\n   | Orchestrator | Select an approved orchestrator capable of managing `AzureApp` certificates. Specifically, one with the `AzureApp` capability. |\n   | ServerUsername | The Application ID of the Service Principal used to authenticate with Microsoft Graph for managing Application/Service Principal certificates. |\n   | ServerPassword | A Client Secret that the extension will use to authenticate with Microsoft Graph for managing Application/Service Principal certificates, OR the password that encrypts the private key in ClientCertificate. If Client Cert Auth is used _and_ the Client Certificate's private key is not encrypted, you **must** select 'No Value' for this field. |\n   | ClientCertificate | The client certificate used to authenticate with Microsoft Graph for managing Application/Service Principal certificates. See the [requirements](#client-certificate-or-client-secret) for more information. If Client Certificate Auth is not used, you **must** select 'No Value' for this field. |\n   | AzureCloud | Specifies the Azure Cloud instance used by the organization. |\n   | ServerUseSsl | Specifies whether SSL should be used for communication with the server. Set to 'true' to enable SSL, and 'false' to disable it. |\n\n\u003c/details\u003e\n\n\n\n#### Using kfutil CLI\n\n\u003cdetails\u003e\u003csummary\u003eClick to expand details\u003c/summary\u003e\n\n1. **Generate a CSV template for the AzureApp certificate store**\n\n    ```shell\n    kfutil stores import generate-template --store-type-name AzureApp --outpath AzureApp.csv\n    ```\n2. **Populate the generated CSV file**\n\n    Open the CSV file, and reference the table below to populate parameters for each **Attribute**.\n\n   | Attribute | Description |\n   | --------- | ----------- |\n   | Category | Select \"Azure App Registration (Application)\" or the customized certificate store name from the previous step. |\n   | Container | Optional container to associate certificate store with. |\n   | Client Machine | The Azure Tenant (directory) ID that owns the Service Principal. |\n   | Store Path | The Application ID of the target Application/Service Principal that will be managed by the Azure App Registration and Enterprise Application Orchestrator extension. |\n   | Orchestrator | Select an approved orchestrator capable of managing `AzureApp` certificates. Specifically, one with the `AzureApp` capability. |\n   | Properties.ServerUsername | The Application ID of the Service Principal used to authenticate with Microsoft Graph for managing Application/Service Principal certificates. |\n   | Properties.ServerPassword | A Client Secret that the extension will use to authenticate with Microsoft Graph for managing Application/Service Principal certificates, OR the password that encrypts the private key in ClientCertificate. If Client Cert Auth is used _and_ the Client Certificate's private key is not encrypted, you **must** select 'No Value' for this field. |\n   | Properties.ClientCertificate | The client certificate used to authenticate with Microsoft Graph for managing Application/Service Principal certificates. See the [requirements](#client-certificate-or-client-secret) for more information. If Client Certificate Auth is not used, you **must** select 'No Value' for this field. |\n   | Properties.AzureCloud | Specifies the Azure Cloud instance used by the organization. |\n   | Properties.ServerUseSsl | Specifies whether SSL should be used for communication with the server. Set to 'true' to enable SSL, and 'false' to disable it. |\n\n3. **Import the CSV file to create the certificate stores**\n\n    ```shell\n    kfutil stores import csv --store-type-name AzureApp --file AzureApp.csv\n    ```\n\n\u003c/details\u003e\n\n\n#### PAM Provider Eligible Fields\n\u003cdetails\u003e\u003csummary\u003eAttributes eligible for retrieval by a PAM Provider on the Universal Orchestrator\u003c/summary\u003e\n\nIf a PAM provider was installed _on the Universal Orchestrator_ in the [Installation](#Installation) section, the following parameters can be configured for retrieval _on the Universal Orchestrator_.\n\n   | Attribute | Description |\n   | --------- | ----------- |\n   | ServerUsername | The Application ID of the Service Principal used to authenticate with Microsoft Graph for managing Application/Service Principal certificates. |\n   | ServerPassword | A Client Secret that the extension will use to authenticate with Microsoft Graph for managing Application/Service Principal certificates, OR the password that encrypts the private key in ClientCertificate. If Client Cert Auth is used _and_ the Client Certificate's private key is not encrypted, you **must** select 'No Value' for this field. |\n   | ClientCertificate | The client certificate used to authenticate with Microsoft Graph for managing Application/Service Principal certificates. See the [requirements](#client-certificate-or-client-secret) for more information. If Client Certificate Auth is not used, you **must** select 'No Value' for this field. |\n\nPlease refer to the **Universal Orchestrator (remote)** usage section ([PAM providers on the Keyfactor Integration Catalog](https://keyfactor.github.io/integrations-catalog/content/pam)) for your selected PAM provider for instructions on how to load attributes orchestrator-side.\n\u003e Any secret can be rendered by a PAM provider _installed on the Keyfactor Command server_. The above parameters are specific to attributes that can be fetched by an installed PAM provider running on the Universal Orchestrator server itself.\n\n\u003c/details\u003e\n\n\n\u003e The content in this section can be supplemented by the [official Command documentation](https://software.keyfactor.com/Core-OnPrem/Current/Content/ReferenceGuide/Certificate%20Stores.htm?Highlight=certificate%20store).\n\n\n\u003c/details\u003e\n\n\u003cdetails\u003e\u003csummary\u003eAzure Enterprise Application (Service Principal) (AzureSP)\u003c/summary\u003e\n\n\n### Store Creation\n\n#### Manually with the Command UI\n\n\u003cdetails\u003e\u003csummary\u003eClick to expand details\u003c/summary\u003e\n\n1. **Navigate to the _Certificate Stores_ page in Keyfactor Command.**\n\n    Log into Keyfactor Command, toggle the _Locations_ dropdown, and click _Certificate Stores_.\n\n2. **Add a Certificate Store.**\n\n    Click the Add button to add a new Certificate Store. Use the table below to populate the **Attributes** in the **Add** form.\n\n   | Attribute | Description                                             |\n   | --------- |---------------------------------------------------------|\n   | Category | Select \"Azure Enterprise Application (Service Principal)\" or the customized certificate store name from the previous step. |\n   | Container | Optional container to associate certificate store with. |\n   | Client Machine | The Azure Tenant (directory) ID that owns the Service Principal. |\n   | Store Path | The Application ID of the target Application/Service Principal that will be managed by the Azure App Registration and Enterprise Application Orchestrator extension. |\n   | Orchestrator | Select an approved orchestrator capable of managing `AzureSP` certificates. Specifically, one with the `AzureSP` capability. |\n   | ServerUsername | The Application ID of the Service Principal used to authenticate with Microsoft Graph for managing Application/Service Principal certificates. |\n   | ServerPassword | A Client Secret that the extension will use to authenticate with Microsoft Graph for managing Application/Service Principal certificates, OR the password that encrypts the private key in ClientCertificate. If Client Cert Auth is used _and_ the Client Certificate's private key is not encrypted, you **must** select 'No Value' for this field. |\n   | ClientCertificate | The client certificate used to authenticate with Microsoft Graph for managing Application/Service Principal certificates. See the [requirements](#client-certificate-or-client-secret) for more information. If Client Certificate Auth is not used, you **must** select 'No Value' for this field. |\n   | AzureCloud | Specifies the Azure Cloud instance used by the organization. |\n   | ServerUseSsl | Specifies whether SSL should be used for communication with the server. Set to 'true' to enable SSL, and 'false' to disable it. |\n\n\u003c/details\u003e\n\n\n\n#### Using kfutil CLI\n\n\u003cdetails\u003e\u003csummary\u003eClick to expand details\u003c/summary\u003e\n\n1. **Generate a CSV template for the AzureSP certificate store**\n\n    ```shell\n    kfutil stores import generate-template --store-type-name AzureSP --outpath AzureSP.csv\n    ```\n2. **Populate the generated CSV file**\n\n    Open the CSV file, and reference the table below to populate parameters for each **Attribute**.\n\n   | Attribute | Description |\n   | --------- | ----------- |\n   | Category | Select \"Azure Enterprise Application (Service Principal)\" or the customized certificate store name from the previous step. |\n   | Container | Optional container to associate certificate store with. |\n   | Client Machine | The Azure Tenant (directory) ID that owns the Service Principal. |\n   | Store Path | The Application ID of the target Application/Service Principal that will be managed by the Azure App Registration and Enterprise Application Orchestrator extension. |\n   | Orchestrator | Select an approved orchestrator capable of managing `AzureSP` certificates. Specifically, one with the `AzureSP` capability. |\n   | Properties.ServerUsername | The Application ID of the Service Principal used to authenticate with Microsoft Graph for managing Application/Service Principal certificates. |\n   | Properties.ServerPassword | A Client Secret that the extension will use to authenticate with Microsoft Graph for managing Application/Service Principal certificates, OR the password that encrypts the private key in ClientCertificate. If Client Cert Auth is used _and_ the Client Certificate's private key is not encrypted, you **must** select 'No Value' for this field. |\n   | Properties.ClientCertificate | The client certificate used to authenticate with Microsoft Graph for managing Application/Service Principal certificates. See the [requirements](#client-certificate-or-client-secret) for more information. If Client Certificate Auth is not used, you **must** select 'No Value' for this field. |\n   | Properties.AzureCloud | Specifies the Azure Cloud instance used by the organization. |\n   | Properties.ServerUseSsl | Specifies whether SSL should be used for communication with the server. Set to 'true' to enable SSL, and 'false' to disable it. |\n\n3. **Import the CSV file to create the certificate stores**\n\n    ```shell\n    kfutil stores import csv --store-type-name AzureSP --file AzureSP.csv\n    ```\n\n\u003c/details\u003e\n\n\n#### PAM Provider Eligible Fields\n\u003cdetails\u003e\u003csummary\u003eAttributes eligible for retrieval by a PAM Provider on the Universal Orchestrator\u003c/summary\u003e\n\nIf a PAM provider was installed _on the Universal Orchestrator_ in the [Installation](#Installation) section, the following parameters can be configured for retrieval _on the Universal Orchestrator_.\n\n   | Attribute | Description |\n   | --------- | ----------- |\n   | ServerUsername | The Application ID of the Service Principal used to authenticate with Microsoft Graph for managing Application/Service Principal certificates. |\n   | ServerPassword | A Client Secret that the extension will use to authenticate with Microsoft Graph for managing Application/Service Principal certificates, OR the password that encrypts the private key in ClientCertificate. If Client Cert Auth is used _and_ the Client Certificate's private key is not encrypted, you **must** select 'No Value' for this field. |\n   | ClientCertificate | The client certificate used to authenticate with Microsoft Graph for managing Application/Service Principal certificates. See the [requirements](#client-certificate-or-client-secret) for more information. If Client Certificate Auth is not used, you **must** select 'No Value' for this field. |\n\nPlease refer to the **Universal Orchestrator (remote)** usage section ([PAM providers on the Keyfactor Integration Catalog](https://keyfactor.github.io/integrations-catalog/content/pam)) for your selected PAM provider for instructions on how to load attributes orchestrator-side.\n\u003e Any secret can be rendered by a PAM provider _installed on the Keyfactor Command server_. The above parameters are specific to attributes that can be fetched by an installed PAM provider running on the Universal Orchestrator server itself.\n\n\u003c/details\u003e\n\n\n\u003e The content in this section can be supplemented by the [official Command documentation](https://software.keyfactor.com/Core-OnPrem/Current/Content/ReferenceGuide/Certificate%20Stores.htm?Highlight=certificate%20store).\n\n\n\u003c/details\u003e\n\n\u003cdetails\u003e\u003csummary\u003eAzure App Registration 2 (Application) (AzureApp2)\u003c/summary\u003e\n\n\n### Store Creation\n\n#### Manually with the Command UI\n\n\u003cdetails\u003e\u003csummary\u003eClick to expand details\u003c/summary\u003e\n\n1. **Navigate to the _Certificate Stores_ page in Keyfactor Command.**\n\n    Log into Keyfactor Command, toggle the _Locations_ dropdown, and click _Certificate Stores_.\n\n2. **Add a Certificate Store.**\n\n    Click the Add button to add a new Certificate Store. Use the table below to populate the **Attributes** in the **Add** form.\n\n   | Attribute | Description                                             |\n   | --------- |---------------------------------------------------------|\n   | Category | Select \"Azure App Registration 2 (Application)\" or the customized certificate store name from the previous step. |\n   | Container | Optional container to associate certificate store with. |\n   | Client Machine | The Azure Tenant (directory) ID where the Application is instantiated |\n   | Store Path | The Object ID of the target Application/App Registration that will be managed by the Azure App Registration and Enterprise Application Orchestrator extension. |\n   | Orchestrator | Select an approved orchestrator capable of managing `AzureApp2` certificates. Specifically, one with the `AzureApp2` capability. |\n   | ServerUsername | The Application ID of the Service Principal used to authenticate with Microsoft Graph for managing Application/App Registration certificates. |\n   | ServerPassword | A Client Secret that the extension will use to authenticate with Microsoft Graph for managing Application/App Registration certificates. If Client Certificate Auth is used, you **must** select 'No Value'. |\n   | ClientCertificate | The client certificate used to authenticate with Microsoft Graph for managing Application/App Registrations certificates. See the [requirements](#client-certificate-or-client-secret) for more information. If Client Certificate Auth is not used, you **must** check 'No Value'. |\n   | ClientCertificatePassword | The (optional) password that encrypts the private key in ClientCertificate.  If Client Certificate Auth is not used, you **must** check 'No Value'. |\n   | AzureCloud | Specifies the Azure Cloud instance used by the organization. |\n\n\u003c/details\u003e\n\n\n\n#### Using kfutil CLI\n\n\u003cdetails\u003e\u003csummary\u003eClick to expand details\u003c/summary\u003e\n\n1. **Generate a CSV template for the AzureApp2 certificate store**\n\n    ```shell\n    kfutil stores import generate-template --store-type-name AzureApp2 --outpath AzureApp2.csv\n    ```\n2. **Populate the generated CSV file**\n\n    Open the CSV file, and reference the table below to populate parameters for each **Attribute**.\n\n   | Attribute | Description |\n   | --------- | ----------- |\n   | Category | Select \"Azure App Registration 2 (Application)\" or the customized certificate store name from the previous step. |\n   | Container | Optional container to associate certificate store with. |\n   | Client Machine | The Azure Tenant (directory) ID where the Application is instantiated |\n   | Store Path | The Object ID of the target Application/App Registration that will be managed by the Azure App Registration and Enterprise Application Orchestrator extension. |\n   | Orchestrator | Select an approved orchestrator capable of managing `AzureApp2` certificates. Specifically, one with the `AzureApp2` capability. |\n   | Properties.ServerUsername | The Application ID of the Service Principal used to authenticate with Microsoft Graph for managing Application/App Registration certificates. |\n   | Properties.ServerPassword | A Client Secret that the extension will use to authenticate with Microsoft Graph for managing Application/App Registration certificates. If Client Certificate Auth is used, you **must** select 'No Value'. |\n   | Properties.ClientCertificate | The client certificate used to authenticate with Microsoft Graph for managing Application/App Registrations certificates. See the [requirements](#client-certificate-or-client-secret) for more information. If Client Certificate Auth is not used, you **must** check 'No Value'. |\n   | Properties.ClientCertificatePassword | The (optional) password that encrypts the private key in ClientCertificate.  If Client Certificate Auth is not used, you **must** check 'No Value'. |\n   | Properties.AzureCloud | Specifies the Azure Cloud instance used by the organization. |\n\n3. **Import the CSV file to create the certificate stores**\n\n    ```shell\n    kfutil stores import csv --store-type-name AzureApp2 --file AzureApp2.csv\n    ```\n\n\u003c/details\u003e\n\n\n#### PAM Provider Eligible Fields\n\u003cdetails\u003e\u003csummary\u003eAttributes eligible for retrieval by a PAM Provider on the Universal Orchestrator\u003c/summary\u003e\n\nIf a PAM provider was installed _on the Universal Orchestrator_ in the [Installation](#Installation) section, the following parameters can be configured for retrieval _on the Universal Orchestrator_.\n\n   | Attribute | Description |\n   | --------- | ----------- |\n   | ServerUsername | The Application ID of the Service Principal used to authenticate with Microsoft Graph for managing Application/App Registration certificates. |\n   | ServerPassword | A Client Secret that the extension will use to authenticate with Microsoft Graph for managing Application/App Registration certificates. If Client Certificate Auth is used, you **must** select 'No Value'. |\n   | ClientCertificate | The client certificate used to authenticate with Microsoft Graph for managing Application/App Registrations certificates. See the [requirements](#client-certificate-or-client-secret) for more information. If Client Certificate Auth is not used, you **must** check 'No Value'. |\n   | ClientCertificatePassword | The (optional) password that encrypts the private key in ClientCertificate.  If Client Certificate Auth is not used, you **must** check 'No Value'. |\n\nPlease refer to the **Universal Orchestrator (remote)** usage section ([PAM providers on the Keyfactor Integration Catalog](https://keyfactor.github.io/integrations-catalog/content/pam)) for your selected PAM provider for instructions on how to load attributes orchestrator-side.\n\u003e Any secret can be rendered by a PAM provider _installed on the Keyfactor Command server_. The above parameters are specific to attributes that can be fetched by an installed PAM provider running on the Universal Orchestrator server itself.\n\n\u003c/details\u003e\n\n\n\u003e The content in this section can be supplemented by the [official Command documentation](https://software.keyfactor.com/Core-OnPrem/Current/Content/ReferenceGuide/Certificate%20Stores.htm?Highlight=certificate%20store).\n\n\n\u003c/details\u003e\n\n\u003cdetails\u003e\u003csummary\u003eAzure Enterprise Application 2 (Service Principal) (AzureSP2)\u003c/summary\u003e\n\n\n### Store Creation\n\n#### Manually with the Command UI\n\n\u003cdetails\u003e\u003csummary\u003eClick to expand details\u003c/summary\u003e\n\n1. **Navigate to the _Certificate Stores_ page in Keyfactor Command.**\n\n    Log into Keyfactor Command, toggle the _Locations_ dropdown, and click _Certificate Stores_.\n\n2. **Add a Certificate Store.**\n\n    Click the Add button to add a new Certificate Store. Use the table below to populate the **Attributes** in the **Add** form.\n\n   | Attribute | Description                                             |\n   | --------- |---------------------------------------------------------|\n   | Category | Select \"Azure Enterprise Application 2 (Service Principal)\" or the customized certificate store name from the previous step. |\n   | Container | Optional container to associate certificate store with. |\n   | Client Machine | The Azure Tenant (directory) ID where the Service Principal is instantiated |\n   | Store Path | The Object ID of the target Service Principal/Enterprise Application that will be managed by the Azure App Registration and Enterprise Application Orchestrator extension. |\n   | Orchestrator | Select an approved orchestrator capable of managing `AzureSP2` certificates. Specifically, one with the `AzureSP2` capability. |\n   | ServerUsername | The Application ID of the Service Principal used to authenticate with Microsoft Graph for managing Service Principal/Enterprise Application certificates. |\n   | ServerPassword | A Client Secret that the extension will use to authenticate with Microsoft Graph for managing Service Principal/Enterprise Application certificates. If Client Certificate Auth is used, you **must** check 'No Value'. |\n   | ClientCertificate | The client certificate used to authenticate with Microsoft Graph for managing Service Principal/Enterprise Application certificates. See the [requirements](#client-certificate-or-client-secret) for more information. If Client Certificate Auth is not used, you **must** check 'No Value'. |\n   | ClientCertificatePassword | The (optional) password that encrypts the private key in ClientCertificate. If Client Certificate Auth is not used or the certificate's private key is not encrypted, you **must** check 'No Value'. |\n   | AzureCloud | Specifies the Azure Cloud instance used by the organization. |\n\n\u003c/details\u003e\n\n\n\n#### Using kfutil CLI\n\n\u003cdetails\u003e\u003csummary\u003eClick to expand details\u003c/summary\u003e\n\n1. **Generate a CSV template for the AzureSP2 certificate store**\n\n    ```shell\n    kfutil stores import generate-template --store-type-name AzureSP2 --outpath AzureSP2.csv\n    ```\n2. **Populate the generated CSV file**\n\n    Open the CSV file, and reference the table below to populate parameters for each **Attribute**.\n\n   | Attribute | Description |\n   | --------- | ----------- |\n   | Category | Select \"Azure Enterprise Application 2 (Service Principal)\" or the customized certificate store name from the previous step. |\n   | Container | Optional container to associate certificate store with. |\n   | Client Machine | The Azure Tenant (directory) ID where the Service Principal is instantiated |\n   | Store Path | The Object ID of the target Service Principal/Enterprise Application that will be managed by the Azure App Registration and Enterprise Application Orchestrator extension. |\n   | Orchestrator | Select an approved orchestrator capable of managing `AzureSP2` certificates. Specifically, one with the `AzureSP2` capability. |\n   | Properties.ServerUsername | The Application ID of the Service Principal used to authenticate with Microsoft Graph for managing Service Principal/Enterprise Application certificates. |\n   | Properties.ServerPassword | A Client Secret that the extension will use to authenticate with Microsoft Graph for managing Service Principal/Enterprise Application certificates. If Client Certificate Auth is used, you **must** check 'No Value'. |\n   | Properties.ClientCertificate | The client certificate used to authenticate with Microsoft Graph for managing Service Principal/Enterprise Application certificates. See the [requirements](#client-certificate-or-client-secret) for more information. If Client Certificate Auth is not used, you **must** check 'No Value'. |\n   | Properties.ClientCertificatePassword | The (optional) password that encrypts the private key in ClientCertificate. If Client Certificate Auth is not used or the certificate's private key is not encrypted, you **must** check 'No Value'. |\n   | Properties.AzureCloud | Specifies the Azure Cloud instance used by the organization. |\n\n3. **Import the CSV file to create the certificate stores**\n\n    ```shell\n    kfutil stores import csv --store-type-name AzureSP2 --file AzureSP2.csv\n    ```\n\n\u003c/details\u003e\n\n\n#### PAM Provider Eligible Fields\n\u003cdetails\u003e\u003csummary\u003eAttributes eligible for retrieval by a PAM Provider on the Universal Orchestrator\u003c/summary\u003e\n\nIf a PAM provider was installed _on the Universal Orchestrator_ in the [Installation](#Installation) section, the following parameters can be configured for retrieval _on the Universal Orchestrator_.\n\n   | Attribute | Description |\n   | --------- | ----------- |\n   | ServerUsername | The Application ID of the Service Principal used to authenticate with Microsoft Graph for managing Service Principal/Enterprise Application certificates. |\n   | ServerPassword | A Client Secret that the extension will use to authenticate with Microsoft Graph for managing Service Principal/Enterprise Application certificates. If Client Certificate Auth is used, you **must** check 'No Value'. |\n   | ClientCertificate | The client certificate used to authenticate with Microsoft Graph for managing Service Principal/Enterprise Application certificates. See the [requirements](#client-certificate-or-client-secret) for more information. If Client Certificate Auth is not used, you **must** check 'No Value'. |\n   | ClientCertificatePassword | The (optional) password that encrypts the private key in ClientCertificate. If Client Certificate Auth is not used or the certificate's private key is not encrypted, you **must** check 'No Value'. |\n\nPlease refer to the **Universal Orchestrator (remote)** usage section ([PAM providers on the Keyfactor Integration Catalog](https://keyfactor.github.io/integrations-catalog/content/pam)) for your selected PAM provider for instructions on how to load attributes orchestrator-side.\n\u003e Any secret can be rendered by a PAM provider _installed on the Keyfactor Command server_. The above parameters are specific to attributes that can be fetched by an installed PAM provider running on the Universal Orchestrator server itself.\n\n\u003c/details\u003e\n\n\n\u003e The content in this section can be supplemented by the [official Command documentation](https://software.keyfactor.com/Core-OnPrem/Current/Content/ReferenceGuide/Certificate%20Stores.htm?Highlight=certificate%20store).\n\n\n\u003c/details\u003e\n\n## Discovering Certificate Stores with the Discovery Job\nDiscovery for all four Certificate Store Types implemented by the Azure App Registration and Enterprise\nApplication Orchestrator extension returns Store Paths in the format `\u003cguid\u003e (\u003cfriendly name\u003e)`. When defining\nCertificate Stores manually, you may elect to follow this format, or use the standard `\u003cguid\u003e` for the Store Path.\n\nThe Discovery operation discovers all Azure App Registrations that the Service Principal has access to. The discovered\nApp Registrations (specifically, their Application IDs) are reported back to Command and can be easily added as\ncertificate stores from the Locations tab.\n\nThe Discovery operation uses the \"Directories to search\" field and accepts input in one of the following formats:\n\n- `*` - If the asterisk symbol `*` is used, the extension will search for all Azure App Registrations that the Service\n  Principal has access to, but only in the tenant that the discovery job was configured for as specified by the \"Client\n  Machine\" field in the certificate store configuration.\n- `\u003ctenant-id\u003e,\u003ctenant-id\u003e,...` - If a comma-separated list of tenant IDs is used, the extension will search for all\n  Azure App Registrations available in each tenant specified in the list. The tenant IDs should be the GUIDs associated\n  with each tenant, and it's the user's responsibility to ensure that the service principal has access to the specified\n  tenants.\n\n\n\n\n\n\n\n\n## License\n\nApache License 2.0, see [LICENSE](LICENSE).\n\n## Related Integrations\n\nSee all [Keyfactor Universal Orchestrator extensions](https://github.com/orgs/Keyfactor/repositories?q=orchestrator).","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fkeyfactor%2Fazure-application-orchestrator","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fkeyfactor%2Fazure-application-orchestrator","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fkeyfactor%2Fazure-application-orchestrator/lists"}