Which two actions should you perform?

You have an Azure Stack Hub integrated system that is disconnected from the internet.

The integrated system has an Azure App Service resource provider.

You generate a new certificate.

You need to rotate the certificate of the App Service identity application to use the new certificate.

Which two actions should you perform? Each correct answer presents part of the solution. NOTE: Each correct selection is worth one point.
A. From the administrator portal, get the value of the default provider subscription object ID.
B. From a privileged endpoint (PEP) session, run the Export-Certificate cmdlet, and then run the Import-Certificate cmdlet.
C. From a privileged endpoint (PEP) session, run the New-Object cmdlet, and then run the Import-PfxCertificate cmdlet.
D. From a privileged endpoint (PEP) session, run the New-Object cmdlet, and then run the Set-GraphApplication cmdlet.
E. From the administrator portal, get the value of the AzureStack-AppService object ID.

Answer: D,E

Explanation:

Your choice of either Azure AD or AD FS is determined by the mode in which you deploy Azure Stack Hub:

When you deploy it in a connected mode, you can use either Azure AD or AD FS.

When you deploy it in a disconnected mode, without a connection to the internet, only AD FS is supported.

E:

Rotate certificate for AD FS identity application

The identity application is created by the operator before deployment of Azure App Service on Azure Stack Hub. If the application’s object ID is unknown, follow these steps to discover it:

✑ Go to the Azure Stack Hub administrator portal.

✑ Go to Subscriptions and select Default Provider Subscription.

✑ Select Access Control (IAM) and select the AzureStack-AppService-<guid> application.

✑ Take a note of the Object ID. This value is the ID of the service principal that must be updated in AD FS (it is the object ID, not the application/client ID, and not the subscription ID, which is why option A is not part of the solution).

D: To rotate the certificate for the application in AD FS, you need access to the privileged endpoint (PEP). You load the new certificate into an X509Certificate2 object with New-Object, open a PSSession to the PEP, and update the certificate credential of the service principal with Set-GraphApplication. Only the public certificate (.cer export) is needed; the private key never leaves the machine that holds it.

# Sign in to PowerShell interactively, using credentials that have access to the VM running the Privileged Endpoint
$Creds = Get-Credential

# Create a new Certificate object from the identity application certificate exported as a .cer file
$Cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2("<CertificateFileLocation>")

# Create a new PSSession to the PrivilegedEndpoint VM
$Session = New-PSSession -ComputerName "<PepVm>" -ConfigurationName PrivilegedEndpoint -Credential $Creds -SessionOption (New-PSSessionOption -Culture en-US -UICulture en-US)

# Use the privileged endpoint to update the certificate thumbprint used by the service principal associated with the App Service identity application
$SpObject = Invoke-Command -Session $Session -ScriptBlock {Set-GraphApplication -ApplicationIdentifier "<ApplicationObjectId>" -ClientCertificates $using:Cert}

# Close the privileged session as soon as the update is done
$Session | Remove-PSSession

# Output the updated service principal details
$SpObject
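The snippet above does the job but leaves the privileged session open if Set-GraphApplication throws, and it will happily push an expired certificate or a .pfx that still carries the private key. The function below is an added example, not code from the original page or from Microsoft's documentation; the function name, parameter names and the returned object shape are assumptions, while the New-PSSession and Set-GraphApplication calls are the same ones the page uses. It validates the certificate before touching AD FS, guarantees the PEP session is torn down, and returns the expected thumbprint next to whatever the PEP reports so the operator can confirm the rotation.

```powershell
# Added example (not from the original page): pre-flight checks plus guaranteed PEP session cleanup
# around the same Set-GraphApplication call. Function and parameter names are assumptions.
function Update-AppServiceIdentityCertificate {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)] [string] $PepVm,                # name or IP of the privileged endpoint VM
        [Parameter(Mandatory)] [string] $ApplicationObjectId,  # Object ID of AzureStack-AppService-<guid> from the admin portal
        [Parameter(Mandatory)] [string] $CertificatePath,      # public certificate exported as .cer (no private key)
        [Parameter(Mandatory)] [pscredential] $Credential      # credential permitted to open a PEP session
    )

    if (-not (Test-Path -LiteralPath $CertificatePath)) {
        throw "Certificate file not found: $CertificatePath"
    }

    # Load the certificate and refuse anything unsuitable as a credential for the identity application.
    $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($CertificatePath)
    if ($cert.HasPrivateKey) {
        # AD FS only needs the public key; a private key here means it left the host it belongs on.
        throw "Expected a public-only .cer export, but the file carries a private key."
    }
    $now = Get-Date
    if ($cert.NotBefore -gt $now -or $cert.NotAfter -le $now) {
        throw ("Certificate is outside its validity window (NotBefore={0}, NotAfter={1})." -f $cert.NotBefore, $cert.NotAfter)
    }
    if ($cert.NotAfter -lt $now.AddDays(30)) {
        Write-Warning "Certificate expires within 30 days ($($cert.NotAfter)); plan the next rotation now."
    }
    Write-Verbose "Rotating to thumbprint $($cert.Thumbprint) (subject $($cert.Subject))"

    if (-not $PSCmdlet.ShouldProcess($ApplicationObjectId, "Set-GraphApplication -ClientCertificates $($cert.Thumbprint)")) {
        return
    }

    $session = $null
    try {
        $session = New-PSSession -ComputerName $PepVm -ConfigurationName PrivilegedEndpoint `
            -Credential $Credential -SessionOption (New-PSSessionOption -Culture en-US -UICulture en-US)

        # Same call as on the page; $using: ships the local certificate object into the PEP runspace.
        $spObject = Invoke-Command -Session $session -ScriptBlock {
            Set-GraphApplication -ApplicationIdentifier $using:ApplicationObjectId -ClientCertificates $using:cert
        }
    }
    finally {
        # Always close the privileged session, even when Set-GraphApplication throws.
        if ($session) { $session | Remove-PSSession }
    }

    # Return both values so the caller can compare the expected thumbprint with what the PEP reports.
    [pscustomobject]@{
        ExpectedThumbprint = $cert.Thumbprint
        ServicePrincipal   = $spObject
    }
}

# Usage (placeholder values; run with -WhatIf first to confirm the target object ID):
# $creds = Get-Credential
# Update-AppServiceIdentityCertificate -PepVm "<PepVm>" -ApplicationObjectId "<ApplicationObjectId>" `
#     -CertificatePath "C:\certs\appservice-identity.cer" -Credential $creds -Verbose
```

Run it once with -WhatIf to see exactly which object ID and thumbprint would be sent to the PEP before committing; with -Verbose the subject and thumbprint are logged so the change can be reconciled against the certificate you generated.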

Reference:

https://learn.microsoft.com/en-us/azure-stack/operator/azure-stack-identity-overview

https://learn.microsoft.com/en-us/azure-stack/operator/app-service-rotate-certificates
