Generating Certificates And Configuring Azure AD Manifests To Authenticate Postman

Generating Certificates to Authenticate with Azure AD

To enable certificate-based authentication with Azure Active Directory (AD), a self-signed X.509 v3 certificate needs to be created. The certificate itself carries only the public key; the matching private key stays in the local certificate store and is what proves the client's identity when Postman (or any other client) asks Azure AD for an access token to call the SharePoint REST API. Only the public half is ever uploaded to Azure AD.

Creating a Self-Signed Certificate

A self-signed certificate can be generated using the New-SelfSignedCertificate PowerShell cmdlet. It creates an RSA key pair in the chosen store and wraps the public key in a certificate signed with the new private key. The following command creates the certificate and stores the resulting object in the $cert variable:

# EKU 1.3.6.1.5.5.7.3.2 is Client Authentication (1.3.6.1.5.5.7.3.3 would be Code Signing).
# The Enhanced RSA and AES provider supports SHA-256 signatures; the older
# "Microsoft Strong Cryptographic Provider" fails with "Invalid algorithm specified".
$cert = New-SelfSignedCertificate `
  -Subject "CN=PostmanClient" `
  -CertStoreLocation "Cert:\CurrentUser\My" `
  -KeyExportPolicy Exportable `
  -KeySpec Signature `
  -KeyLength 2048 `
  -KeyAlgorithm RSA `
  -HashAlgorithm SHA256 `
  -Provider "Microsoft Enhanced RSA and AES Cryptographic Provider" `
  -NotAfter (Get-Date).AddYears(2) `
  -TextExtension @("2.5.29.37={text}1.3.6.1.5.5.7.3.2")

This generates a certificate whose private key is marked exportable, valid for 2 years, with a Client Authentication extended key usage. Exportable is only needed if the private key has to be moved to another machine as a password-protected PFX; if the key will be used only where it was created, Non-Exportable is the safer choice because the key can then never be copied out of the store.

Converting the Certificate to Base64 String

To upload the public key to Azure AD, the DER-encoded certificate (the .CER file) must be base64-encoded. Note that Get-Content reads a file as lines of text, so passing its output to ToBase64String produces garbage; read the raw bytes instead, or encode the certificate's RawData property, which holds the same DER bytes:

$cer = Export-Certificate -Cert $cert -FilePath C:\public.cer
$cerBytes = [System.IO.File]::ReadAllBytes("C:\public.cer")
$base64Value = [System.Convert]::ToBase64String($cerBytes)
# Equivalent, without going through the file system:
# $base64Value = [System.Convert]::ToBase64String($cert.RawData)

The $base64Value string is what goes into the "key" property of an entry in the manifest's keyCredentials array; the portal's certificate upload button populates the same array from the .CER file.

Uploading the Public Key to Azure AD

In the Azure portal, navigate to the Azure AD app registration and go to the Certificates & secrets section. Under Certificates, click "Upload certificate" and choose the .CER file exported above (the portal accepts .cer, .pem and .crt, never a .pfx, so the private key cannot be uploaded by accident). The certificate's SHA-1 thumbprint then appears in the list and the app can authenticate with the matching private key.

Alternatively, add the base64-encoded public key programmatically with the Microsoft Graph API. Certificates live in the application's keyCredentials collection (addPassword and passwordCredential are for client secrets only), and the first certificate is added by patching that collection. The {id} in the URL is the application's object ID, not its Application (client) ID:

PATCH https://graph.microsoft.com/v1.0/applications/{id}
Content-Type: application/json

{
  "keyCredentials": [
    {
      "type": "AsymmetricX509Cert",
      "usage": "Verify",
      "key": "<$base64Value>",
      "displayName": "PostmanClient",
      "startDateTime": "2022-01-01T00:00:00Z",
      "endDateTime": "2024-01-01T00:00:00Z"
    }
  ]
}

startDateTime and endDateTime must fall within the certificate's own validity period (two years here). Graph assigns the keyId itself. Because PATCH replaces the whole keyCredentials array, include any certificates already registered or they will be removed; the addKey action exists for appending later, but it requires a proof JWT signed by a key that is already registered.
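The certificate created and uploaded above is consumed by the OAuth 2.0 client-credentials grant: the client signs a short-lived JWT (the client assertion) with the private key, and Azure AD verifies the signature against the public key registered in keyCredentials. The following is an added example, not code from the original article, that shows the whole exchange in PowerShell: locate the certificate, build and sign the assertion, redeem it for a SharePoint access token and make one REST call. The tenant ID, client ID and SharePoint host are placeholders to replace with your own, and the certificate is assumed to come from a provider that supports SHA-256 signing (the default Key Storage Provider or the Enhanced RSA and AES provider).

```powershell
# Added example (not from the original article): certificate-based token acquisition.
# Placeholders (assumptions): tenant ID, client ID and SharePoint host below are not real.
$tenantId = "00000000-0000-0000-0000-000000000000"   # Directory (tenant) ID
$clientId = "11111111-1111-1111-1111-111111111111"   # Application (client) ID of the registration
$resource = "https://contoso.sharepoint.com"          # SharePoint tenant host = token audience

# The certificate created earlier with New-SelfSignedCertificate (private key stays in the store).
$cert = Get-ChildItem Cert:\CurrentUser\My |
    Where-Object { $_.Subject -eq "CN=PostmanClient" -and $_.HasPrivateKey } |
    Sort-Object NotAfter -Descending | Select-Object -First 1
if (-not $cert) { throw "No CN=PostmanClient certificate with a private key found in Cert:\CurrentUser\My" }

function ConvertTo-Base64Url([byte[]] $Bytes) {
    # JWTs use base64url: '+' -> '-', '/' -> '_', and no '=' padding.
    [System.Convert]::ToBase64String($Bytes).TrimEnd('=').Replace('+', '-').Replace('/', '_')
}

function New-ClientAssertion {
    param(
        [Parameter(Mandatory)] [System.Security.Cryptography.X509Certificates.X509Certificate2] $Certificate,
        [Parameter(Mandatory)] [string] $ClientId,
        [Parameter(Mandatory)] [string] $TenantId
    )
    $now = [DateTimeOffset]::UtcNow
    # x5t is the base64url SHA-1 thumbprint; Azure AD uses it to pick the registered public key.
    $header = [ordered]@{
        alg = "RS256"
        typ = "JWT"
        x5t = ConvertTo-Base64Url $Certificate.GetCertHash()
    }
    $payload = [ordered]@{
        aud = "https://login.microsoftonline.com/$TenantId/oauth2/v2.0/token"
        iss = $ClientId
        sub = $ClientId
        jti = [guid]::NewGuid().ToString()          # unique per assertion: replay protection
        nbf = $now.ToUnixTimeSeconds()
        exp = $now.AddMinutes(10).ToUnixTimeSeconds() # keep it short; it is used once
    }
    $utf8 = [System.Text.Encoding]::UTF8
    $signingInput = (ConvertTo-Base64Url $utf8.GetBytes(($header | ConvertTo-Json -Compress))) + "." +
                    (ConvertTo-Base64Url $utf8.GetBytes(($payload | ConvertTo-Json -Compress)))

    # RSASSA-PKCS1-v1_5 with SHA-256 == RS256. The private key never leaves the store.
    $rsa = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPrivateKey($Certificate)
    if (-not $rsa) { throw "Certificate has no accessible RSA private key" }
    $signature = $rsa.SignData($utf8.GetBytes($signingInput),
                               [System.Security.Cryptography.HashAlgorithmName]::SHA256,
                               [System.Security.Cryptography.RSASignaturePadding]::Pkcs1)
    return "$signingInput." + (ConvertTo-Base64Url $signature)
}

$assertion = New-ClientAssertion -Certificate $cert -ClientId $clientId -TenantId $tenantId

# Client-credentials request: no shared secret is sent, only the signed assertion.
$tokenRequest = @{
    client_id             = $clientId
    scope                 = "$resource/.default"
    client_assertion_type = "urn:ietf:params:oauth:client-assertion-type:jwt-bearer"
    client_assertion      = $assertion
    grant_type            = "client_credentials"
}
$token = Invoke-RestMethod -Method Post `
    -Uri "https://login.microsoftonline.com/$tenantId/oauth2/v2.0/token" -Body $tokenRequest

# Use the token against the SharePoint REST API (audience must be the SharePoint host).
$headers = @{
    Authorization = "Bearer $($token.access_token)"
    Accept        = "application/json;odata=verbose"
}
(Invoke-RestMethod -Uri "$resource/_api/web" -Headers $headers).d.Title
```

The token this produces is app-only (no signed-in user), so SharePoint honours it only if the registration holds SharePoint application permissions (for example Sites.Selected or Sites.Read.All) with admin consent. SharePoint Online also refuses app-only tokens that were obtained with a client secret rather than a certificate, which is the practical reason the certificate exists in this setup: the password grant described later in the article never uses it.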

Configuring the Azure AD Application Manifest

The application manifest needs the OAuth2 password grant flow enabled, the required API permissions granted, and a client secret generated. Be aware that the password grant (resource owner password credentials, ROPC) is a legacy flow: it sends a user's password directly to the token endpoint, it does not work for accounts protected by MFA or for federated accounts, and Microsoft recommends against it for new work. If you use it, dedicate a least-privilege test account to it rather than a personal one.

Enabling OAuth2 Password Grant Flow

By default, the OAuth2 password grant flow is not enabled for Azure AD applications. Using the app manifest editor, set the top-level "allowPublicClient" property to true (in the portal this is Authentication > Allow public client flows). It is a sibling of "oauth2AllowUrlPathMatching", not a child of it, and that second property controls reply-URL path matching and should be left at false:

"allowPublicClient": true,
"oauth2AllowUrlPathMatching": false

This allows Postman to use password grant authentication with the app. Strictly, allowPublicClient is only required when the token request carries no client secret; a request that includes the client secret configured below is treated as a confidential client and works either way.

Adding Required API Permissions

The SharePoint REST API validates the token's audience, so the token must be issued for the SharePoint host, not for Microsoft Graph. In the API permissions tab, click "+ Add a permission" and select "SharePoint" (not "Microsoft Graph") for the site permission, then add delegated permissions for:

  • AllSites.Write (SharePoint)
  • User.Read (Microsoft Graph, used for the basic sign-in profile)

This grants the app, acting as the signed-in user, read and write access to the sites that user can already reach; the SharePoint permission "Sites.ReadWrite.All" exists only as an application permission for app-only (certificate) access. Click "Grant admin consent" if your tenant requires it for these scopes.

Configuring a Client Secret

Navigate to the "Certificates & secrets" section and generate a new client secret. Copy the value immediately, as it is shown only once and is needed later in Postman to get an access token.

Alternatively, use the Graph API to generate a secret:

POST https://graph.microsoft.com/v1.0/applications/{id}/addPassword

{
   "passwordCredential": {
       "displayName": "Client Secret"
   }
}

The response contains the generated secret in secretText exactly once; it cannot be retrieved again through Graph or the portal. Store it in Postman as a "secret"-type variable (so it is masked and not exported with the collection), never as a plain value committed to a shared collection.

Using Postman for Authentication

Postman can be configured to authenticate with Azure AD using the OAuth 2.0 password grant flow (Postman calls it "Password Credentials"). Access tokens acquired this way are delegated tokens for the signed-in test account and can be used to call the SharePoint REST API with that account's permissions.

Generating an Access Token

In Postman, set the Authorization type to OAuth 2.0 and the Grant Type to Password Credentials. For the Access Token URL use https://login.microsoftonline.com/{tenant}/oauth2/v2.0/token, replacing {tenant} with your tenant ID or primary domain, then enter the Application (client) ID and the client secret generated previously, the username and password of the test account, and a scope such as https://contoso.sharepoint.com/AllSites.Write offline_access. Set "Add token to" to Request Headers.

Clicking "Get New Access Token" acquires a token from Azure AD; Postman then sends it as an Authorization: Bearer header with every SharePoint REST API request that inherits this authorization.

Calling the SharePoint REST API

With the access token, SharePoint REST API endpoints can now be called. The SharePoint REST API is rooted at /_api on the site URL (the /sites/root path belongs to Microsoft Graph, not to SharePoint). For example, get the current web's details:

GET https://contoso.sharepoint.com/_api/web
Authorization: Bearer <access_token>
Accept: application/json;odata=verbose

The bearer token in the Authorization header is what authorizes the call; if the token was issued for Microsoft Graph instead of the SharePoint host, SharePoint answers 401 Unauthorized regardless of the permissions granted.

Handling Token Renewal

Access tokens are short-lived, roughly one hour by default. Postman can renew them automatically using the refresh token granted during authentication, provided the scope requested included offline_access (the v2.0 endpoint issues no refresh token otherwise) and "Auto-refresh token" is enabled in the authorization settings.

To force a renewal, let the access token expire (or delete it from Postman's token list) and make another SharePoint API call; Postman redeems the refresh token silently, without prompting for credentials again.

Securing the Integration

To maintain secure SharePoint access several steps should be taken when integrating Postman.

Rotating Client Secrets

Client secrets should be rotated at least once per year to reduce the risk of compromise. Give each secret a matching expiry when it is created, so an unrotated secret stops working on its own instead of living indefinitely. Use the Azure portal or Graph API to generate the replacement, then delete the old one once Postman has been switched over.

Update the Postman configuration with newly created secrets to maintain access.
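Rotation is easier to keep honest when it is driven by the registration's own data rather than a calendar reminder. The following added example (not from the original article) lists the certificates and secrets on an app registration and flags those already expired or expiring within a window, using the same keyCredentials and passwordCredentials shape that Microsoft Graph returns for an application. The application object in it is constructed sample data; the Graph calls in the trailing comments assume a token that can administer the app (Application.ReadWrite.All, or ownership of the registration).

```powershell
# Added example (not from the original article): audit credential expiry on an app registration.
function Get-ExpiringCredential {
    param(
        # Object with keyCredentials and passwordCredentials, as returned by
        # GET https://graph.microsoft.com/v1.0/applications/{object-id}
        [Parameter(Mandatory)] $Application,
        [int] $WithinDays = 30
    )
    $nowUtc = (Get-Date).ToUniversalTime()
    $cutoff = $nowUtc.AddDays($WithinDays)

    $all = @()
    foreach ($k in $Application.keyCredentials) {
        $all += [pscustomobject]@{ Kind = 'Certificate'; KeyId = $k.keyId; Name = $k.displayName
                                   EndsUtc = ([datetime]$k.endDateTime).ToUniversalTime() }
    }
    foreach ($p in $Application.passwordCredentials) {
        $all += [pscustomobject]@{ Kind = 'Secret'; KeyId = $p.keyId; Name = $p.displayName
                                   EndsUtc = ([datetime]$p.endDateTime).ToUniversalTime() }
    }

    # Anything past the cutoff needs action: EXPIRED should be removed, EXPIRING needs a replacement.
    $all | Where-Object { $_.EndsUtc -le $cutoff } |
        Select-Object Kind, KeyId, Name, EndsUtc,
            @{ Name = 'Status'; Expression = { if ($_.EndsUtc -lt $nowUtc) { 'EXPIRED' } else { 'EXPIRING' } } }
}

# Constructed sample data (assumption): the GUIDs and dates below are not a real registration.
$sampleApp = [pscustomobject]@{
    displayName = 'PostmanClient'
    keyCredentials = @(
        @{ keyId = 'aaaaaaaa-0000-0000-0000-000000000001'; displayName = 'PostmanClient'
           type = 'AsymmetricX509Cert'; usage = 'Verify'; endDateTime = '2024-01-01T00:00:00Z' }
    )
    passwordCredentials = @(
        @{ keyId = 'bbbbbbbb-0000-0000-0000-000000000002'; displayName = 'Client Secret'
           endDateTime = (Get-Date).AddDays(10).ToUniversalTime().ToString('o') }
        @{ keyId = 'cccccccc-0000-0000-0000-000000000003'; displayName = 'Old secret'
           endDateTime = '2023-06-01T00:00:00Z' }
        @{ keyId = 'dddddddd-0000-0000-0000-000000000004'; displayName = 'Fresh secret'
           endDateTime = (Get-Date).AddDays(300).ToUniversalTime().ToString('o') }
    )
}

# Expected: the certificate and 'Old secret' as EXPIRED, 'Client Secret' as EXPIRING,
# 'Fresh secret' not listed.
Get-ExpiringCredential -Application $sampleApp -WithinDays 30 | Format-Table -AutoSize

# Against a live tenant, with $objectId = the registration's object ID and $graphToken a Graph token:
# $app = Invoke-RestMethod -Headers @{ Authorization = "Bearer $graphToken" } `
#   -Uri "https://graph.microsoft.com/v1.0/applications/$objectId`?`$select=displayName,keyCredentials,passwordCredentials"
# Get-ExpiringCredential -Application $app -WithinDays 30
# Remove an expired secret:
#   POST https://graph.microsoft.com/v1.0/applications/$objectId/removePassword   { "keyId": "<keyId>" }
# Remove a certificate (needs a proof JWT signed by a key that stays registered):
#   POST https://graph.microsoft.com/v1.0/applications/$objectId/removeKey        { "keyId": "<keyId>", "proof": "<jwt>" }
```

Run it on a schedule (or as a pipeline step) and treat any EXPIRED row as a finding: an expired credential no longer authenticates, but leaving it on the registration hides how many live credentials the app really has and who holds them.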

Monitoring Token Usage

Azure AD provides sign-in logs (including service principal sign-ins) and audit logs. Filter the sign-in logs on the Postman app's Application (client) ID to see which accounts, IP addresses and times it was used from, and watch the audit log for "Update application – Certificates and secrets management" events, which record anyone adding a credential to the registration.

Alerts can also be configured, for example by routing the logs to a Log Analytics workspace and raising an alert on sign-ins from unexpected locations or on new credentials being added to the app.

Revoking Permissions

If the Postman integration is no longer required, permissions can be revoked by removing the API permissions (and revoking the consent already granted) and deleting the certificates and secrets from the registration, or by deleting the app registration altogether.

Deleting the secrets and certificates stops new access tokens from being acquired, but access tokens already issued remain valid until they expire (about an hour), and refresh tokens keep working until they are revoked; disabling the test account used for the password grant, or revoking its sessions, closes that window.
