
function Set-AzAppSvcCert {
    Updates an Azure App Service SSL binding to use the specified certificate
    Compares the current certificate used by the binding to the specified certificate (based on thumbprint).
    Updates SSL binding certificate if thumbprint different.
    $True if binding was updated. $False if binding was not updated.
    Set-AzAppSvcCert -Certificate $pfxCert `
        -ResourceGroupName MyAzRG `
        -WebAppName api-example-site `
        -SslBindingName `
        -PfxPassword "234SECRETbc123" `
        -TenantId "853984-34534-45345-3453453" `
        -AppId "123-34234-23424" `
        -AppSecret "app-secret"
    Updates the Azure App Service SSL binding to use the specified certificate.

    param (
        [Parameter(ValueFromPipeline = $true, Mandatory = $true)]
        [Parameter(Mandatory = $true)]
        [Parameter(Mandatory = $true)]
        [Parameter(Mandatory = $true)]
        [Parameter(Mandatory = $true)]
        [Parameter(Mandatory = $true)]
        [Parameter(Mandatory = $true)]
        [Parameter(Mandatory = $true)]
        $AzureCloud = "AzureCloud"

    $isPem = $Certificate.StartsWith("-----BEGIN CERTIFICATE-----")
    if ($isPem) {
        throw "PEM format not supported"
    # Make sure we have the Az PS module imported
    Ensure-Module Az.Websites

    # Connect to Azure using Service Pricipal
    $connectToAzure = $true
    try {
        # Check if already logged in
        $exitingServicePrincipalId = (Get-AzContext).Account.Id
        $connectToAzure = $exitingServicePrincipalId -ne $AppId
    catch {}
    if ($connectToAzure) {
        $password = ConvertTo-SecureString $AppSecret -AsPlainText -Force
        $credentials = New-Object System.Management.Automation.PSCredential($AppId, $password)
        Connect-AzAccount -ServicePrincipal -Credential $credentials -Tenant $TenantId -Environment $AzureCloud
    $currentSslBinding = Get-AzWebAppSSLBinding -ResourceGroupName $ResourceGroupName `
        -WebAppName $WebAppName `
        -Name $SslBindingName

    $bytes = [Convert]::FromBase64String($Certificate)
    $xCert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2Collection
    $xCert.Import($bytes, $PfxPassword, "DefaultKeySet")
    $thumbprint = ($xCert.Thumbprint | select -last 1)
    $updateCert = $True
    if ($currentSslBinding) {
        # Compare thumbprint
        #$updateCert = @(Compare-Object $currentSslBinding.Thumbprint $xCert.Thumbprint).length -ne 0
        $updateCert = $currentSslBinding.Thumbprint -ne ($xCert.Thumbprint | select -last 1)

    if ($updateCert) {
        Write-Host "Binding thumbprint $($currentSslBinding.Thumbprint) does not match available thumbprint $thumbprint"
        $tempFile = New-TemporaryFile
        try {
            # Save cert to temp location that will be deleted after
            [IO.File]::WriteAllBytes($tempFile, $bytes)

            New-AzWebAppSSLBinding -ResourceGroupName $ResourceGroupName -WebAppName $WebAppName -Name $SslBindingName `
                -CertificateFilePath $tempFile `
                -CertificatePassword $PfxPassword
                -ErrorAction Continue
        finally {
            Remove-Item $tempFile
    else {
        Write-Host "Binding certificate same as available certificate"

    return $updateCert

function Ensure-Module {
        [string] $mod
    $m = Get-Module -Name $mod
    if($m -eq $null)
        Write-Host "$mod not imported"
        $module = Get-InstalledModule $mod -ea SilentlyContinue
        if ($module -eq $null)
            Write-Host "$mod not installed. Installing..."
            Install-Module $mod -Force -AllowClobber
        Write-Host "Importing $mod"
        Import-Module $mod -Scope Global