Certificate-based authentication for Microsoft Graph PowerShell enables you to authenticate to Microsoft Graph and run PowerShell scripts in the application context without having to store or retrieve a client secret.
This can be beneficial in scenarios where you need to run a script from a privileged device but do not want to store a client secret within the code. Scenarios may include running a script from a privileged devices, or using Azure Automation.
In this tutorial, I am going to show you how to use certificate-based authentication with Microsoft Graph PowerShell.
Scenario
In this scenario, I use an Azure Automation Runbook in my primary tenant (Tenant 2). I need to authenticate to Microsoft Graph in another tenant (Tenant 1) using PowerShell to manage resources.
For this use case, I will use certificate-based authentication with Microsoft Graph PowerShell.
Create a new self-signed certificate
You first need to generate a new self-signed certificate on your local workstation. When you do this, the private key is also stored on your local device. This can be removed once you are done.
The below command will create a new certificate named AzureAutomation that will expire in 12 months.
$certname = "AzureAutomation"
$cert = New-SelfSignedCertificate -Subject "CN=$certname" `
-CertStoreLocation "Cert:\CurrentUser\My" `
-KeyExportPolicy Exportable `
-KeySpec Signature `
-KeyLength 2048 `
-KeyAlgorithm RSA -HashAlgorithm SHA256 `
-NotAfter (Get-Date).AddMonths(12)
To export the certificate without the private key (to upload to your application in Microsoft Entra), use the below command and change the path as desired.
Export-Certificate -Cert $cert -FilePath "C:\cert\$certname.cer"
To export the certificate with the private key (to upload to your Automation Account), use the below command and change the path as desired. Ensure you change the password I have specified below!
$mypwd = ConvertTo-SecureString -String "Password123" -Force -AsPlainText
Export-PfxCertificate -Cert $cert -FilePath "C:\cert\$certname.pfx" -Password $mypwd
Once the files are exported, you can remove the certificate from the device is was created on.
$cer = Get-ChildItem -Path "Cert:\CurrentUser\My" | Where-Object {$_.Subject -Match "$certname"} | Select-Object Thumbprint, FriendlyName
Remove-Item -Path Cert:\CurrentUser\My\$($cer.Thumbprint) -DeleteKey
Create a new app registration
You will need to create a new app registration in Microsoft Entra; this will facilitate access to Microsoft Graph resources in the destination tenant (or tenant 1).
Follow the below steps to create a new app registration and assign the necessary permission.
2. Enter a name and click Register.
Assign Graph API permissions
You can now assign the required permissions to the application. I will assign the groups.readwrite.all permission.
2. Click Add a permission.
3. Select Microsoft Graph > Application Permissions.
4. Find your required permission and click Add.
Upload the public certificate
You will now need to upload the public certificate you exported in .cer format to the application.
1. Under Manage, select Certificates & secrets.
2. Click Certificates > Upload certificate, then upload your certificate. Mine was named AzureAutomation.cer.
Upload the private key to your Azure Automation Account
At this stage, the application in tenant one has been prepared, and you now need to upload the certificate with the private key to the Azure Automation Account in tenant 2.
1. Log in to the portal.azure.com
2. Find your Automation Account and open it.
3. Under Shared resources, select Certificates.
4. Click Add a certificate, then define a name for the certificate and upload the .pfx file you previously exported. You will be prompted for the password you specified when you created the certificate.
Connect to Microsoft Graph with Certificate-based authentication
Now both resources have been prepared, you can now use the necessary connection commands to authentication to Microsoft Graph PowerShell in your Runbooks.
Before you go any further! You must import the Microsoft Graph PowerShell modules into your Automation Account. View the steps I have written here.
Copy the below code and add the ClientID and TenantID from the application in tenant one. Get-MgContext is used so you can visually confirm authentication is successful.
$cert = Get-AutomationCertificate -Name 'AzureAutomation'
$ClientID = ""
$TenantID = ""
Connect-MgGraph -ClientID $ClientID `
-TenantId $TenantID `
-CertificateThumbprint $cert.Thumbprint
Get-MgContext
Now paste your code into your Runbook and click Test pane.
Click Start, then when the Runbook completes you should see an output on the screen confirming your have a successful connection.
When the certificate expires, simply create a new certificate and follow the same process to replace it.