Windows OS Hub

March 17, 2024

PowerShell: Configure Certificate-Based Authentication for Exchange Online (Azure)

Microsoft Entra ID (formerly Azure AD) supports certificate-based authentication (CBA). This lets a PowerShell script authenticate non-interactively: there is no password prompt and no Azure MFA challenge. With certificate-based authentication you no longer need to store passwords in PowerShell scripts or rely on a third-party vault through the SecretManagement module; the certificate's private key (and the PFX export password, if you keep one) becomes the credential that has to be protected.

Here is how to authenticate from your PowerShell scripts to Microsoft Entra ID (Azure AD) and Exchange Online with a certificate.

First, create a certificate and install it on the computer that will run the scripts. You can request a certificate from your CA or issue a self-signed one. In this example, we create a self-signed certificate with the New-SelfSignedCertificate cmdlet.

Generate a self-signed certificate with a 3-year validity period:

# Certificate validity: 3 years from today
$certvalid = (Get-Date).AddYears(3)
# Create the certificate in the local machine store; -KeySpec KeyExchange gives an RSA key usable for client authentication
$newcert = New-SelfSignedCertificate -DnsName "pre_prod.woshub.com" -CertStoreLocation "cert:\LocalMachine\My" -NotAfter $certvalid -KeySpec KeyExchange -FriendlyName "Azure Microsoft Entra ID PowerShell Auth cert"
# Show the thumbprint (needed later) and the validity period
$newcert | Format-List Subject,Thumbprint,NotBefore,NotAfter

Copy the value of the certificate thumbprint.

Then export the certificate: a CER file (public part only, to upload to the Entra app registration) and a PFX file (with the private key, to move the certificate to another host):

# Public certificate only (this is the file uploaded to Entra ID)
$newcert | Export-Certificate -FilePath "C:\PS\azure-auth.cer"
# Certificate with private key, protected by a password; keep this file as carefully as a password
$newcert | Export-PfxCertificate -FilePath "C:\PS\azure-auth.pfx" -Password $(ConvertTo-SecureString -String "S3dPswrd@123" -AsPlainText -Force)

Now create an application registration in Microsoft Entra ID:

  1. Sign in to the Azure Portal and go to Microsoft Entra ID -> App registrations -> New registration;
  2. Specify the app name (testCertAuthPowerShell), select Accounts in this organizational directory only (Single tenant), and click Register;
  3. Copy the Application (client) ID value;
  4. Assign permissions to the app. Go to API permissions -> Add a permission. In this example, we grant the permission to manage the Exchange Online configuration: APIs my organization uses -> Office 365 Exchange Online -> Application permissions -> Exchange.ManageAsApp -> Add permissions, then click Grant admin consent;
  5. Go to Certificates and secrets and upload the self-signed certificate (CER) file from your computer;
  6. Assign the Exchange Administrator role to the app. Go to Azure Active Directory -> Roles and administrators -> select the Exchange Administrator role -> Add assignments -> select your app (testCertAuthPowerShell) from the list.

Once that is done, you can connect to Exchange Online from a PowerShell script on your computer using the certificate. This example assumes that the Exchange Online PowerShell module (ExchangeOnlineManagement, EXO) is already installed on the computer.

You will need the values you copied earlier:

# Thumbprint of the certificate installed in the local certificate store
$certThumbprint = "9CF05589A4B29BECEE6456F08A76EBC3DC2BC581"
# Application (client) ID of the Entra app registration
$AzureAppID = "111111-2222-3333-4444-123456789"
# Tenant (organization) name
$tenant = "woshub.onmicrosoft.com"

Now you can connect to the Exchange Online tenant using the certificate:

Connect-ExchangeOnline -AppId $AzureAppID -CertificateThumbprint $certThumbprint -Organization $tenant

There is no password prompt and no Modern Authentication form when you connect to Microsoft Entra ID this way.

List mailboxes in your Exchange tenant:

Get-EXOMailbox

Remember to add a command to disconnect the Exchange Online session at the end of your PowerShell script:

Disconnect-ExchangeOnline -Confirm:$false
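As an added example (not code from the original post), here is a complete script built around the connection above: it checks that the certificate with the given thumbprint is installed with its private key and is not about to expire (a three-year self-signed certificate will silently break the script once it lapses), then connects, runs a query, and always disconnects. The thumbprint, app ID and tenant are the article's placeholder values; the 30-day warning threshold is an assumption.

```powershell
# Added example, not from the original post. Placeholder values from the article.
$certThumbprint = "9CF05589A4B29BECEE6456F08A76EBC3DC2BC581"
$AzureAppID     = "111111-2222-3333-4444-123456789"
$tenant         = "woshub.onmicrosoft.com"
$warnDays       = 30   # assumed renewal warning threshold

# Look for the certificate in the machine store first, then in the user store
$cert = Get-ChildItem -Path Cert:\LocalMachine\My, Cert:\CurrentUser\My |
    Where-Object { $_.Thumbprint -eq $certThumbprint } |
    Select-Object -First 1

if (-not $cert) {
    throw "Certificate $certThumbprint not found in LocalMachine\My or CurrentUser\My"
}
if (-not $cert.HasPrivateKey) {
    throw "Certificate $certThumbprint has no private key; import the PFX file, not the CER"
}

$daysLeft = ($cert.NotAfter - (Get-Date)).Days
if ($daysLeft -lt 0) {
    throw "Certificate expired on $($cert.NotAfter); renew it and upload the new CER to the app registration"
}
if ($daysLeft -lt $warnDays) {
    Write-Warning "Certificate expires in $daysLeft days ($($cert.NotAfter)); renew it soon"
}

try {
    Connect-ExchangeOnline -AppId $AzureAppID -CertificateThumbprint $certThumbprint `
        -Organization $tenant -ShowBanner:$false -ErrorAction Stop

    # Work done as the app: here, count mailboxes per recipient type
    Get-EXOMailbox -ResultSize Unlimited -Properties RecipientTypeDetails |
        Group-Object RecipientTypeDetails |
        Select-Object Name, Count
}
finally {
    # Always tear the session down, even if a command above failed
    Disconnect-ExchangeOnline -Confirm:$false -ErrorAction SilentlyContinue
}
```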

You can configure certificate-based authentication for other Microsoft 365 services in the same way. The important part is to grant your Entra app the correct API permissions and roles for each service.

For example, if you are using the Teams PowerShell module, you would run the following command to authenticate with a certificate:

Connect-MicrosoftTeams -CertificateThumbprint $certThumbprint -ApplicationId $AzureAppID -TenantId $tenant

To connect to Microsoft Entra ID with a certificate using the Azure AD PowerShell module:

Connect-AzureAD -TenantId $tenant -ApplicationId $AzureAppID -CertificateThumbprint $certThumbprint

Learn more about creating apps in Azure, assigning permissions, and using the Microsoft Graph API in PowerShell.

You can also import the certificate on another Windows host from the PFX file, which contains the password-protected private key. Use the Certificates MMC snap-in or PowerShell:

# Password used when the PFX file was exported
$password = ConvertTo-SecureString -String "S3dPswrd@123" -Force -AsPlainText
# Import the certificate with its private key into the current user's personal store
Import-PfxCertificate -Password $password -FilePath "C:\PS\azure-auth.pfx" -CertStoreLocation Cert:\CurrentUser\My

PowerShell scripts on that computer can then use Entra certificate-based authentication.

1 comment

Janek January 26, 2024 - 5:48 pm

You did not mention which redirect URIs you specified (I set localhost). In addition, I keep getting the error message: Get-MgUserCalendarView : Access is denied. Check credentials and try again.

I run the command as global admin.
