Microsoft Entra certificate-based authentication enables you to authenticate with X.509 certificates against Microsoft Entra ID .
This enables you to adopt a phishing resistant authentication and authenticate with an X.509 certificate against your Enterprise Public Key Infrastructure (PKI).

Below is a detailed step-by-step guide that explains:

  • How to create a self signed certificate in PowerShell
  • How to install a certificate on the local computer and avoid all the common mistakes
  • How to create an Entra ID App and link it to your certificate.
  • How to configure SharePoint Online permissions for the Entra ID App
Create a self signed certificate in using PowerShell.
Use PowerShell.exe/ISE as administrator and run the below script. Remember to update the script with you own info. Important: Please note that cert:\LocalMachine\My must remain unchanged.
# Create certificate
$mycert = New-SelfSignedCertificate -DnsName "" -CertStoreLocation "cert:\LocalMachine\My" -NotAfter (Get-Date).AddYears(5) -KeySpec KeyExchange -KeyFriendlyName MyKeyName -FriendlyName MyName

# Export certificate to .pfx file
$mycert | Export-PfxCertificate -FilePath c:\dev\MyCert.pfx -Password $(ConvertTo-SecureString -String "MyPassword" -AsPlainText -Force)

# Export certificate to .cer file
$mycert | Export-Certificate -FilePath c:\dev\MyCert.cer
If you want to use the exported certificate file (mycert.pfx) directly without installing it on the computer, you can skip to the section Create an Entra ID App


Install your self signed certificate (You must have local admin permissions on the machine.)
  • Double click on the .PFX file and select “Local machine” (Next)
  • Click next to the selected file (the one you double clicked.
  • Supply the password that you decided to use when creating the PFX from the PowerShell sample. (Next)
  • Accept the default to “Automatically select …” (Next)
  • Click Finish and you are done.
Run the Windows Management Console (MMC) and configure it to manage Certificates
  • To manage certificated go to the “File” menu “Add/remove Snap-in”
  • Add the “Certificates Snap-in” and then select “Computer account” (Next)
  • Select “Local computer”. (Finish) + (Ok)
Set up the user for the certificate. Otherwise the certificate will not work after reboot
  • Navigate to “Certificates\Personal\Certificates” and locate your newly installed certificate.
  • R-click it and select “All Tasks\Manage private keys”
  • Then add the admin user.


Create an Entra ID App
  • Go the the Azure portal and select “Azure Active Directory/Microsoft Entra ID”
  • Make a note of your “Tenant ID” as you need that to authenticate in combination with the “Thumbprint” that you will get later in this guide.
  • Select “App registrations”
  • Make a “new registration” if you do not already have one. (use the defaults)
  • Locate the “Client credential” (Top right) and click the link “Add a certificate or secret”
  • Select “Certificates” and click the “Upload certificate” button.
    Then select your certificate .cer file and click “Add”
  • Make a note of the “Thumbprint” and the Application (client) ID as this is what you need later on to authenticate
Now the certificate has been registered. But permissions must be added
  • Click the “API Permissions” link (left panel)
  • Click “Add a permission” and select “SharePoint”
  • Click “Application permissions”
  • Make decision to select the permissions you need. In all cases you need “TermStore.Read.All”, TermStore.ReadWrite.All, User.Read.All
    To have access to all sites select Sites.FullControl.All
  • Finally you need to grant consent. Click “Grant admin consent for My Organization”

Last modified: 6 February 2024