Azure AD certificate-based authentication lets you authenticate to Azure Active Directory (Azure AD) with an X.509 certificate instead of a password or client secret.
This gives you phishing-resistant authentication backed by your enterprise Public Key Infrastructure (PKI). The guide below uses a self-signed certificate as the credential of an Azure AD app registration; the same steps apply to a certificate issued by your enterprise PKI.
Below is a detailed step-by-step guide that explains:
- How to create a self-signed certificate in PowerShell
- How to install the certificate on the local computer and avoid the common mistakes
- How to create an Azure AD App and link it to your certificate
- How to configure SharePoint Online permissions for the Azure AD App
Create a self-signed certificate using PowerShell
Run PowerShell.exe or the PowerShell ISE as administrator and execute the script below. Replace the DNS name, file paths, friendly names and password with your own values.
Important: cert:\LocalMachine\My must remain unchanged. The certificate has to be created in the local machine store, not the current user's store, because the installation and permission steps later in this guide assume it is there.
# Create the certificate in the local machine store (RSA 2048-bit and SHA-256 are the cmdlet defaults)
$mycert = New-SelfSignedCertificate -DnsName "migratedms.com" -CertStoreLocation "cert:\LocalMachine\My" -NotAfter (Get-Date).AddYears(5) -KeySpec KeyExchange -KeyFriendlyName MyKeyName -FriendlyName MyName
# Export certificate and private key to a .pfx file. The .pfx is the secret: protect it, and in a saved script
# prompt for the password (Read-Host -AsSecureString) instead of hard-coding it as shown here
$mycert | Export-PfxCertificate -FilePath c:\dev\MyCert.pfx -Password $(ConvertTo-SecureString -String "MyPassword" -AsPlainText -Force)
# Export the public certificate only (no private key) to a .cer file; this is the file you upload to the Azure AD App
$mycert | Export-Certificate -FilePath c:\dev\MyCert.cer
If you want to use the exported certificate file (MyCert.pfx) directly without installing it on the computer, skip to the section Create an Azure AD App.
Install your self-signed certificate (you must have local admin permissions on the machine)

- Run the Microsoft Management Console (MMC) and add the Certificates snap-in for the computer account, then import MyCert.pfx into Personal (cert:\LocalMachine\My).
- Set up the user for the certificate: grant the account that will run your script read access to the certificate's private key (right-click the certificate, All Tasks, Manage Private Keys). Otherwise the certificate will not work after a reboot.
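The installation step as a script, added here as an example and not part of the original guide. It imports the .pfx into the machine store, finds the private key file on disk (CNG and legacy CAPI keys live in different folders) and grants a service account read access to that file, which is what the MMC "Manage Private Keys" step does. The .pfx path, the password prompt and the account name CONTOSO\svc-sharepoint are assumptions.

```powershell
# Added example, not from the original guide. Run as local administrator.
# Assumed values: the .pfx path and the service account name are placeholders.
$pfxPath     = 'C:\dev\MyCert.pfx'
$pfxPassword = Read-Host -Prompt 'PFX password' -AsSecureString
$account     = 'CONTOSO\svc-sharepoint'   # account that will run the script (assumed)

# 1. Import the certificate and its private key into the local machine store.
$cert = Import-PfxCertificate -FilePath $pfxPath -CertStoreLocation 'Cert:\LocalMachine\My' -Password $pfxPassword
if (-not $cert.HasPrivateKey) { throw 'Imported certificate has no private key' }

# 2. Locate the private key file. CNG keys expose a CngKey with a UniqueName;
#    legacy CAPI keys expose a CspKeyContainerInfo. Both are the file name on disk.
$rsa = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPrivateKey($cert)
$keyName = if ($rsa -is [System.Security.Cryptography.RSACng]) {
    $rsa.Key.UniqueName                               # %ProgramData%\Microsoft\Crypto\Keys\
} else {
    $rsa.CspKeyContainerInfo.UniqueKeyContainerName   # %ProgramData%\Microsoft\Crypto\RSA\MachineKeys\
}
$keyFile = Get-ChildItem -Path "$env:ProgramData\Microsoft\Crypto" -Recurse -Filter $keyName -ErrorAction SilentlyContinue |
           Select-Object -First 1
if (-not $keyFile) { throw "Private key file '$keyName' not found under $env:ProgramData\Microsoft\Crypto" }

# 3. Grant the service account Read on the key file only (least privilege: no FullControl, no store-wide rights).
$acl  = Get-Acl -Path $keyFile.FullName
$rule = New-Object System.Security.AccessControl.FileSystemAccessRule($account, 'Read', 'Allow')
$acl.AddAccessRule($rule)
Set-Acl -Path $keyFile.FullName -AclObject $acl

# 4. Verify the grant and print the thumbprint you will use when connecting as the app.
(Get-Acl -Path $keyFile.FullName).Access | Where-Object IdentityReference -eq $account | Format-Table IdentityReference, FileSystemRights
"Thumbprint: $($cert.Thumbprint)"
```

If step 4 shows no entry for the account, the script that uses the certificate will fail with a key-not-found or access-denied error even though the certificate is visible in the store, which is the "does not work after reboot" symptom the MMC step fixes.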
Create an Azure AD App

- In the Azure portal, register a new application and open Certificates & secrets.
- Upload MyCert.cer (the public certificate only; the .pfx with the private key is never uploaded).
Now the certificate has been registered, but API permissions for SharePoint Online must still be added and granted admin consent before the app can be used.
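The app registration and certificate link as a script, added here as an example and not part of the original guide. It creates the app with the Microsoft Graph PowerShell SDK, attaches the public certificate from MyCert.cer as a key credential, reads the registration back to confirm the thumbprint matches, and, once the SharePoint permission has been granted admin consent, tests a certificate-based sign-in with PnP PowerShell. The tenant name, app display name and site URL are assumptions.

```powershell
# Added example, not from the original guide.
# Requires the Microsoft.Graph.Applications and PnP.PowerShell modules.
# Assumed values: tenant, app display name and site URL are placeholders.
Import-Module Microsoft.Graph.Applications

$cerPath = 'C:\dev\MyCert.cer'
$tenant  = 'contoso.onmicrosoft.com'                       # assumed
$siteUrl = 'https://contoso.sharepoint.com/sites/demo'     # assumed
$cert    = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($cerPath)

# Sign in as an administrator allowed to create app registrations.
Connect-MgGraph -Scopes 'Application.ReadWrite.All'

# The key credential carries only the public certificate (RawData); the private key stays on your machine.
$keyCredential = @{
    Type          = 'AsymmetricX509Cert'
    Usage         = 'Verify'
    Key           = $cert.RawData
    DisplayName   = 'MyCert'
    StartDateTime = $cert.NotBefore
    EndDateTime   = $cert.NotAfter
}
$app = New-MgApplication -DisplayName 'SharePoint Online automation' -SignInAudience 'AzureADMyOrg' -KeyCredentials @($keyCredential)
# A service principal must exist before permissions can be consented and before the app can sign in.
$sp = New-MgServicePrincipal -AppId $app.AppId

# Verify: the thumbprint Azure AD stores for the credential must equal the local certificate's thumbprint.
$registered = (Get-MgApplication -ApplicationId $app.Id).KeyCredentials
foreach ($k in $registered) {
    $registeredThumb = ([System.BitConverter]::ToString($k.CustomKeyIdentifier)) -replace '-', ''
    "{0}: registered {1}, local {2}, match={3}" -f $k.DisplayName, $registeredThumb, $cert.Thumbprint, ($registeredThumb -eq $cert.Thumbprint)
}
"AppId: $($app.AppId)"

# Add the SharePoint Online application permission to the app and grant admin consent in the portal,
# then test a certificate-based (app-only) sign-in with the private key from the machine store.
Connect-PnPOnline -Url $siteUrl -ClientId $app.AppId -Tenant $tenant -Thumbprint $cert.Thumbprint
Get-PnPWeb | Select-Object Title, Url
```

Connect-PnPOnline with -Thumbprint looks the certificate up in the machine store and signs the token request with its private key, so this call is the end-to-end check that the store, the private key permission and the registration all line up; a permission or consent problem shows up as an authorization error from SharePoint, not from Azure AD.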
Last modified:
15 September 2023