Microsoft Entra certificate-based authentication lets you authenticate against Microsoft Entra ID with X.509 certificates.
This gives you phishing-resistant authentication backed by your enterprise Public Key Infrastructure (PKI).

Below is a detailed step-by-step guide that explains:

  • How to create a self-signed certificate in PowerShell
  • How to install a certificate on the local computer and avoid the common mistakes
  • How to create an Entra ID app and link it to your certificate
  • How to configure SharePoint Online permissions for the Entra ID app
Create a self-signed certificate using PowerShell.
Run PowerShell.exe or the ISE as administrator and run the script below. Remember to update the script with your own values. Important: cert:\LocalMachine\My must remain unchanged.
# Create certificate
$mycert = New-SelfSignedCertificate -DnsName "migratedms.com" -CertStoreLocation "cert:\LocalMachine\My" -NotAfter (Get-Date).AddYears(5) -KeySpec KeyExchange -KeyFriendlyName MyKeyName -FriendlyName MyName

# Export certificate to .pfx file
$mycert | Export-PfxCertificate -FilePath c:\dev\MyCert.pfx -Password $(ConvertTo-SecureString -String "MyPassword" -AsPlainText -Force)

# Export certificate to .cer file
$mycert | Export-Certificate -FilePath c:\dev\MyCert.cer
If you want to use the exported certificate file (MyCert.pfx) directly without installing it on the computer, you can skip to the section “Create an Entra ID App”.

Install your self signed certificate (You must have local admin permissions on the machine.)
  • Double click on the .PFX file and select “Local machine” (Next)
  • Click Next past the selected file (the one you double-clicked).
  • Supply the password that you decided to use when creating the PFX from the PowerShell sample. (Next)
  • Accept the default to “Automatically select …” (Next)
  • Click Finish and you are done.
Run the Windows Management Console (MMC) and configure it to manage Certificates
  • To manage certificates go to the “File” menu, “Add/Remove Snap-in”
  • Add the “Certificates Snap-in” and then select “Computer account” (Next)
  • Select “Local computer”. (Finish) + (Ok)
Set up the user for the certificate; otherwise the certificate will not work after a reboot.
  • Navigate to “Certificates\Personal\Certificates” and locate your newly installed certificate.
  • Right-click it and select “All Tasks\Manage private keys”
  • Then add the admin user.
Create an Entra ID App
  • Go to the Azure portal and select “Azure Active Directory/Microsoft Entra ID”
  • Make a note of your “Tenant ID” as you need that to authenticate in combination with the “Thumbprint” that you will get later in this guide.
  • Select “App registrations”
  • Make a “new registration” if you do not already have one. (use the defaults)
  • Locate the “Client credential” (Top right) and click the link “Add a certificate or secret”
  • Select “Certificates” and click the “Upload certificate” button.
    Then select your certificate .cer file and click “Add”
  • Make a note of the “Thumbprint” and the Application (client) ID, as this is what you need later on to authenticate.
Now the certificate has been registered, but permissions must still be added.
  • Click the “API Permissions” link (left panel)
  • Click “Add a permission” and select “SharePoint”
  • Click “Application permissions”
  • Decide which permissions you need. In all cases you need “TermStore.Read.All”, “TermStore.ReadWrite.All” and “User.Read.All”.
    To have access to all sites select “Sites.FullControl.All”
  • Finally you need to grant consent. Click “Grant admin consent for My Organization”
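As an added check (example code, not from the original guide): once the .pfx is imported, private-key access is granted and you have the thumbprint from the Entra ID app, this PowerShell snippet confirms the certificate is in the expected store, unexpired, carries its private key and is usable by the current account. The thumbprint value is a placeholder.

```powershell
# Added example (not part of the original guide): verify the installed certificate
# before wiring it into the Entra ID app. Replace the placeholder with the
# thumbprint shown on the app's "Certificates" page.
$Thumbprint = 'REPLACE_WITH_THUMBPRINT_FROM_ENTRA'   # placeholder, not a real value

# Look the certificate up in the machine store the guide uses.
$cert = Get-Item -Path "cert:\LocalMachine\My\$Thumbprint" -ErrorAction SilentlyContinue
if (-not $cert) {
    throw "No certificate with thumbprint $Thumbprint in cert:\LocalMachine\My (was it imported under 'Local machine', not 'Current user'?)"
}

# Expiry: the guide creates a 5-year certificate; warn well before it lapses.
if ($cert.NotAfter -lt (Get-Date)) {
    throw "Certificate expired on $($cert.NotAfter)"
} elseif ($cert.NotAfter -lt (Get-Date).AddDays(30)) {
    Write-Warning "Certificate expires on $($cert.NotAfter); rotate it soon"
}

# Private key: the .cer uploaded to Entra holds only the public half, so the
# local .pfx import must have brought the private key along.
if (-not $cert.HasPrivateKey) {
    throw "Certificate has no private key; re-import the .pfx"
}

# Access check: actually use the key as the current account. This is what fails
# after a reboot when 'Manage private keys' was never used to grant access.
try {
    $rsa = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPrivateKey($cert)
    $null = $rsa.SignData([byte[]](1, 2, 3),
        [System.Security.Cryptography.HashAlgorithmName]::SHA256,
        [System.Security.Cryptography.RSASignaturePadding]::Pkcs1)
    Write-Host "OK: $($cert.Subject) ($($cert.Thumbprint)) is usable by $env:USERNAME until $($cert.NotAfter)"
} catch {
    throw "Private key exists but cannot be used by $env:USERNAME ($($_.Exception.Message)). Grant access via 'All Tasks\Manage private keys'."
}
```

Run it as the account that will actually use the certificate (for example the service account), not only as the administrator who imported it.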

Restricted API permissions

You can use Sites.Selected in both the Graph and the SharePoint sections to grant much more restricted access. See also: “Sites.Selected Permissions: what is it, and how do I use it?”

Read AD user names etc.

You can access M365 user information in AD (such as display name, department, etc.) using the virtual list Tenant users. Filters: when using the = operator or the IN operator, a server-side filter is applied, which keeps performance acceptable for tenants with many users (more than 3000). Other filters, such as BeginsWith or Contains, are evaluated client-side.
To use the virtual list Tenant users, make sure your App Registration has the Graph API permission User.Read.All or User.ReadBasic.All, depending on the specific columns you need to access.

The “Microsoft Graph” permissions are required for:

  • Access to files larger than 2 GB
  • Reading users and groups in the tenant for easier visual mapping of users.
Last modified: 4 September 2024