Microsoft Entra certificate-based authentication enables you to authenticate with X.509 certificates against Microsoft Entra ID.
This lets you adopt phishing-resistant authentication and sign in with an X.509 certificate issued by your enterprise Public Key Infrastructure (PKI). In this guide the certificate is used as the credential of an Entra ID app registration (a service principal), so the app can reach SharePoint Online without a client secret.
Below is a detailed step-by-step guide that explains:
- How to create a self-signed certificate in PowerShell
- How to install a certificate on the local computer and avoid the common mistakes
- How to create an Entra ID app and link it to your certificate
- How to configure SharePoint Online permissions for the Entra ID app
Create a self-signed certificate using PowerShell |
---|
Run PowerShell.exe or PowerShell ISE as administrator and execute the script below, after replacing the DNS name, file paths and password with your own values.
Important: keep cert:\LocalMachine\My as the -CertStoreLocation. The installation and MMC steps later in this guide assume the certificate lives in the local machine Personal store.
# Create certificate (RSA 2048-bit by default). Five years is generous for a
# self-signed app credential; shorten -NotAfter if your policy requires it.
$mycert = New-SelfSignedCertificate -DnsName "migratedms.com" -CertStoreLocation "cert:\LocalMachine\My" -NotAfter (Get-Date).AddYears(5) -KeySpec KeyExchange -KeyFriendlyName MyKeyName -FriendlyName MyName
# Export certificate with its private key to a .pfx file (protect this file: it is the credential)
$pfxPassword = ConvertTo-SecureString -String "MyPassword" -AsPlainText -Force
$mycert | Export-PfxCertificate -FilePath c:\dev\MyCert.pfx -Password $pfxPassword
# Export the public certificate only to a .cer file (this is the file you upload to the Entra ID app)
$mycert | Export-Certificate -FilePath c:\dev\MyCert.cer
If you want to use the exported certificate file (MyCert.pfx) directly without installing it on the computer, you can skip to the section Create an Entra ID App.
Install your self-signed certificate (you must have local admin permissions on the machine) |
---|
Run the Microsoft Management Console (MMC) and add the Certificates snap-in for the Computer account, so that it shows the cert:\LocalMachine\My store used above |
Grant the user account that will run the code read access to the certificate's private key (right-click the certificate > All Tasks > Manage Private Keys...). Otherwise the certificate will not work after reboot, because by default only SYSTEM and Administrators can read a machine-store private key |
Create an Entra ID App |
---|
Now the certificate has been registered on the app as a credential, but API permissions must still be added before it can do anything |
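The certificate installation and private-key permission steps above can also be done from PowerShell, which is easier to repeat on several machines and avoids the most common mistake (a key the service account cannot read). The script below is an added example written for this page, not code from the original guide. It assumes Windows PowerShell 5.1, the PFX path and password from the export step, a placeholder service account CONTOSO\svc-spo, and placeholder client and tenant IDs in the final Connect-MgGraph call (Microsoft.Graph module required for that step only).

```powershell
# Added example, not part of the original guide. Installs the exported PFX into the
# machine store and grants one account read access to the private key, which is what
# the MMC "Manage Private Keys" step does by hand. Placeholders (assumptions): the PFX
# path and password, the account CONTOSO\svc-spo, and the client/tenant IDs at the end.
$pfxPath     = 'C:\dev\MyCert.pfx'
$pfxPassword = ConvertTo-SecureString -String 'MyPassword' -AsPlainText -Force
$keyUser     = 'CONTOSO\svc-spo'   # the account that will run the integration

# 1. Import into cert:\LocalMachine\My, the store the rest of the guide expects.
#    Without -Exportable the imported key is non-exportable, which is what we want.
$cert = Import-PfxCertificate -FilePath $pfxPath -CertStoreLocation 'Cert:\LocalMachine\My' -Password $pfxPassword
if (-not $cert.HasPrivateKey) { throw 'Import succeeded but no private key is attached; re-export the PFX with the key.' }

# 2. Find the key container file on disk. The certificate was created with
#    -KeySpec KeyExchange, so it is a legacy CSP (CAPI) key stored under MachineKeys.
$containerName = $cert.PrivateKey.CspKeyContainerInfo.UniqueKeyContainerName
$keyFile = Join-Path (Join-Path $env:ProgramData 'Microsoft\Crypto\RSA\MachineKeys') $containerName
if (-not (Test-Path $keyFile)) { throw "Private key file not found: $keyFile" }

# 3. Grant Read on that file to the account. Read is enough to sign; do not grant
#    Modify or FullControl. By default only SYSTEM and Administrators can read it.
$acl  = Get-Acl -Path $keyFile
$rule = New-Object System.Security.AccessControl.FileSystemAccessRule($keyUser, 'Read', 'Allow')
$acl.AddAccessRule($rule)
Set-Acl -Path $keyFile -AclObject $acl

# 4. Prove the key is usable from the store context by signing a test payload.
$rsa = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPrivateKey($cert)
$sig = $rsa.SignData([Text.Encoding]::UTF8.GetBytes('ping'),
                     [System.Security.Cryptography.HashAlgorithmName]::SHA256,
                     [System.Security.Cryptography.RSASignaturePadding]::Pkcs1)
"Thumbprint {0}: signed {1} bytes, key ACL grants Read to {2}" -f $cert.Thumbprint, $sig.Length, $keyUser

# 5. Authenticate as the app registration with the thumbprint (Microsoft.Graph module).
#    Run this as $keyUser; if it fails with a key-access error, step 3 did not take effect.
Connect-MgGraph -ClientId '00000000-0000-0000-0000-000000000000' -TenantId 'contoso.onmicrosoft.com' -CertificateThumbprint $cert.Thumbprint
```

Step 4 is the check worth keeping in any deployment script: a certificate that appears in the store but whose key the account cannot open fails only at authentication time, usually with an unhelpful "keyset does not exist" error.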
Restricted API permissions
You can use Sites.Selected in both the Microsoft Graph and the SharePoint section to restrict the app to specific sites instead of the whole tenant. Note that Sites.Selected by itself grants access to no sites at all: an administrator must additionally grant the app read or write on each site it needs. See: Sites.Selected Permissions: what is it, and how do I use it
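Granting a site to an app that holds only Sites.Selected is done against the site, not in the app registration. The script below is an added example written for this page, not code from the original guide; it uses the Microsoft.Graph.Sites cmdlets and assumes the caller is an administrator who can consent to Sites.FullControl.All for the session. The site URL, app ID and display name are placeholders.

```powershell
# Added example, not part of the original guide: grant an app that only holds
# Sites.Selected write access to one site, list the result and show how to revoke it.
# Assumptions: Microsoft.Graph.Sites is installed, the caller can consent to
# Sites.FullControl.All, and the site, app id and display name below are placeholders.
$siteId  = 'contoso.sharepoint.com:/sites/Finance'   # hostname:/server-relative-path form accepted by Get-MgSite
$appId   = '00000000-0000-0000-0000-000000000000'    # Application (client) ID of the Entra ID app
$appName = 'My DMS integration'

# Sites.FullControl.All is needed by the identity doing the granting, not by the
# app being granted. The app itself keeps only Sites.Selected.
Connect-MgGraph -Scopes 'Sites.FullControl.All'
$site = Get-MgSite -SiteId $siteId

# Roles for Sites.Selected grants: read and write are the original values, manage and
# fullcontrol were added later. Use the lowest that works; 'write' covers creating
# and updating files and list items.
$grant = New-MgSitePermission -SiteId $site.Id -Roles @('write') -GrantedToIdentities @(
    @{ application = @{ id = $appId; displayName = $appName } }
)
"Granted permission {0} with roles {1} on {2}" -f $grant.Id, ($grant.Roles -join ','), $site.WebUrl

# Review what is granted on this site (one entry per app).
Get-MgSitePermission -SiteId $site.Id | Select-Object Id, Roles

# Revoke when the integration is decommissioned.
# Remove-MgSitePermission -SiteId $site.Id -PermissionId $grant.Id
```

If you already use PnP.PowerShell, the same grant is Grant-PnPAzureADAppSitePermission -AppId $appId -DisplayName $appName -Site https://contoso.sharepoint.com/sites/Finance -Permissions Write. Either way, review the grants per site periodically: they are not visible in the app registration's API permissions blade.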
Read Entra ID user names etc.
You can access M365 user information from Entra ID (formerly Azure AD), such as display name, department, etc., using the virtual list Tenant users. Filters: when using the = operator or the IN operator, a server-side filter is applied, which keeps performance acceptable for tenants with many users (>3000). Other filters, such as BeginsWith or Contains, are evaluated client-side, meaning all users are fetched first and then filtered locally.
To use the virtual list Tenant users, ensure that your app registration has Graph API permissions: either User.Read.All or User.ReadBasic.All, depending on the columns you need. User.ReadBasic.All exposes only basic properties (display name, given name, surname, mail, user principal name, photo); columns such as department require User.Read.All.
The "Microsoft Graph" permissions are required for:
- Accessing files larger than 2 GB
- Reading users and groups in the tenant for easier visual mapping of users