Microsoft Entra certificate-based authentication enables you to authenticate with X.509 certificates against Microsoft Entra ID.
This lets you adopt phishing-resistant authentication and authenticate with an X.509 certificate against your Enterprise Public Key Infrastructure (PKI).

Below is a detailed step-by-step guide that explains:

  • How to create a self-signed certificate in PowerShell
  • How to install a certificate on the local computer and avoid the common mistakes
  • How to create an Entra ID App and link it to your certificate
  • How to configure SharePoint Online permissions for the Entra ID App
Create a self-signed certificate using PowerShell.
Run PowerShell.exe or the PowerShell ISE as administrator and run the script below. Remember to update the script with your own information. Important: the store location cert:\LocalMachine\My must remain unchanged.
# Create the certificate in the local machine store (valid for 5 years)
$mycert = New-SelfSignedCertificate -DnsName "migratedms.com" -CertStoreLocation "cert:\LocalMachine\My" -NotAfter (Get-Date).AddYears(5) -KeySpec KeyExchange -KeyFriendlyName MyKeyName -FriendlyName MyName

# Export the certificate together with its private key to a password-protected .pfx file (keep this file secret)
$mycert | Export-PfxCertificate -FilePath c:\dev\MyCert.pfx -Password $(ConvertTo-SecureString -String "MyPassword" -AsPlainText -Force)

# Export the public certificate only to a .cer file (this is the file you upload to the Entra ID App)
$mycert | Export-Certificate -FilePath c:\dev\MyCert.cer
If you want to use the exported certificate file (MyCert.pfx) directly without installing it on the computer, you can skip to the section "Create an Entra ID App".

Install your self-signed certificate (you must have local admin permissions on the machine)
  • Double-click the .PFX file and select “Local machine” (Next)
  • Click Next to accept the selected file (the one you double-clicked)
  • Supply the password that you chose when creating the PFX in the PowerShell sample (Next)
  • Accept the default “Automatically select …” (Next)
  • Click Finish and you are done.
Run the Windows Management Console (MMC) and configure it to manage certificates
  • To manage certificates, go to the “File” menu and choose “Add/remove Snap-in”
  • Add the “Certificates Snap-in” and then select “Computer account” (Next)
  • Select “Local computer” (Finish) + (Ok)
Set up the user for the certificate; otherwise the certificate will not work after a reboot
  • Navigate to “Certificates\Personal\Certificates” and locate your newly installed certificate.
  • Right-click it and select “All Tasks\Manage private keys”
  • Then add the admin user.
Create an Entra ID App
  • Go to the Azure portal and select “Azure Active Directory/Microsoft Entra ID”
  • Make a note of your “Tenant ID”, as you need it to authenticate in combination with the “Thumbprint” that you will get later in this guide.
  • Select “App registrations”
  • Make a “new registration” if you do not already have one (use the defaults)
  • Locate “Client credentials” (top right) and click the link “Add a certificate or secret”
  • Select “Certificates” and click the “Upload certificate” button.
    Then select your certificate .cer file and click “Add”
  • Make a note of the “Thumbprint” and the Application (client) ID, as these are what you need later on to authenticate
Now the certificate has been registered, but permissions must still be added
  • Click the “API Permissions” link (left panel)
  • Click “Add a permission” and select “SharePoint”
  • Click “Application permissions”
  • Decide which permissions you need. In all cases you need “TermStore.Read.All”, “TermStore.ReadWrite.All” and “User.Read.All”.
    To have access to all sites, select “Sites.FullControl.All”
  • Finally you need to grant consent. Click “Grant admin consent for My Organization”
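The Tenant ID, Application (client) ID and Thumbprint noted above are combined in the client-credentials flow: the app proves possession of the private key by signing a short-lived JWT assertion, and Entra ID matches it to the uploaded .cer via the thumbprint. The following PowerShell is an added example, not part of the original guide; the three IDs and the SharePoint host are placeholders you must replace, and it reads the certificate from the cert:\LocalMachine\My store configured above.

```powershell
# Placeholder values (constructed): replace with your own Tenant ID, Application (client) ID and Thumbprint
$TenantId   = "00000000-0000-0000-0000-000000000000"
$ClientId   = "11111111-1111-1111-1111-111111111111"
$Thumbprint = "0123456789ABCDEF0123456789ABCDEF01234567"

function ConvertTo-Base64Url([byte[]]$Bytes) {
    [Convert]::ToBase64String($Bytes).TrimEnd('=').Replace('+', '-').Replace('/', '_')
}

function New-ClientAssertion([string]$TenantId, [string]$ClientId, [string]$Thumbprint) {
    # Locate the installed certificate and fail early on the two common mistakes:
    # no usable private key (the "Manage private keys" step) or an expired certificate.
    $cert = Get-ChildItem "cert:\LocalMachine\My\$Thumbprint" -ErrorAction Stop
    if (-not $cert.HasPrivateKey) { throw "Certificate $Thumbprint has no usable private key" }
    if ($cert.NotAfter -lt (Get-Date)) { throw "Certificate $Thumbprint expired on $($cert.NotAfter)" }

    # x5t is the base64url-encoded SHA-1 hash of the certificate, i.e. the Thumbprint shown in the portal
    $header = [ordered]@{ alg = "RS256"; typ = "JWT"; x5t = ConvertTo-Base64Url $cert.GetCertHash() }
    $now = [DateTimeOffset]::UtcNow.ToUnixTimeSeconds()
    $claims = [ordered]@{
        aud = "https://login.microsoftonline.com/$TenantId/oauth2/v2.0/token"
        iss = $ClientId
        sub = $ClientId
        jti = [guid]::NewGuid().ToString()   # unique per assertion so a captured one cannot be replayed
        nbf = $now
        exp = $now + 600                     # 10-minute lifetime keeps the assertion short-lived
    }
    $enc = [System.Text.Encoding]::UTF8
    $unsigned = (ConvertTo-Base64Url $enc.GetBytes(($header | ConvertTo-Json -Compress))) + "." +
                (ConvertTo-Base64Url $enc.GetBytes(($claims | ConvertTo-Json -Compress)))
    # Sign with the private key from the store; the key never leaves the machine
    $rsa = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPrivateKey($cert)
    $sig = $rsa.SignData($enc.GetBytes($unsigned),
        [System.Security.Cryptography.HashAlgorithmName]::SHA256,
        [System.Security.Cryptography.RSASignaturePadding]::Pkcs1)
    return "$unsigned." + (ConvertTo-Base64Url $sig)
}

# Exchange the assertion for an app-only token scoped to SharePoint Online (placeholder host)
$body = @{
    client_id             = $ClientId
    scope                 = "https://contoso.sharepoint.com/.default"
    client_assertion_type = "urn:ietf:params:oauth:client-assertion-type:jwt-bearer"
    client_assertion      = New-ClientAssertion $TenantId $ClientId $Thumbprint
    grant_type            = "client_credentials"
}
$token = Invoke-RestMethod -Method Post -Uri "https://login.microsoftonline.com/$TenantId/oauth2/v2.0/token" -Body $body
"Token acquired, valid for $($token.expires_in) seconds"
```

The token the endpoint returns carries only the application permissions that were granted admin consent in the last step, so a missing or unconsented permission shows up here as an authorization error rather than at the certificate stage.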

Last modified: 6 February 2024