PowerShell Profiles MSGraph API

I’m moving from an old 2012 server (yes, I know) to a 2022 server for SquaredUp. I’ve copied dashboards over and recreated API connections and PowerShell profiles.

I’ve got a dashboard that pulls licensing information for our M365 tenancies via an AAD application and a PowerShell script that runs in a tile on a dashboard.
I can Connect-MgGraph -ClientID xxxx -TenantId xxxx -CertificateThumbprint xxxx in PowerShell on the new SquaredUp server, but using that in a PowerShell Profile on the same server doesn’t work. I get ‘ClientCertificateCredential authentication failed: Invalid provider type specified.’

On the AAD app, it has the certificate from the old SqUp server and also the new SqUp server.

What am I missing?

Offhand (never used this), are you sure the Certificate referenced by the Thumbprint is in the machine certificate store, and not in the user certificate store? Or at least, it should be in the user store that’s linked to the App Pool…

Thanks for the suggestions. The cert is in the local computer Personal store; I exported it and imported it into the user store that runs the PowerShell in the dashboard, but it still errored.

It got me thinking though: this is a new server with a binding in IIS to a self-signed cert that I created when I was deploying it. I changed that binding to the certificate that I’m using for the AAD app in Azure, restarted the Web Server, and it now works!

Thanks very much for putting me on the right track!

Hi Peter,
That is definitely not logical per se; the Website Binding in IIS has no impact on the certificate used outbound inside a script. Maybe you just needed to restart the App Pool or Website (or IIS!). Glad it works, but I would recommend you look into this a little more (e.g. change the website certificate to something that is signed by your internal PKI). The User store logic seems to hold better, as you can see here: microsoftgraph/msgraph-sdk-powershell Issue #675 on GitHub, “Unable to authenticate using Connect-MgGraph with certificate on Windows Server or Azure HybridWoker error is "certificate was not found or has expired."”

It does seem like the website restart might have been the answer, I’ll do some more digging.

Website certificate is to demonstrate to outside clients (Browsers) that the server is who the server proposes to be. It is used for “Server Authentication”.

The certificate used in Connect-MgGraph is to authenticate the client to the server it is connecting to, basically, it would be the equivalent of username / password. The purpose here is “Client Authentication”.

Unfortunately, there is a LOT of confusion on the internet about certificate usage/management. Most websites’ SSL certificates (including *.squaredup.com, as in the current cert) use both (Server & Client) Key Usage purposes, although this is technically incorrect. The Self-Signed cert that can be used for authenticating to Azure stuff cannot use the latest best practices in certificate management. (Which actually tells a lot about the New-SelfSignedCertificate PoSH cmdlet and about the risk behind using certs to authenticate to Azure, but that’s another discussion.)

In your case, as I said above, you should use different certificates for the website and the Connect-MgGraph cmdlet.
Good Luck!
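To check the points raised in this thread (which store the certificate is in, whether the private key is present, and whether it carries the Client Authentication purpose rather than only Server Authentication), here is an added diagnostic script; it is not from the thread or from SquaredUp, and $Thumbprint is a placeholder for the thumbprint passed to Connect-MgGraph.

```powershell
# Added diagnostic, not part of the thread. Looks up a certificate by thumbprint in the
# CurrentUser and LocalMachine Personal stores and reports what Connect-MgGraph needs:
# a private key, a valid date range, and the Enhanced Key Usage (EKU) purposes.
# $Thumbprint is a placeholder; pass the thumbprint used in Connect-MgGraph.
param(
    [Parameter(Mandatory)]
    [string]$Thumbprint
)

$ClientAuthOid = '1.3.6.1.5.5.7.3.2'   # EKU OID for Client Authentication
$ServerAuthOid = '1.3.6.1.5.5.7.3.1'   # EKU OID for Server Authentication

$thumb = $Thumbprint -replace '\s', ''   # strip spaces copied from the certificate UI

$results = foreach ($store in 'Cert:\CurrentUser\My', 'Cert:\LocalMachine\My') {
    $cert = Get-ChildItem -Path $store -ErrorAction SilentlyContinue |
        Where-Object { $_.Thumbprint -eq $thumb }
    if (-not $cert) { continue }

    # Collect the EKU OIDs; a certificate with no EKU extension is valid for any purpose.
    $eku = $cert.Extensions |
        Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] } |
        ForEach-Object { $_.EnhancedKeyUsages | ForEach-Object { $_.Value } }

    [pscustomobject]@{
        Store            = $store
        Subject          = $cert.Subject
        HasPrivateKey    = $cert.HasPrivateKey
        NotBefore        = $cert.NotBefore
        NotAfter         = $cert.NotAfter
        Expired          = ($cert.NotAfter -lt (Get-Date))
        ClientAuthEku    = ($eku -contains $ClientAuthOid)
        ServerAuthEku    = ($eku -contains $ServerAuthOid)
        NoEkuRestriction = (-not $eku)
    }
}

if (-not $results) {
    Write-Warning "No certificate with thumbprint $thumb in CurrentUser\My or LocalMachine\My for this account."
    return
}

# A usable entry shows HasPrivateKey = True, Expired = False, and either ClientAuthEku = True
# or NoEkuRestriction = True. A hit only under LocalMachine\My while the dashboard runs as a
# different user points at the store/permission question raised in the thread.
$results | Format-List
```

Run it under the same account that executes the SquaredUp PowerShell profile, since the CurrentUser store differs per account.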
