Blog Post

Exchange Team Blog
2 MIN READ

Modern Auth and Unattended Scripts in Exchange Online PowerShell V2

The_Exchange_Team's avatar
The_Exchange_Team
Platinum Contributor
Jun 30, 2020
Today, we are happy to announce the Public Preview of a Modern Auth unattended scripting option for use with Exchange Online PowerShell V2. This feature provides customers the ability to run non-inte...
Updated Jul 30, 2020
Version 6.0
administration
All Posts
announcements
exchange
exchange online
office 365
scripting
security
JeremyTBradshaw's avatar
JeremyTBradshaw
Iron Contributor
Jul 07, 2020

JGrote I see "New-EXOPSSession".  Could it be that you mean to be using Connect-ExchangeOnline instead?  I was doing some digging to see if I could find an answer about OAuth or JWT's requiring the KeySpec to be Signature, because most examples I see from docs.microsoft.com show the New-SelfSignedCertificate command having "-KeySpec Signature", so that's what I've always used.  But now I've done a test, and can confirm I'm able to connect using both a KeySpec = KeyExchange cert and KeySpec = Signature cert.

 

I create my self-signed certificate from Windows 10 and have pure success for both ways.  I just updated my New-SelfSignedAzureADAppRegistrationCertificate function (link to containing module), giving it a new parameter -KeySpec [Signature|KeyExchange] so I could test.   Both work fine for me from Windows 10 / Windows PowerShell 5.1, and in Azure Automation.

 

Maybe you're provider has a typo?

 

Last thing, I checked the script file Create-SelfSignedCertificate.ps1 and see that it actually uses KeyExchange for the key spec (1 = KeyExchange, 2 = Signature):

 

$key = new-object -com "X509Enrollment.CX509PrivateKey.1"
    $key.ProviderName = "Microsoft RSA SChannel Cryptographic Provider"
    $key.KeySpec = 1
    $key.Length = 2048 
    $key.SecurityDescriptor = "D:PAI(A;;0xd01f01ff;;;SY)(A;;0xd01f01ff;;;BA)(A;;0x80120089;;;NS)"
    $key.MachineContext = 1
    $key.ExportPolicy = 1 # This is required to allow the private key to be exported
    $key.Create()

So with all of this, I don't think the module has an issue with KeySpec = KeyExchange for the self-signed certificate being used.

 

UPDATE:  And ahhh, just like that, I am now seeing what you mean.  It's that if you DON'T specify -KeySpec Signature OR KeyExchange with the New-SelfSignedCertificate cmdlet, it will default to None and yada yada ==> CNG.  Figured that out here - https://docs.microsoft.com/en-us/powershell/module/pkiclient/new-selfsignedcertificate?view=win10-ps

 

So now I get your point.  Windows 10's New-SelfSignedCertificate by default will create a non-working cert for us if we don't know better to take charge with the -KeySpec parameter.