Today, we are happy to announce the Public Preview of a Modern Auth unattended scripting option for use with Exchange Online PowerShell V2. This feature provides customers the ability to run non-inte...
Updated Jul 30, 2020
Version 6.0
Blog Post
JrouziesM I guess I should have clarified that I was comparing the option of -CertificateFilePath against either of the other options -Certificate or -CertificateThumbprint. The latter options generally line up with the certificate being in the certificate stores (Cert:\CurrentUser\My for -CertificateThumbprint, more options available like Cert:\LocalMachine\My for -Certificate), taking away the need to use or store a password, encrypted or not.
I guess I'm not sure anyways about whether it's any more difficult for an intruder to gain access to the certificate in the local stores, if they already have enough access to the disk to capture the stored password for the PFX file. If the stored password for the PFX file is encrypted, let's say via Export-Clixml, then they intruder would need to be logged in as the account that performed the Export-Clixml, and in this case, I 100% agree there's no added security by having the certificate stored in the local store vs having the PFX and encrypted password. I'm not sure what happens if somebody got their hands on the disk (physical / virtual) itself - would they have easy access to the certificate in the local stores (I don't know)?
If all these points of comparison are equal in strength/weakness, then I guess I'm harping about nothing here.