Forum Discussion

TerryED's avatar
TerryED
Copper Contributor
Feb 02, 2021
Solved

From Get-AzKeyVaultCertificate to Connect-ExchangeOnline -Certificate

I'm seeking examples/samples in PowerShell to utilize Certificate-Based Authentication with automated ExO Admin tasks.   Current solution relies on a local certificate (CurrentUser\My or LocalMach...
admin
exchange online
  • TerryED's avatar
    TerryED
    Copper Contributor
    Feb 08, 2021

    Thank you VasilMichev.  I was missing the Get-AzKeyVaultSecret ... -AsPlainText parameter.  This works for me now:

     

    $AzKeyVaultTenant = '<M365 Tenant ID GUID>'
    $AzKeyVaultApplicationId = '<Azure Key Vault Application ID GUID>'
    $AzKeyVaultCertificateThumbprint = '<LocalMachine Certificate Thumbprint>'
    $AzKeyVaultName = '<Azure Key Vault Name>'
    $ExoOrganization = '<M365 Tenant fully qualified domain name>'
    $ExoCertificateSecretName = '<Azure Key Vault Exchange Online Certificate Name>'
    $ExoAppId = '<Exchange Online App ID GUID>'

     

    Connect-AzAccount -Tenant $AzKeyVaultTenant -ApplicationId $AzKeyVaultApplicationId -CertificateThumbprint $AzKeyVaultCertificateThumbprint -ServicePrincipal | Out-Null
        $exoKeyVaultCertificateSecret = Get-AzKeyVaultSecret -VaultName $AzKeyVaultName -Name $ExoCertificateSecretName -AsPlainText
    Disconnect-AzAccount -Confirm:$FALSE | Out-Null

     

    $exoCertificate = New-Object -TypeName System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList ([Convert]::FromBase64String( $exoKeyVaultCertificateSecret )), '', 'Exportable,MachineKeySet,PersistKeySet'

     

    Connect-ExchangeOnline -Organization $ExoOrganization -AppID $ExoAppId -Certificate $exoCertificate -ShowBanner:$False
        (Get-AcceptedDomain | Where-Object { $PSItem.Default }).DomainName
    Disconnect-ExchangeOnline -Confirm:$FALSE

Resources