Forum Discussion
Connect to SPO from Azure automation runbook using a certificate
I'm having the same issue. I can actually connect using a thumbprint when running from my laptop, but when running the same command and same app reg and thumbprint in an Azure runbook, the connect fails and says it can't find a cert. Where did you end up storing the .pfx file so that you could reference it in your runbook? Azure Storage? Do you have an example of your powershell commands for the connection?
Thanks,
Dave
- Gurdev Singh, Dec 14, 2022, Iron Contributor
I gave up on using a certificate for authentication when running a script from an Azure Runbook. One thing that I found a bit promising was to store the exported certificate file (including the private key) in the runbook account, have the runbook script save the certificate to the runbook's temporary storage, and then invoke Connect-PnPOnline (code below).
What I ultimately ended up using was the legacy SharePoint App-Only principals.
```powershell
# Save authentication certificate to temp location
$certificate = Get-AutomationCertificate -Name "<certificate name>";
$credentials = Get-AutomationPSCredential -Name "<credentials i.e. the password for certificate file>";
$secureCertificatePassword = $credentials.Password;
$certificatePassword = $credentials.GetNetworkCredential().Password;
$certificatePath = "$env:TEMP\temp.pfx";
$pfxCertificate = $certificate.Export(3, $certificatePassword);   # 3 = X509ContentType.Pfx (includes the private key)
if(Test-Path $certificatePath){
    Remove-Item -Path $certificatePath;
}
Set-Content -Value $pfxCertificate -Path $certificatePath -Encoding Byte;   # Windows PowerShell 5.1 syntax

# Verify certificate
if(Test-Path $certificatePath){
    $pnpCert = Get-PnPAzureCertificate -CertificatePassword $secureCertificatePassword -CertificatePath $certificatePath;
    Write-Output "Saved certificate to $certificatePath, Thumbprint=$($pnpCert.Thumbprint)";
}

# Connect using the certificate
$url = "<site url>";
$tenantAdminUrl = "<SPO admin url>";
$clientId = "<app client ID>";
$tenantId = "<tenant ID>";
Write-Output "Connecting to $url with $clientId";
$connection = Connect-PnPOnline -ReturnConnection -Url $url -ClientId $clientId -Tenant $tenantId -CertificatePath $certificatePath -CertificatePassword $secureCertificatePassword -ValidateConnection;
```
- Hecklejk, Oct 24, 2024, Copper Contributor
Had to make a small change to the code to get this to work.
Line 11 - The term "-Encoding Byte" no longer works; replacing it with -AsByteStream resolved the issues I was having with getting the certificate out into the $env:TEMP location.
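The `-Encoding Byte` / `-AsByteStream` difference is a Windows PowerShell 5.1 versus PowerShell 7 incompatibility of `Set-Content`. A way to sidestep it in a runbook that may run on either runtime, as an added example (not code from the thread), is to write the exported bytes with the .NET `File.WriteAllBytes` method, which behaves the same on both. The function name and the length check are assumptions.

```powershell
# Added example: version-independent replacement for the Set-Content line.
# Set-Content -Encoding Byte works only on Windows PowerShell 5.1; -AsByteStream only on
# PowerShell 6+. [System.IO.File]::WriteAllBytes works on both runtimes.
function Save-PfxBytes {
    param(
        [Parameter(Mandatory)] [byte[]] $Bytes,   # output of $certificate.Export(3, $password)
        [Parameter(Mandatory)] [string] $Path     # e.g. "$env:TEMP\temp.pfx"
    )

    # Overwrite any stale copy from a previous run of the runbook.
    if (Test-Path $Path) {
        Remove-Item -Path $Path -Force
    }

    [System.IO.File]::WriteAllBytes($Path, $Bytes)

    # Confirm the whole PFX reached disk before handing the path to Connect-PnPOnline.
    $written = (Get-Item $Path).Length
    if ($written -ne $Bytes.Length) {
        throw "PFX write incomplete: expected $($Bytes.Length) bytes, got $written"
    }
    return $Path
}

# Usage inside the runbook (assumed variable names match the thread's script):
# $certificatePath = Save-PfxBytes -Bytes $pfxCertificate -Path "$env:TEMP\temp.pfx"
```

Because the file holds the private key, it is worth deleting it at the end of the runbook (`Remove-Item $certificatePath -Force`) rather than leaving it in the sandbox's temp folder.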
- Soumyadeep2201, May 30, 2023, Copper Contributor
Thanks for sharing the code.
```powershell
$certificate = Get-AutomationCertificate -Name "<certificate name>";
$credentials = Get-AutomationPSCredential -Name "<credentials i.e. the password for certificate file>";
$secureCertificatePassword = $credentials.Password;
```
The credential is the password for the pfx file, and you must have stored it in the runbook credential store like below.
Also, where are you storing the pfx file in the runbook store? Can you please shed some light? Looking forward to your reply.
```powershell
$certificatePath = "$env:TEMP\temp.pfx";
```
- Gurdev Singh, Jun 02, 2023, Iron Contributor
Yep...I can confirm this is all working for me now. So, essentially, the process I use is
1. Create a self-signed certificate, you can also get a proper one if requirements justify that
2. Export the certificate private key pfx and the public key cer separately
3. Add the public key cer to Azure AD application
4. In automation account, upload the pfx certificate, you would need to provide the pfx password and make sure you select the export switch
5. Create a credential variable in automation account. Username is the appID of Azure AD application and password is the pfx password
6. Use the code in my post above to export the certificate and add it to the automation account temp location. You should then be able to use it with Connect-PnPOnline
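Steps 1 and 2 of the process above, as an added example that is not code from this thread: generating a self-signed certificate with an exportable private key and exporting the private-key .pfx and the public-key .cer as separate files. The subject name, output folder, validity period and the interactive password prompt are assumptions; the cmdlets (`New-SelfSignedCertificate`, `Export-PfxCertificate`, `Export-Certificate`) are the standard Windows PKI module ones.

```powershell
# Added example: create a self-signed certificate for an Azure AD app registration
# and export the private key (.pfx) and the public key (.cer) separately.
# Subject name, output folder and validity period are assumptions, not values from the thread.
$subject = "CN=pnp-runbook-auth"          # assumed subject; use your own naming convention
$outDir  = Join-Path $env:USERPROFILE "certs"
$pfxPath = Join-Path $outDir "pnp-runbook-auth.pfx"
$cerPath = Join-Path $outDir "pnp-runbook-auth.cer"

if (-not (Test-Path $outDir)) {
    New-Item -ItemType Directory -Path $outDir | Out-Null
}

# Prompt for the PFX password so it never sits in the script as plain text.
# The same password becomes the password of the Automation credential in step 5.
$pfxPassword = Read-Host -Prompt "PFX password" -AsSecureString

# Step 1: self-signed certificate with an exportable private key (RSA 2048, SHA-256, signature use).
$cert = New-SelfSignedCertificate `
    -Subject $subject `
    -CertStoreLocation "Cert:\CurrentUser\My" `
    -KeyExportPolicy Exportable `
    -KeySpec Signature `
    -KeyAlgorithm RSA `
    -KeyLength 2048 `
    -HashAlgorithm SHA256 `
    -NotAfter (Get-Date).AddYears(1)

# Step 2a: certificate plus private key, password protected. This is the file uploaded to the
# Automation account in step 4 (with the exportable option); handle it like a password.
Export-PfxCertificate -Cert $cert -FilePath $pfxPath -Password $pfxPassword | Out-Null

# Step 2b: public certificate only. This is the file uploaded to the app registration in step 3.
Export-Certificate -Cert $cert -FilePath $cerPath -Type CERT | Out-Null

# The thumbprint is what the runbook's "Saved certificate ... Thumbprint=" line should match.
Write-Output "Thumbprint  : $($cert.Thumbprint)"
Write-Output "Expires     : $($cert.NotAfter)"
Write-Output "PFX (secret): $pfxPath"
Write-Output "CER (public): $cerPath"
```

Keeping the two exports separate is the point of step 2: only the .cer is needed on the app registration, so the private key never leaves the workstation except as the password-protected .pfx uploaded to the Automation account. Note the expiry date from the output, since the runbook will start failing when the certificate lapses.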
- HerschelJ, Jan 19, 2023, Brass Contributor
I was having difficulties as well, will try the above, thanks for sharing!