SOLVED

From Get-AzKeyVaultCertificate to Connect-ExchangeOnline -Certificate

Copper Contributor

I'm seeking examples/samples in PowerShell to utilize Certificate-Based Authentication with automated ExO Admin tasks.  

Current solution relies on a local certificate (CurrentUser\My or LocalMachine\My) and Connect-ExchangeOnline -CertificateThumbprint.  Or from a local PFX file with -CertificateFilePath.  

  I'm thinking that Azure Key Vault would be better container since the tenant has control over all credentials.  

 

  I have not seen sample code to go from a AzKeyVaultCertificate object to Connect-ExchangeOnline -Certificate.  Perhaps because it is so new.  Perhaps because there is a better alternative.  

 

  Any advice or suggestions greatly appreciated.  Thank you.  

 

  

2 Replies
best response confirmed by TerryED (Copper Contributor)

Thank you @Vasil Michev.  I was missing the Get-AzKeyVaultSecret ... -AsPlainText parameter.  This works for me now:

 

$AzKeyVaultTenant = '<M365 Tenant ID GUID>'
$AzKeyVaultApplicationId = '<Azure Key Vault Application ID GUID>'
$AzKeyVaultCertificateThumbprint = '<LocalMachine Certificate Thumbprint>'
$AzKeyVaultName = '<Azure Key Vault Name>'
$ExoOrganization = '<M365 Tenant fully qualified domain name>'
$ExoCertificateSecretName = '<Azure Key Vault Exchange Online Certificate Name>'
$ExoAppId = '<Exchange Online App ID GUID>'

 

Connect-AzAccount -Tenant $AzKeyVaultTenant -ApplicationId $AzKeyVaultApplicationId -CertificateThumbprint $AzKeyVaultCertificateThumbprint -ServicePrincipal | Out-Null
    $exoKeyVaultCertificateSecret = Get-AzKeyVaultSecret -VaultName $AzKeyVaultName -Name $ExoCertificateSecretName -AsPlainText
Disconnect-AzAccount -Confirm:$FALSE | Out-Null

 

$exoCertificate = New-Object -TypeName System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList ([Convert]::FromBase64String( $exoKeyVaultCertificateSecret )), '', 'Exportable,MachineKeySet,PersistKeySet'

 

Connect-ExchangeOnline -Organization $ExoOrganization -AppID $ExoAppId -Certificate $exoCertificate -ShowBanner:$False
    (Get-AcceptedDomain | Where-Object { $PSItem.Default }).DomainName
Disconnect-ExchangeOnline -Confirm:$FALSE

1 best response

Accepted Solutions
best response confirmed by TerryED (Copper Contributor)