SOLVED

From Get-AzKeyVaultCertificate to Connect-ExchangeOnline -Certificate

New Contributor

I'm seeking examples/samples in PowerShell to utilize Certificate-Based Authentication with automated ExO Admin tasks.

Current solution relies on a local certificate (CurrentUser\My or LocalMachine\My) and Connect-ExchangeOnline -CertificateThumbprint. Or from a local PFX file with -CertificateFilePath.

I'm thinking that Azure Key Vault would be a better container since the tenant has control over all credentials.

I have not seen sample code to go from an AzKeyVaultCertificate object to Connect-ExchangeOnline -Certificate. Perhaps because it is so new. Perhaps because there is a better alternative.

Any advice or suggestions greatly appreciated. Thank you.

2 Replies
best response confirmed by TerryED (New Contributor)

Thank you @Vasil Michev. I was missing the Get-AzKeyVaultSecret ... -AsPlainText parameter. This works for me now:

$AzKeyVaultTenant = '<M365 Tenant ID GUID>'
$AzKeyVaultApplicationId = '<Azure Key Vault Application ID GUID>'
$AzKeyVaultCertificateThumbprint = '<LocalMachine Certificate Thumbprint>'
$AzKeyVaultName = '<Azure Key Vault Name>'
$ExoOrganization = '<M365 Tenant fully qualified domain name>'
$ExoCertificateSecretName = '<Azure Key Vault Exchange Online Certificate Name>'
$ExoAppId = '<Exchange Online App ID GUID>'

# Sign in to Azure as the service principal that is allowed to read the vault. This one
# certificate still has to live in a local store: it is the bootstrap credential.
Connect-AzAccount -Tenant $AzKeyVaultTenant -ApplicationId $AzKeyVaultApplicationId -CertificateThumbprint $AzKeyVaultCertificateThumbprint -ServicePrincipal | Out-Null
# A Key Vault certificate's private key is exposed through a secret of the same name.
# -AsPlainText (Az.KeyVault 3.x and later) returns that secret, the base64-encoded PFX, as a string.
# This assumes the certificate was created with content type application/x-pkcs12;
# a PEM secret would not base64-decode into a PFX.
$exoKeyVaultCertificateSecret = Get-AzKeyVaultSecret -VaultName $AzKeyVaultName -Name $ExoCertificateSecretName -AsPlainText
Disconnect-AzAccount -Confirm:$FALSE | Out-Null

# The Key Vault PFX has no password, hence ''. Note that MachineKeySet,PersistKeySet writes
# the private key into the LocalMachine key store of this host; drop PersistKeySet if the
# key should not outlive the session.
$exoCertificate = New-Object -TypeName System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList ([Convert]::FromBase64String( $exoKeyVaultCertificateSecret )), '', 'Exportable,MachineKeySet,PersistKeySet'

Connect-ExchangeOnline -Organization $ExoOrganization -AppID $ExoAppId -Certificate $exoCertificate -ShowBanner:$False
(Get-AcceptedDomain | Where-Object { $PSItem.Default }).DomainName
Disconnect-ExchangeOnline -Confirm:$FALSE

Vasil Michev

You should be able to make it work by leveraging the example here: https://docs.microsoft.com/en-us/powershell/module/az.keyvault/get-azkeyvaultcertificate?view=azps-5.4.0#example-2--get-cert-and-save-it-as-pfx
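The following is an added example, not code from either reply in this thread, that wraps the same Key Vault to Connect-ExchangeOnline flow in a function with the checks a practitioner would want before trusting the certificate: it refuses a disabled certificate, refuses a secret whose ContentType is not application/x-pkcs12 (a PEM secret would not decode into a PFX), verifies that the thumbprint of the decoded PFX matches what Get-AzKeyVaultCertificate reports, confirms a private key and an unexpired validity period, and loads the key as EphemeralKeySet so it is not written into the machine key store. All GUIDs, vault and certificate names are placeholders; the use of EphemeralKeySet with Connect-ExchangeOnline and the SecureString conversion via System.Net.NetworkCredential are this example's choices, not something the thread states.

```powershell
#Requires -Modules Az.Accounts, Az.KeyVault, ExchangeOnlineManagement
# Added example (not from the original post): load an Exchange Online app certificate
# from Azure Key Vault and hand it to Connect-ExchangeOnline without persisting the
# private key on the host. All values below are placeholders for this example.
using namespace System.Security.Cryptography.X509Certificates

$AzTenantId          = '<M365 tenant ID GUID>'
$AzKeyVaultAppId     = '<app ID of the identity allowed to read the vault>'
$AzKeyVaultCertThumb = '<thumbprint of that identity''s local bootstrap certificate>'
$AzKeyVaultName      = '<Key Vault name>'
$ExoCertificateName  = '<Key Vault certificate name; its secret has the same name>'
$ExoAppId            = '<Exchange Online app ID GUID>'
$ExoOrganization     = '<tenant>.onmicrosoft.com'

function Get-KeyVaultPfxCertificate {
    param(
        [Parameter(Mandatory)][string]$VaultName,
        [Parameter(Mandatory)][string]$Name,
        # EphemeralKeySet keeps the private key in memory only (assumption: the
        # module's token signing works with it on your platform). Fall back to
        # 'Exportable,MachineKeySet' if it does not; that does write to the key store.
        [X509KeyStorageFlags]$KeyStorageFlags = 'EphemeralKeySet'
    )
    # Public half plus metadata: thumbprint, enabled flag, expiry.
    $kvCert = Get-AzKeyVaultCertificate -VaultName $VaultName -Name $Name
    if (-not $kvCert) { throw "Certificate '$Name' not found in vault $VaultName" }
    if ($kvCert.Enabled -eq $false) { throw "Certificate '$Name' is disabled in $VaultName" }

    # The private key is delivered through the secret Key Vault creates next to the
    # certificate; ContentType says how that blob is encoded.
    $secret = Get-AzKeyVaultSecret -VaultName $VaultName -Name $Name
    if ($secret.ContentType -ne 'application/x-pkcs12') {
        throw "Secret '$Name' has ContentType '$($secret.ContentType)'; expected application/x-pkcs12"
    }
    # SecureString to string without -AsPlainText; works on Windows PowerShell 5.1 and 7.
    $b64 = [System.Net.NetworkCredential]::new('', $secret.SecretValue).Password
    $pfx = [Convert]::FromBase64String($b64)
    try {
        # Key Vault PFX blobs are not password-protected, hence the empty password.
        $cert = [X509Certificate2]::new($pfx, '', $KeyStorageFlags)
    } finally {
        [Array]::Clear($pfx, 0, $pfx.Length)   # do not leave the raw key bytes around
    }

    # Sanity checks before the certificate is used to authenticate anywhere.
    if ($cert.Thumbprint -ne $kvCert.Thumbprint) {
        throw "Thumbprint mismatch: vault reports $($kvCert.Thumbprint), PFX has $($cert.Thumbprint)"
    }
    if (-not $cert.HasPrivateKey) { throw "PFX for '$Name' carries no private key" }
    if ($cert.NotAfter -le (Get-Date)) { throw "Certificate '$Name' expired on $($cert.NotAfter)" }
    return $cert
}

# Bootstrap identity: the one certificate that must still live in a local store.
Connect-AzAccount -ServicePrincipal -Tenant $AzTenantId -ApplicationId $AzKeyVaultAppId `
    -CertificateThumbprint $AzKeyVaultCertThumb | Out-Null
try {
    $exoCert = Get-KeyVaultPfxCertificate -VaultName $AzKeyVaultName -Name $ExoCertificateName
} finally {
    Disconnect-AzAccount -Confirm:$false | Out-Null
}

Connect-ExchangeOnline -Organization $ExoOrganization -AppId $ExoAppId `
    -Certificate $exoCert -ShowBanner:$false
try {
    (Get-AcceptedDomain | Where-Object { $_.Default }).DomainName
} finally {
    Disconnect-ExchangeOnline -Confirm:$false
    $exoCert.Dispose()   # releases the ephemeral key handle
}
```

The bootstrap problem remains: some credential has to authenticate to Key Vault before the Exchange certificate can be fetched. When the script runs on an Azure VM, Automation account or Function, replacing the first Connect-AzAccount with Connect-AzAccount -Identity (a managed identity) removes the last locally stored certificate entirely, which is the property the question is after.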