Mar 17 2023 04:56 AM
I use certificate to connect to Microsoft Graph and it works fine in runbooks azure instance. However, when I perform
Connect-MgGraph -CertificateThumbprint <certThumbprint>-ClientID "<clientID>" -TenantID "<tenantID>"
in runbook for Hybrid Worker machine I'm getting the following error:
Connect-MgGraph : Certificate with subject name '[Subject] CN=CertName [Issuer] CN=CertName [Serial Number] CertSN [Not Before] 1/21/2023 1:33:10 PM [Not After] 1/21/2024 1:53:13 PM [Thumbprint] CertificateThumbPrint ' was not found in certificate store or has expired. At line:14 char:1 + Connect-MgGraph -CertificateName $cert -ClientID "<ClientID>- ... + ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + CategoryInfo : NotSpecified: (:) [Connect-MgGraph], ArgumentException + FullyQualifiedErrorId : Microsoft.Graph.PowerShell.Authentication.Cmdlets.ConnectMgGraph
The certificate is found and data is valid, but error says "not found" anyway. I tried to specify the exact path to the certificate and use store, also I switched different graph module version, none of that helped.
Mar 17 2023 07:23 AM - edited Mar 17 2023 04:57 PM
Hi, Alex.
Have a read of the following and note the difference in accessing the certificate between the current user store versus the machine store:
As the article notes, you can't use a file location for the -CertificateName or -CertificateThumbprint options, only the crypto stores.
Additionally, if the running process is actually a service, make sure you:
That will allow the service to locate the certificate within its "currentuser" store. (Note: PowerShell can't access service crypto stores via the Cert:\ drive making the MMC your only option.)
It's actually less fiddley just to use the machine store and add the separate command for fetching the certificate first (in my opinion) for this service example, but this at least covers your options.
I suppose the other obvious point is to ensure that it is indeed the same certificate (i.e. the correct thumbprint), but I'm sure you've tripled-checked that already.
Cheers,
Lain
Mar 17 2023 08:34 AM
Mar 17 2023 05:48 PM
Solution
I know nothing about the Azure Hybrid Runbook Worker.
I've just had a quick read of the following article just to get an overview of it - which hardly makes me knowledgeable on the topic, but it does provide some useful information to even someone in my position. Notably that:
Reference article:
This topic isn't really about PowerShell but rather the hybrid runbook worker's configuration. You might want to ask about it in one of the Azure-centric forums as well.
Once the correct certificate is positioned in the correct store or you switch to using the third example from the earlier example where you load the certificate separately before using it in the Connect-MgGraph call (using the -Certificate parameter, not -CertificateThumbprint or Name), the error should be resolved.
Cheers,
Lain
Mar 21 2023 09:44 AM - edited Mar 21 2023 09:47 AM
It is worked, when I installed a certificate over "Azure Hybrid Instance Metadata Service" (Personal store). Now I'm getting another error, which I'm going to open another topic about.
Mar 17 2023 05:48 PM
Solution
I know nothing about the Azure Hybrid Runbook Worker.
I've just had a quick read of the following article just to get an overview of it - which hardly makes me knowledgeable on the topic, but it does provide some useful information to even someone in my position. Notably that:
Reference article:
This topic isn't really about PowerShell but rather the hybrid runbook worker's configuration. You might want to ask about it in one of the Azure-centric forums as well.
Once the correct certificate is positioned in the correct store or you switch to using the third example from the earlier example where you load the certificate separately before using it in the Connect-MgGraph call (using the -Certificate parameter, not -CertificateThumbprint or Name), the error should be resolved.
Cheers,
Lain