
EntraID: Certificate authentication fails with "does not have a private key" error #5383

Open
shawn-ev opened this issue Nov 11, 2024 · 1 comment

Comments

@shawn-ev

Description of the issue

I am trying to deploy a DSC infra for my org. I've followed the pre-requisites and installed and updated DSC on a stand-alone Azure VM. I intend to use certificate authentication and created the EntraID application using the Update-M365DSCAzureAdApplication cmdlet.

Update-M365DSCAzureAdApplication `
    -ApplicationName 'Microsoft365DSC' `
    -AdminConsent `
    -Type Certificate `
    -CreateSelfSignedCertificate `
    -CertificatePath C:\temp\M365DSC.cer `
    -Permissions @(
        @{Api='Graph';PermissionName='User.Read.All'},
        @{Api='Graph';PermissionName='UserAuthenticationMethod.Read.All'},
        ......lots of permissions.....
    )

Certificate gets created and I install the cert to the User Personal store. (I know the instructions on the official documentation say to install the cert to the LocalMachine Personal store, but I was having connection problems and found that the Connect-MgGraph cmdlet only looks for certs in the User Personal store, so I installed the cert in both locations).

I connect using the following values:

$TenantId='mycompany.onmicrosoft.com'
$AppId='xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxx'
$CertThumbprint='xxx....'  # cert thumbprint copied from the certificate entry in the Entra ID application.

I am just trying to connect with Connect-MgGraph -ApplicationId $AppId -CertificateThumbprint $CertThumbprint -TenantId $TenantId

Each time I try to connect, I get the following error: Connect-MgGraph: ClientCertificateCredential authentication failed: The certificate certificate does not have a private key.

Microsoft 365 DSC Version

1.24.1016.1

Which workloads are affected

Azure Active Directory (Entra ID)

The DSC configuration

Verbose logs showing the problem

Environment Information + PowerShell Version

OsName               : Microsoft Windows Server 2022 Datacenter Azure Edition
OsOperatingSystemSKU : 407
OsArchitecture       : 64-bit
WindowsVersion       : 2009
WindowsBuildLabEx    : 20348.1.amd64fre.fe_release.210507-1500
OsLanguage           : en-US
OsMuiLanguages       : {en-US}


Name                           Value
----                           -----
PSVersion                      7.4.5
PSEdition                      Core
GitCommitId                    7.4.5
OS                             Microsoft Windows 10.0.20348
Platform                       Win32NT
PSCompatibleVersions           {1.0, 2.0, 3.0, 4.0…}
PSRemotingProtocolVersion      2.3
SerializationVersion           1.1.0.1
WSManStackVersion              3.0
@shawn-ev (Author)

I have an update to this issue. I was executing all commands using PowerShell 7.4 (because that's my preferred version). I took all the steps required to use PS7+, per https://microsoft365dsc.com/user-guide/get-started/powershell7-support/.

On the EntraID App, I deleted all permissions and the previous certificate. I executed the same Update-M365DSCAzureAdApplication command using PowerShell 5.1. The cert was created and the same permissions assigned. I installed the cert to the user store and executed the Export-M365DSCConfiguration command. It authenticated successfully and exported the requested items.

I then opened another PS7 session and executed the same Export command, and it successfully authenticated with the same cert thumbprint; no other changes were made!

It would seem that the self-signed cert created under the PS7 session somehow differs from the one created under the PS5 session.
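The error in the first post and the PS 5.1 versus PS 7 comparison in the follow-up both come down to one question: does the store entry the thumbprint resolves to actually carry a usable private key in the session that calls Connect-MgGraph? The following PowerShell function is an added diagnostic, not code from the issue author or from the Microsoft365DSC project. It assumes the thumbprint of the certificate registered on the Entra ID application and the two stores named in the post (CurrentUser\My and LocalMachine\My); the function name Test-AuthCertificate is made up for this example. Run it in each PowerShell edition you intend to use, since the key container a session can open may differ between them.

```powershell
# Added diagnostic (example code, not part of Microsoft365DSC).
# Assumption: $Thumbprint is the value shown on the Entra ID app registration.
function Test-AuthCertificate {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)]
        [string]$Thumbprint,
        [string[]]$StorePath = @('Cert:\CurrentUser\My', 'Cert:\LocalMachine\My')
    )

    # Copied thumbprints often carry whitespace or invisible characters; a
    # lookup with such a value silently finds nothing, so strip to hex first.
    $Thumbprint = ($Thumbprint -replace '[^0-9A-Fa-f]', '').ToUpperInvariant()

    foreach ($path in $StorePath) {
        $cert = Get-ChildItem -Path $path -ErrorAction SilentlyContinue |
            Where-Object { $_.Thumbprint -eq $Thumbprint }

        if (-not $cert) {
            [pscustomobject]@{
                Store         = $path
                Found         = $false
                HasPrivateKey = $null
                KeyUsable     = $null
                NotAfter      = $null
                Detail        = 'no certificate with this thumbprint in this store'
            }
            continue
        }

        # HasPrivateKey is true only when the store entry is linked to a key
        # container. Importing a .cer file yields the public half only, which
        # is exactly the "does not have a private key" failure mode.
        $usable = $false
        $detail = ''
        if ($cert.HasPrivateKey) {
            try {
                # Actually open a key handle: this fails when the key lives in
                # a container the current principal cannot read (for example a
                # LocalMachine key without an ACL entry for this user).
                $rsa = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPrivateKey($cert)
                if ($null -ne $rsa) {
                    $usable = $true
                    $detail = "provider: $($rsa.GetType().Name), key size: $($rsa.KeySize)"
                    $rsa.Dispose()
                } else {
                    $detail = 'private key is not RSA or could not be opened'
                }
            } catch {
                $detail = "private key present but not accessible: $($_.Exception.Message)"
            }
        } else {
            $detail = 'store entry holds the public key only (was a .cer imported instead of a .pfx?)'
        }

        [pscustomobject]@{
            Store         = $path
            Found         = $true
            HasPrivateKey = $cert.HasPrivateKey
            KeyUsable     = $usable
            NotAfter      = $cert.NotAfter
            Detail        = $detail
        }
    }
}

# Usage (thumbprint is a placeholder):
# Test-AuthCertificate -Thumbprint 'xxx....' | Format-Table -AutoSize
```

A row with Found = True and KeyUsable = True in the store you expect is the precondition for -CertificateThumbprint to work; Found = True with HasPrivateKey = False means the session only sees the exported .cer, and Found = True, HasPrivateKey = True, KeyUsable = False points at key-container permissions rather than the certificate itself. When the usable copy is in a specific store, passing that object directly with Connect-MgGraph -ClientId $AppId -TenantId $TenantId -Certificate $cert removes any ambiguity about which store the thumbprint lookup picks.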
