I am trying to create a remote connection to the Exchange Online Management PowerShell module using certificate-based OAuth. However, no matter how I create a self-signed certificate I am getting access denied errors. I will note that I can successfully exchange a username/password combo for an OAuth token and then use that token to authenticate against the PowerShell module.
I am creating my self-signed certificate like so in Windows PowerShell:
$cert=New-SelfSignedCertificate -Subject "CN=graph-api@veridinet.com,O=veridinet.onmicrosoft.com,OU=veridinet.onmicrosoft.com,UPN=graph-api@veridinet.com" -CertStoreLocation "Cert:\CurrentUser\My" -KeyExportPolicy Exportable -KeySpec Signature
I then export this certificate using the Windows certmgr tool. I then upload that certificate to my application using the Azure AD application portal. Once it's uploaded I receive a certificate thumbprint.
I am then attempting to use that thumbprint to receive an OAuth token using some C# code (which requires Microsoft.IdentityModel.Clients.ActiveDirectory.dll and Microsoft.Exchange.Management.AdminApiProvider.dll as dependencies):
var clientAppId = "<my_client_app_id_here>";
var clientAppRedirectUri = new Uri("https://login.microsoftonline.com/common/oauth2/nativeclient");
var defaultConnectionUri = "https://outlook.office365.com";
var defaultAzureAuthEndpointUri = "https://login.microsoftonline.com/<my_tenant_id_here>";
var certThumbprint = "<my_cert_thumbprint_here>";
TokenProviderContext context = new TokenProviderContext(AuthType.Default, clientAppId, defaultAzureAuthEndpointUri, defaultConnectionUri, null, null, null, null, certThumbprint, null, clientAppRedirectUri);
TokenInformation tokenInformation = TokenProviderFactory.Instance.CreateTokenProvider(context).GetAccessToken();
Console.WriteLine(tokenInformation.AuthorizationHeader);
Console.WriteLine(tokenInformation.UserPrincipalName);
This code will write out a token to the console. But the UserPrincipalName it outputs is not the UPN I provided in the subject line of the certificate which I suspect is a problem.
Anyways, I then try to connect to the Exchange Management module like so:
$password = ConvertTo-SecureString -AsPlainText <access_token_from_above_code_here> -Force
$username = "graph-api@veridinet.com"
$mycreds = New-Object -TypeName PSCredential -ArgumentList $username, $password
$pssession = New-PSSession -AllowRedirection -Authentication "Basic" -ConfigurationName "Microsoft.Exchange" -ConnectionUri "https://outlook.office365.com/PowerShell-LiveID?BasicAuthToOAuthConversion=true&HideBannerMessage=true" -Credential $mycreds -Name "ExchangeOnlineInternalSession_1"
The above command results in an access denied error and my guess is because the UPN isn't being encoded properly into the token, but I'm stumped as to how to get it encoded properly.
Exchange Online does not accept -Authentication "Basic" anymore... if possible, use Connect-ExchangeOnline instead:
Connect-ExchangeOnline -CertificateThumbPrint "xxxxx" -AppID "xxxx-xxxxxx" -Organization "YourTenantName.onmicrosoft.com"
For more info, visit Exchange Online PowerShell.
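The certificate flow the answer recommends, written out end to end as an added example (this is not code from the question, the answer, or the ExchangeOnlineManagement module itself). It assumes the ExchangeOnlineManagement module is installed and uses placeholder values for the app registration's client ID and the tenant name; the certificate subject is an arbitrary label, since app-only authentication identifies the application rather than a user, so no UPN needs to be encoded anywhere. The app registration must also hold the admin-consented Office 365 Exchange Online application permission Exchange.ManageAsApp and be assigned an Exchange role before the connection will be authorized.

```powershell
# Added example: app-only (certificate) connection to Exchange Online PowerShell.
# Placeholders below are assumptions; replace them with your own values.
$AppId        = "<your-app-registration-client-id>"
$Organization = "<YourTenantName>.onmicrosoft.com"

# 1. Create a self-signed certificate for the app registration. The key is
#    generated in the current user's store and marked non-exportable, so the
#    private half never has to leave this machine.
$cert = New-SelfSignedCertificate `
    -Subject "CN=ExchangeOnline-AppOnly" `
    -CertStoreLocation "Cert:\CurrentUser\My" `
    -KeyAlgorithm RSA -KeyLength 2048 `
    -HashAlgorithm SHA256 `
    -KeyExportPolicy NonExportable `
    -KeySpec Signature `
    -NotAfter (Get-Date).AddYears(1)

# 2. Export only the public certificate (.cer). This is the file uploaded under
#    App registrations > Certificates & secrets; the portal then shows the
#    thumbprint, which must match $cert.Thumbprint.
Export-Certificate -Cert $cert -FilePath ".\ExchangeOnline-AppOnly.cer" -Type CERT | Out-Null
"Upload ExchangeOnline-AppOnly.cer to the app registration; thumbprint is:"
$cert.Thumbprint

# 3. Connect with the thumbprint. Requires the app to have the admin-consented
#    Exchange.ManageAsApp application permission and an Exchange role assigned
#    (prefer the narrowest role that covers the task, e.g. Exchange Recipient
#    Administrator rather than Exchange Administrator).
Import-Module ExchangeOnlineManagement
Connect-ExchangeOnline -CertificateThumbprint $cert.Thumbprint `
                       -AppId $AppId `
                       -Organization $Organization `
                       -ShowBanner:$false

# 4. Confirm the session is the expected app-only connection before running
#    anything against the tenant.
Get-ConnectionInformation | Select-Object AppId, Organization, TokenStatus, ConnectionUri

# 5. Tear the session down when finished so no cached token outlives the script.
Disconnect-ExchangeOnline -Confirm:$false
```

Because the module obtains its own token from the certificate in the local store, there is no need for the Basic-to-OAuth conversion URI or for wrapping a bearer token in a PSCredential; those pieces of the original attempt go away entirely.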