You can use any type of certificate, CA ones included. The steps are all the same.
App-only authentication for unattended scripts
Hi Team,
We are developing an integration that will use the authentication (App-only authentication for unattended scripts) mechanism to integrate with Security & Compliance PowerShell.
The article (https://learn.microsoft.com/en-us/powershell/exchange/app-only-auth-powershell-v2?view=exchange-ps) only provides steps for self-signed certificate.
Is CA-Signed certificate supported?
What is the SSL-Workflow from the initial communication to (https://outlook.office365.com) until the authentication part occurs using the generated certificate.
Thanks,
2 answers
Sort by: Most helpful
-
-
Jake Zhang-MSFT 7,770 Reputation points Microsoft Vendor
2024-12-24T01:54:13.3733333+00:00 Hi @Abd El-aziem, Ahmed Saeed,
Welcome to the Microsoft Q&A platform!
Yes, CA-signed certificates are supported for app-only authentication in Security & Compliance PowerShell. While the article you referenced primarily discusses self-signed certificates, it is possible to use a certificate issued by a Certificate Authority (CA) for production scenarios.
SSL Workflow for Authentication with CA-Signed Certificate
- The client (your script or application) initiates a connection to the server (https://outlook.office365.com) using HTTPS.
- The server responds by presenting its SSL certificate, which includes its public key. This certificate is issued by a trusted CA.
- The client verifies the server's certificate against the CA's public key to ensure it is valid and trusted. This step ensures that the client is communicating with the legitimate server.
- For mutual authentication, the server requests a client certificate. The client then sends its CA-signed certificate to the server.
- The server verifies the client's certificate against the CA's public key. This step ensures that the client is authenticated and trusted.
- Once both certificates are verified, the SSL handshake is completed, establishing a secure, encrypted connection.
- The client uses the certificate to authenticate with the server. This involves sending the certificate thumbprint or name along with the application ID and tenant ID to the server.
- The server validates the certificate and issues an access token, which the client uses for subsequent API calls.
This workflow ensures secure communication and authentication between your application and the server using CA-signed certificates.
Please feel free to contact me for any updates. And if this helps, don't forget to mark it as an answer.
Best,
Jake Zhang