App-only authentication for unattended scripts

Abd El-aziem, Ahmed Saeed 0 Reputation points
2024-12-23T07:49:50.55+00:00

Hi Team,

We are developing an integration that will use the authentication (App-only authentication for unattended scripts) mechanism to integrate with Security & Compliance PowerShell.

The article (https://learn.microsoft.com/en-us/powershell/exchange/app-only-auth-powershell-v2?view=exchange-ps) only provides steps for self-signed certificate.

Is CA-Signed certificate supported?

What is the SSL-Workflow from the initial communication to (https://outlook.office365.com) until the authentication part occurs using the generated certificate.

Thanks,

Microsoft Exchange Online
PowerShell
PowerShell
A family of Microsoft task automation and configuration management frameworks consisting of a command-line shell and associated scripting language.
2,707 questions
0 comments No comments
{count} votes

2 answers

Sort by: Most helpful
  1. Vasil Michev 111.1K Reputation points MVP
    2024-12-23T16:08:38.0866667+00:00

    You can use any type of certificate, CA ones included. The steps are all the same.

    0 comments No comments

  2. Jake Zhang-MSFT 7,770 Reputation points Microsoft Vendor
    2024-12-24T01:54:13.3733333+00:00

    Hi @Abd El-aziem, Ahmed Saeed,

    Welcome to the Microsoft Q&A platform!

    Yes, CA-signed certificates are supported for app-only authentication in Security & Compliance PowerShell. While the article you referenced primarily discusses self-signed certificates, it is possible to use a certificate issued by a Certificate Authority (CA) for production scenarios.

    SSL Workflow for Authentication with CA-Signed Certificate

    1. The client (your script or application) initiates a connection to the server (https://outlook.office365.com) using HTTPS.
    2. The server responds by presenting its SSL certificate, which includes its public key. This certificate is issued by a trusted CA.
    3. The client verifies the server's certificate against the CA's public key to ensure it is valid and trusted. This step ensures that the client is communicating with the legitimate server.
    4. For mutual authentication, the server requests a client certificate. The client then sends its CA-signed certificate to the server.
    5. The server verifies the client's certificate against the CA's public key. This step ensures that the client is authenticated and trusted.
    6. Once both certificates are verified, the SSL handshake is completed, establishing a secure, encrypted connection.
    7. The client uses the certificate to authenticate with the server. This involves sending the certificate thumbprint or name along with the application ID and tenant ID to the server.
    8. The server validates the certificate and issues an access token, which the client uses for subsequent API calls.

    This workflow ensures secure communication and authentication between your application and the server using CA-signed certificates.


    Please feel free to contact me for any updates. And if this helps, don't forget to mark it as an answer.

    Best,

    Jake Zhang


Your answer

Answers can be marked as Accepted Answers by the question author, which helps users to know the answer solved the author's problem.