Microsoft Exchange Online
A Microsoft email and calendaring hosted service.
1,990 questions
You can use any type of certificate, CA ones included. The steps are all the same.
App-only authentication for unattended scripts
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(19.2, 9%, 11%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EAE%3C/text%3E%3C/svg%3E)
Abd El-aziem, Ahmed Saeed
0
Reputation points
Hi Team,
We are developing an integration that will use the authentication (App-only authentication for unattended scripts) mechanism to integrate with Security & Compliance PowerShell.
The article (https://learn.microsoft.com/en-us/powershell/exchange/app-only-auth-powershell-v2?view=exchange-ps) only provides steps for self-signed certificate.
Is CA-Signed certificate supported?
What is the SSL-Workflow from the initial communication to (https://outlook.office365.com) until the authentication part occurs using the generated certificate.
Thanks,
2 answers
Sort by: Most helpful
-
-
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(99.2, 91%, 19%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EJZ%3C/text%3E%3C/svg%3E)
Jake Zhang-MSFT 7,850 Reputation points Microsoft Vendor2024-12-24T01:54:13.3733333+00:00 Hi @Abd El-aziem, Ahmed Saeed,
Welcome to the Microsoft Q&A platform!
Yes, CA-signed certificates are supported for app-only authentication in Security & Compliance PowerShell. While the article you referenced primarily discusses self-signed certificates, it is possible to use a certificate issued by a Certificate Authority (CA) for production scenarios.
SSL Workflow for Authentication with CA-Signed Certificate
- The client (your script or application) initiates a connection to the server (https://outlook.office365.com) using HTTPS.
- The server responds by presenting its SSL certificate, which includes its public key. This certificate is issued by a trusted CA.
- The client verifies the server's certificate against the CA's public key to ensure it is valid and trusted. This step ensures that the client is communicating with the legitimate server.
- For mutual authentication, the server requests a client certificate. The client then sends its CA-signed certificate to the server.
- The server verifies the client's certificate against the CA's public key. This step ensures that the client is authenticated and trusted.
- Once both certificates are verified, the SSL handshake is completed, establishing a secure, encrypted connection.
- The client uses the certificate to authenticate with the server. This involves sending the certificate thumbprint or name along with the application ID and tenant ID to the server.
- The server validates the certificate and issues an access token, which the client uses for subsequent API calls.
This workflow ensures secure communication and authentication between your application and the server using CA-signed certificates.
Please feel free to contact me for any updates. And if this helps, don't forget to mark it as an answer.
Best,
Jake Zhang
-
Abd El-aziem, Ahmed Saeed 0 Reputation points
2024-12-24T07:09:10.7833333+00:00 Thanks Jake for the detailed reply,
For the mutual authentication, is the client certificate the same certificate that will be used in in following stage to generate the token for following APIs?
Also in this case, i will need to import customer's Chain of trust (subordinate, and root CAs) to Azure CA trust store or to app machine trust store or both? and if yes, can you please provide the steps for this case?
One Last Comment, why in the documentation it's exclusively mentions Self Signed Certificates as below?
Certificate based authentication (CBA) or app-only authentication as described in this article supports unattended script and automation scenarios by using Microsoft Entra apps and self-signed certificates.Thanks,
-
Abd El-aziem, Ahmed Saeed 0 Reputation points
2024-12-24T07:40:39.48+00:00 For further clarification,
Below is an example powershell command to connect to Exchange online:
Connect-ExchangeOnline -AppId <%App_id%> -Certificate <%X509Certificate2 object%> -Organization "contoso.onmicrosoft.com"
-
Jake Zhang-MSFT 7,850 Reputation points Microsoft Vendor
2024-12-24T08:19:58.5333333+00:00 Hi @Abd El-aziem, Ahmed Saeed,
Yes, the client certificate used for mutual authentication is the same certificate used to generate tokens for subsequent API calls. This certificate is used to authenticate the client and establish a secure connection, which is then used to request an access token from the server.
To ensure that the client certificate is trusted, you need to import the client's trust chain (subordinate CA and root CA) into the appropriate trust store. Here are the steps:
Azure CA Trust Store:
- Unfortunately, you cannot add root certificates directly to the Azure App Service's root certificate store unless you are using App Service Environment (ASE). For ASE, you can add root certificates by setting the WEBSITE_LOAD_ROOT_CERTIFICATES application setting.
- You can store and manage certificates in Azure Key Vault and configure applications to use these certificates.
App Machine Trust Store:
- Windows:
- Open Microsoft Management Console (MMC).
- Add the Certificates snap-in for Local Computer.
- Import the root and intermediate certificates into the Trusted Root Certification Authorities and Intermediate Certification Authorities stores, respectively.
- Linux:
- Copy the root and intermediate certificates to the /usr/local/share/ca-certificates/ directory.
- Run sudo update-ca-certificates to update the CA store.
Here is how to work with certificates using the Connect-ExchangeOnline command:
$cert = Get-Item -Path "Cert:\CurrentUser\My\<Thumbprint>" Connect-ExchangeOnline -AppId "<App_id>" -Certificate $cert -Organization "contoso.onmicrosoft.com"This command retrieves the certificate from the current user's certificate store and uses it to authenticate and connect to Exchange Online.
Please feel free to contact me for any updates. And if this helps, don't forget to mark it as an answer.
Best,
Jake Zhang
-
Abd El-aziem, Ahmed Saeed 0 Reputation points
2024-12-24T10:31:57.95+00:00 Hi Jake, Thanks a ton for the detailed reply, really appreciated!
Appologize, but couple more questions if you allow me:
As i'm not that expert with Microsoft Azure, as am developing the automation on a SOAR solution.
If i will generated the CA signed certificate what options do i have to generate such client certificate, as my expectation goes with a CSR, but in this case what certificate template should be used to sign and generate that client certificate?
Second:
With the scenario described, i'm using App-only authentication for unattended scripts in Exchange Online PowerShell and Security & Compliance PowerShell (https://learn.microsoft.com/en-us/powershell/exchange/app-only-auth-powershell-v2?view=exchange-ps), what is the appropriate option of the options shared in your last reply to make azure trust my Issuers CA cert chain, or in other meaning what i should check with IAM team to confirm that this is doable or i have to go with Self-signed certificate!
One last thing:
Is CA signed cert in this case adding any security/benefit over self signed!
Thanks again in advance!
-
Jake Zhang-MSFT 7,850 Reputation points Microsoft Vendor
2024-12-25T02:59:42.7566667+00:00 Hi @Abd El-aziem, Ahmed Saeed,
You're welcome!
To generate a CA-signed client certificate, you typically follow these steps:
- Generate a CSR using a tool such as OpenSSL. This involves creating a private key and then using that key to generate a CSR.
Example command to generate a CSR:
openssl req -new -newkey rsa:2048 -nodes -keyout client.key -out client.csr
- Submit the CSR to a trusted CA. The CA will use a certificate template to sign and generate the client certificate.
For the certificate template, you should use a template that supports client authentication. This is usually labeled "Client Authentication" or "User Certificates" in the CA's template options.
- Once the CA processes the CSR, you will receive a signed client certificate. You can then install this certificate on your application or server.
To ensure that Azure trusts your issuer's CA certificate chain, you need to import the root and intermediate certificates into the appropriate trust stores. Here are the steps:
- If you are using App Service Environment (ASE), you can add the root certificate by setting the WEBSITE_LOAD_ROOT_CERTIFICATES application setting.
For other Azure services, you may need to use Azure Key Vault to store and manage your certificates.
- Apply the computer trust store:
Windows:
- Open the Microsoft Management Console (MMC).
- Add the Certificates snap-in for the local computer.
- Import the root and intermediate certificates into the Trusted Root Certification Authorities and Intermediate Certification Authorities stores, respectively.
Linux:
- Copy the root and intermediate certificates to the /usr/local/share/ca-certificates/ directory.
- Run sudo update-ca-certificates to update the CA store.
Using a CA-signed certificate has several advantages over a self-signed certificate:
- CA-signed certificates are trusted by browsers and operating systems by default, reducing the likelihood of security warnings.
- CA-signed certificates are issued by a trusted third party, thus providing a higher level of validation and assurance.
- CA-signed certificates can be revoked if compromised, providing additional security.
In summary, while self-signed certificates are suitable for testing and internal use, CA-signed certificates are recommended for production environments due to their higher level of trust and verification.
Please feel free to contact me for any updates. And if this helps, don't forget to mark it as an answer.
Best,
Jake Zhang
Sign in to comment