Duplicate of https://learn.microsoft.com/en-us/answers/questions/2118256/m365dsc-certificate-authentication-fails-with-does
M365DSC Certificate authentication fails with "does not have a private key" error
I am deploying M365DSC infra for my org. I have followed the pre-requisites and installed and updated DSC on a stand-alone Azure VM. I intend to use certificate authentication and created the EntraID application using the Update-M365DSCAzureAdApplication cmdlet. I am a Global Admin and ran this command with my creds and permissions.
PS C:\Windows\System32> Update-M365DSCAzureAdApplication
>> -ApplicationName 'Microsoft365DSC'
>> -AdminConsent
>> -Type Certificate
>> -CreateSelfSignedCertificate
>> -CertificatePath C:\temp\M365DSC.cer
>> -Permissions @(
>> @{Api='Graph';PermissionName='User.Read.All'},
>> @{Api='Graph';PermissionName='UserAuthenticationMethod.Read.All'},
>> ......lots of permissions.....
>> )
The certificate gets created and I installed the cert to the User Personal store. (I know the official instructions say to install the cert to the LocalMachine Personal store, but I was having connection problems and found that the Connect-MgGraph cmdlet only looks for certs in the User Personal store, so I installed the cert in both locations).
I connect using the following values:
$TenantId='mycompany.onmicrosoft.com'
$AppId='xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxx'
$CertThumbprint='xxx....' #cert thumbprint copied from certificate entry in EntraID Application.
I am trying to connect with connect-mggraph -ApplicationId $AppId -CertificateThumbprint $CertThumbprint -TenantId $TenantId
Each time I try to connect, I get the following error: Connect-MgGraph: ClientCertificateCredential authentication failed: The certificate certificate does not have a private key.
By default, the self-signed cert created by the Update-M365DSCAzureAdApplication cmdlet does not have a private key. What am I doing wrong?
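Added diagnostic, not part of the original question or of the M365DSC project: this PowerShell check reports, for a given thumbprint, whether each Personal store holds the certificate and whether that store entry actually carries a private key, and confirms that the exported .cer file holds none (a .cer contains only the public certificate, so importing it yields a public-only entry; any private key stays in the store where the certificate was generated). The thumbprint value and the function name are placeholders.

```powershell
# Placeholders: replace with the thumbprint shown on the Entra ID application
$CertThumbprint = 'REPLACE-WITH-THUMBPRINT'
$CerPath        = 'C:\temp\M365DSC.cer'   # exported public certificate from the question

function Test-M365DSCCertPrivateKey {
    param(
        [Parameter(Mandatory)][string]$Thumbprint,
        [string]$CerFile
    )
    $results = [System.Collections.Generic.List[object]]::new()

    # Check both Personal stores; Found=True with HasPrivateKey=False is a public-only entry
    foreach ($store in 'Cert:\CurrentUser\My', 'Cert:\LocalMachine\My') {
        $cert = Get-ChildItem -Path $store -ErrorAction SilentlyContinue |
                Where-Object { $_.Thumbprint -eq $Thumbprint }
        $results.Add([pscustomobject]@{
            Location      = $store
            Found         = [bool]$cert
            HasPrivateKey = if ($cert) { $cert.HasPrivateKey } else { $null }
            NotAfter      = if ($cert) { $cert.NotAfter } else { $null }
        })
    }

    # A .cer file never carries a private key; this row makes that visible
    if ($CerFile -and (Test-Path -Path $CerFile)) {
        $fileCert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList $CerFile
        $results.Add([pscustomobject]@{
            Location      = $CerFile
            Found         = ($fileCert.Thumbprint -eq $Thumbprint)
            HasPrivateKey = $fileCert.HasPrivateKey
            NotAfter      = $fileCert.NotAfter
        })
    }

    $results
}

Test-M365DSCCertPrivateKey -Thumbprint $CertThumbprint -CerFile $CerPath | Format-Table -AutoSize
```

Run it in the same account and elevation context used for Connect-MgGraph; if the only rows showing the thumbprint have HasPrivateKey False, the store holds just the public half and the error above is expected.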