SOLVED! M365DSC certificate authentication fails with "does not have a private key" error

Shawn Goodwin 176 Reputation points
2024-11-12T16:02:46.0466667+00:00

I am deploying an M365DSC infra for my org. I've followed the pre-requisites and installed and updated DSC on a stand-alone Azure VM. I intend to use certificate authentication and created the EntraID application using the Update-M365DSCAzureAdApplication cmdlet. I am a Global Admin and ran this command using my creds and permissions.

PS C:\Windows\System32> Update-M365DSCAzureAdApplication
>> -ApplicationName 'Microsoft365DSC' 
>> -AdminConsent
>> -Type Certificate
>> -CreateSelfSignedCertificate
>> -CertificatePath C:\temp\M365DSC.cer
>> -Permissions @(
>> @{Api='Graph';PermissionName='User.Read.All'},
>> @{Api='Graph';PermissionName='UserAuthenticationMethod.Read.All'},
>> ......lots of permissions.....
>> )

The cert gets created and I install the cert to the User Personal store. (I know the instructions on the official documentation say to install the cert to the LocalMachine Personal store, but I was having connection problems and found that the Connect-MgGraph cmdlet only looks for certs in the User Personal store, so I installed the cert in both locations).

I connect using the following values:

$TenantId='mycompany.onmicrosoft.com'
$AppId='xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxx'
$CertThumbprint='xxx....'  #cert thumprint copied from certificate entry in EntraID Application.

I am trying to connect with connect-mggraph -ApplicationId $AppId -CertificateThumbprint $CertThumbprint -TenantId $TenantId

Each time I try to connect, I get the following error; Connect-MgGraph: ClientCertificateCredential authentication failed: The certificate certificate does not have a private key.

By default, the cert created by the Update-M365DSCAzureAdApplication cmdlet does not have a private key. What am I doing wrong?

edit: clarity

Windows Server PowerShell
Windows Server PowerShell
Windows Server: A family of Microsoft server operating systems that support enterprise-level management, data storage, applications, and communications.PowerShell: A family of Microsoft task automation and configuration management frameworks consisting of a command-line shell and associated scripting language.
5,563 questions
0 comments No comments
{count} votes

2 answers

Sort by: Most helpful
  1. Rich Matheisen 47,056 Reputation points
    2024-11-12T20:01:09.5266667+00:00

    I think this addresses your problem: https://github.com/microsoft/Microsoft365DSC/issues/2910


  2. Shawn Goodwin 176 Reputation points
    2024-11-13T22:21:28.5566667+00:00

    SOLVED!! Turns out PowerShell 7 is the culprit here. I was executing all previous commands using PowerShell 7.4 (because that's my preferred version). I took all the steps required to use PS7+, per https://microsoft365dsc.com/user-guide/get-started/powershell7-support/.

    On the EntraID App, I deleted all permissions and the previous certificate. I executed the same Update-M365DSCAzureAdApplication command using PowerShell 5.1. The cert was created and the same permissions assigned. I installed the cert to the user store and executed the Export-M365DSCConfiguration command. It authenticated successfully and exported the requested items.

    I then opened another PS7 session and executed the same Export command, and it successfully authenticated with the same cert thumbprint; no other changes were made!

    It would seem that the self-signed cert created under the PS7 session somehow differs than the one created under the PS5 session. I reported this to the devs on GitHub. Hopefully, this little knowledge-nugget makes its way into the documentation.


Your answer

Answers can be marked as Accepted Answers by the question author, which helps users to know the answer solved the author's problem.