Certificate based authentication for SharePoint Online
`o365-connect-spo-cert.ps1` manages certificate-based authentication for SharePoint Online (SPO) admin access.
It supports two mutually exclusive modes:
- `-GenerateLocalCertificate`: create a local certificate (and optional PFX), with optional Entra app provisioning.
- `-UseCertificateAuth`: connect to the SPO Admin Center using app + certificate authentication.
At runtime the script:
- Resolves runtime paths relative to the script location.
- Ensures the SharePoint Online module is installed, optionally updated, and imported.
- Validates that `Connect-SPOService` supports certificate-auth parameters.
- Runs exactly one mode (`GenerateLocalCertificate` or `UseCertificateAuth`).
- Handles errors with targeted troubleshooting hints.
- Returns `0` on success and `1` on failure.
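The module and capability checks described above, as an added example that is not the script's own code. It assumes the module name given on this page; the `Connect-SPOService` parameter names it probes (`ClientId`, `Tenant`, `CertificateThumbprint`, `CertificatePath`, `CertificatePassword`) are assumptions to compare against `Get-Help Connect-SPOService` for the installed version, and the function name is hypothetical.

```powershell
# Added example: make sure the SPO module is present (optionally current) and that
# Connect-SPOService exposes a certificate-auth parameter set before choosing a mode.
$ModuleName = 'microsoft.online.sharepoint.powershell'

function Test-SpoCertAuthSupport {
    [CmdletBinding()]
    param([switch]$NoUpdate)

    $installed = Get-Module -ListAvailable -Name $ModuleName |
        Sort-Object Version -Descending | Select-Object -First 1

    if (-not $installed) {
        Write-Verbose "Installing $ModuleName for the current user"
        Install-Module -Name $ModuleName -Scope CurrentUser -Force
    }
    elseif (-not $NoUpdate) {
        # Only update when the gallery actually has a newer version than the one on disk.
        $latest = Find-Module -Name $ModuleName -ErrorAction SilentlyContinue
        if ($latest -and $latest.Version -gt $installed.Version) {
            Write-Verbose "Updating $ModuleName $($installed.Version) -> $($latest.Version)"
            Update-Module -Name $ModuleName -Force
        }
    }
    Import-Module -Name $ModuleName -ErrorAction Stop

    $params = (Get-Command Connect-SPOService).Parameters

    # Prefer a thumbprint-based set (private key stays in the store); fall back to a
    # PFX-path set only if that is all the installed module offers. Parameter names are assumed.
    $setsToCheck = @(
        @{ Name = 'Thumbprint'; Required = 'ClientId', 'Tenant', 'CertificateThumbprint' },
        @{ Name = 'PfxPath';    Required = 'ClientId', 'Tenant', 'CertificatePath', 'CertificatePassword' }
    )
    foreach ($set in $setsToCheck) {
        $missing = $set.Required | Where-Object { -not $params.ContainsKey($_) }
        if (-not $missing) { return $set.Name }
    }
    $ver = (Get-Module -Name $ModuleName).Version
    throw "Connect-SPOService in $ModuleName $ver exposes no certificate-auth parameter set; update the module and rerun."
}

# Usage inside a script that must return 0/1: wrap the call so any throw maps to exit 1.
# try { $set = Test-SpoCertAuthSupport -Verbose } catch { Write-Error $_; exit 1 }
```

Returning the name of the usable parameter set lets the connect step pick the best available one, which is the same decision the script's connection flow describes.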
- Windows PowerShell 5.1 or PowerShell 7+.
- Elevated permissions may be required for module install/update.
- Required module: `microsoft.online.sharepoint.powershell`. The script can install/update this module automatically unless `-noupdate` is used.
The operator signing in with device code must be able to:
- Create/update Entra applications and service principals.
- Grant admin consent for app roles.
Provisioning requests these application permissions for the created app:
- SharePoint Online: `Sites.FullControl.All`
- Microsoft Graph: `Application.Read.All`
Mode switches (exactly one must be specified):
- `-GenerateLocalCertificate`
- `-UseCertificateAuth`
- `-noprompt`: non-interactive operation where possible.
- `-noupdate`: skip module version check/update.
- `-enableLog`: start transcript logging to `o365-connect-spo-admin.txt` in the parent folder of the script directory.
Certificate generation parameters:
- `-GeneratedCertSubject` (default: `O365-SPO-AppAuth`)
- `-GeneratedCertYearsValid` (default: `2`)
- `-GeneratedCertOutputPath` (default: parent of script directory)
- `-ExportGeneratedPfx`
- `-GeneratedPfxPassword`

Connection parameters:
- `-Tenant`
- `-ProfileName`
- `-AdminUrl` (for example `https://contoso-admin.sharepoint.com`)
- `-AppId`
- `-CertificateThumbprint`
- `-CertificateMapPath`

Entra provisioning parameters:
- `-ProvisionEntraApp`
- `-AppDisplayName`
- `-SetupClientId` (default device-code client ID)
- `-CopyDeviceCodeToClipboard`
When `-CertificateMapPath` is not provided, the script searches these locations (in order):
- `cert-export/o365-spo-admin-cert-auth.json` in the script parent directory
- `o365-spo-admin-cert-auth.json` in the script parent directory
- `cert-export/o365-spo-admin-cert-auth.json` in the script directory
- `o365-spo-admin-cert-auth.json` in the script directory

If none exist, the default write target is:
- `cert-export/o365-spo-admin-cert-auth.json` in the script parent directory
Expected profile fields: `name`, `tenant`, `adminUrl`, `appId`, `certificateThumbprint`, `pfxPath`.
```powershell
.\o365-connect-spo-cert.ps1 -GenerateLocalCertificate
```
This produces:
- A self-signed cert in `Cert:\CurrentUser\My`
- An exported `.cer`
- An optional exported `.pfx`
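The generate-only mode described above, as an added example that is not the script's own code. It uses the page's defaults for subject, validity and output location; the function name, the 2048-bit RSA/SHA-256 key parameters, the output file names and the prompt for a PFX password are assumptions. `New-SelfSignedCertificate` is available on Windows only.

```powershell
# Added example: create a self-signed certificate in the user's personal store,
# export the public .cer for upload to the app registration and, optionally, a PFX.
function New-SpoAppAuthCertificate {
    [CmdletBinding()]
    param(
        [string]$Subject = 'O365-SPO-AppAuth',
        [int]$YearsValid = 2,
        # Default to the parent of the script directory, or the current directory when run interactively.
        [string]$OutputPath = $(if ($PSScriptRoot) { Split-Path -Parent $PSScriptRoot } else { (Get-Location).Path }),
        [switch]$ExportPfx,
        [securestring]$PfxPassword
    )

    if (-not (Test-Path -Path $OutputPath)) {
        New-Item -ItemType Directory -Path $OutputPath | Out-Null
    }

    # 2048-bit RSA signing key, SHA-256, stored in Cert:\CurrentUser\My. Exportable so the
    # same key can be moved to an automation host as a PFX; keep the PFX protected.
    $cert = New-SelfSignedCertificate `
        -Subject "CN=$Subject" `
        -CertStoreLocation 'Cert:\CurrentUser\My' `
        -KeyAlgorithm RSA -KeyLength 2048 -HashAlgorithm SHA256 `
        -KeySpec Signature `
        -KeyExportPolicy Exportable `
        -NotAfter (Get-Date).AddYears($YearsValid)

    # The .cer contains only the public key; that is what the app registration needs.
    $cerPath = Join-Path -Path $OutputPath -ChildPath "$Subject.cer"
    Export-Certificate -Cert $cert -FilePath $cerPath -Type CERT | Out-Null

    $pfxPath = $null
    if ($ExportPfx) {
        if (-not $PfxPassword) {
            $PfxPassword = Read-Host -Prompt 'PFX password' -AsSecureString
        }
        $pfxPath = Join-Path -Path $OutputPath -ChildPath "$Subject.pfx"
        Export-PfxCertificate -Cert $cert -FilePath $pfxPath -Password $PfxPassword | Out-Null
    }

    # Return what the connect mode and the profile map need later.
    [pscustomobject]@{
        Thumbprint = $cert.Thumbprint
        Subject    = $cert.Subject
        NotAfter   = $cert.NotAfter
        CerPath    = $cerPath
        PfxPath    = $pfxPath
    }
}

# Usage: generate with a password-protected PFX for import on another machine.
# New-SpoAppAuthCertificate -ExportPfx -PfxPassword (Read-Host -Prompt 'PFX password' -AsSecureString)
```

The returned thumbprint is the value to record as `certificateThumbprint` in the profile map; the `.pfx` only needs to leave the machine if the connecting host is a different one.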
```powershell
.\o365-connect-spo-cert.ps1 `
  -GenerateLocalCertificate `
  -ProvisionEntraApp `
  -Tenant contoso.onmicrosoft.com `
  -AdminUrl https://contoso-admin.sharepoint.com `
  -AppDisplayName O365-SPO-AppAuth-Contoso `
  -ExportGeneratedPfx
```
Provisioning flow:
- Device-code sign-in to Microsoft Graph.
- Resolve SPO and Graph service principals.
- Create or reuse app registration.
- Upload certificate to app key credentials.
- Create/reuse service principal.
- Grant `Sites.FullControl.All` and `Application.Read.All`.
- Upsert JSON profile map entry atomically.
Important operational note:
- New app role grants may take about 15-30 minutes to replicate.
Connect using profile map lookup:
```powershell
.\o365-connect-spo-cert.ps1 -UseCertificateAuth -Tenant contoso.onmicrosoft.com
```
Connect with explicit values:
```powershell
.\o365-connect-spo-cert.ps1 `
  -UseCertificateAuth `
  -Tenant contoso.onmicrosoft.com `
  -AdminUrl https://contoso-admin.sharepoint.com `
  -AppId 11111111-2222-3333-4444-555555555555 `
  -CertificateThumbprint ABCD1234ABCD1234ABCD1234ABCD1234ABCD1234
```
Connection flow:
- Resolve profile data from the JSON map (if available).
- Fill missing values from the profile.
- Derive `AdminUrl` from the tenant if possible.
- Resolve the certificate from local stores (`CurrentUser\My`, then `LocalMachine\My`).
- If not found, attempt PFX import from candidate paths.
- Validate private key presence and expiration.
- Disconnect any existing SPO session.
- Connect with `Connect-SPOService` using the best available certificate parameter set.
- Print the connected admin center and certificate/app details.
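The connection flow above, together with the profile-map lookup described earlier, as an added example that is not the script's own code. The JSON field names (`name`, `tenant`, `adminUrl`, `appId`, `certificateThumbprint`, `pfxPath`) and the store search order are the page's; the assumptions are that the map file is a JSON array of such objects, the function names, the 30-day warning threshold, and the `Connect-SPOService` parameter names (`-Url`, `-ClientId`, `-Tenant`, `-CertificateThumbprint`), which should be checked against the installed module's help.

```powershell
# Added example: resolve values from the profile map, fill gaps, locate and validate
# the certificate, then connect. Explicit parameters always win over profile values.

function Get-SpoCertProfile {
    param([string]$MapPath, [string]$Tenant, [string]$ProfileName)
    if (-not $MapPath -or -not (Test-Path -Path $MapPath)) { return $null }
    # Assumed map layout (constructed sample):
    # [ { "name": "contoso", "tenant": "contoso.onmicrosoft.com",
    #     "adminUrl": "https://contoso-admin.sharepoint.com", "appId": "<app-id>",
    #     "certificateThumbprint": "<thumbprint>", "pfxPath": "cert-export/O365-SPO-AppAuth.pfx" } ]
    $map = Get-Content -Raw -Path $MapPath | ConvertFrom-Json
    $map | Where-Object {
        ($ProfileName -and $_.name -eq $ProfileName) -or
        (-not $ProfileName -and $_.tenant -eq $Tenant)
    } | Select-Object -First 1
}

function Get-SpoAdminUrlFromTenant {
    param([string]$Tenant)
    # contoso.onmicrosoft.com -> https://contoso-admin.sharepoint.com
    if ($Tenant -match '^(?<name>[^.]+)\.onmicrosoft\.com$') {
        return "https://$($Matches.name)-admin.sharepoint.com"
    }
    return $null
}

function Resolve-SpoAuthCertificate {
    param([string]$Thumbprint, [string]$PfxPath, [securestring]$PfxPassword, [int]$WarnDays = 30)
    $cert = $null
    foreach ($store in 'Cert:\CurrentUser\My', 'Cert:\LocalMachine\My') {
        $cert = Get-ChildItem -Path $store -ErrorAction SilentlyContinue |
            Where-Object Thumbprint -eq $Thumbprint | Select-Object -First 1
        if ($cert) { break }
    }
    if (-not $cert -and $PfxPath -and (Test-Path -Path $PfxPath)) {
        # Fallback: import the PFX into the user store so the thumbprint resolves from now on.
        $cert = Import-PfxCertificate -FilePath $PfxPath -CertStoreLocation 'Cert:\CurrentUser\My' -Password $PfxPassword
    }
    if (-not $cert) { throw "Certificate $Thumbprint not found in CurrentUser\My or LocalMachine\My and no importable PFX." }
    if (-not $cert.HasPrivateKey) { throw "Certificate $Thumbprint has no private key; import the matching PFX." }
    if ($cert.NotAfter -lt (Get-Date)) { throw "Certificate $Thumbprint expired on $($cert.NotAfter)." }
    $daysLeft = [int]($cert.NotAfter - (Get-Date)).TotalDays
    if ($daysLeft -le $WarnDays) { Write-Warning "Certificate $Thumbprint expires in $daysLeft days; rotate it." }
    return $cert
}

function Connect-SpoWithCertificate {
    [CmdletBinding()]
    param(
        [string]$MapPath, [string]$Tenant, [string]$ProfileName,
        [string]$AdminUrl, [string]$AppId, [string]$CertificateThumbprint,
        [securestring]$PfxPassword
    )
    $entry = Get-SpoCertProfile -MapPath $MapPath -Tenant $Tenant -ProfileName $ProfileName
    if ($entry) {
        if (-not $Tenant)                { $Tenant = $entry.tenant }
        if (-not $AdminUrl)              { $AdminUrl = $entry.adminUrl }
        if (-not $AppId)                 { $AppId = $entry.appId }
        if (-not $CertificateThumbprint) { $CertificateThumbprint = $entry.certificateThumbprint }
    }
    if (-not $AdminUrl -and $Tenant) { $AdminUrl = Get-SpoAdminUrlFromTenant -Tenant $Tenant }

    $required = @{ Tenant = $Tenant; AdminUrl = $AdminUrl; AppId = $AppId; CertificateThumbprint = $CertificateThumbprint }
    $missing = $required.Keys | Where-Object { -not $required[$_] }
    if ($missing) { throw "Missing required value(s): $($missing -join ', '). Supply them directly or via a profile." }

    $pfx  = if ($entry) { $entry.pfxPath } else { $null }
    $cert = Resolve-SpoAuthCertificate -Thumbprint $CertificateThumbprint -PfxPath $pfx -PfxPassword $PfxPassword

    # Drop any leftover session so a stale identity is never reused for admin work.
    try { Disconnect-SPOService -ErrorAction SilentlyContinue } catch { }
    Connect-SPOService -Url $AdminUrl -ClientId $AppId -Tenant $Tenant -CertificateThumbprint $cert.Thumbprint

    [pscustomobject]@{ AdminUrl = $AdminUrl; AppId = $AppId; Thumbprint = $cert.Thumbprint; NotAfter = $cert.NotAfter }
}

# Usage: Connect-SpoWithCertificate -MapPath '.\cert-export\o365-spo-admin-cert-auth.json' -Tenant contoso.onmicrosoft.com
```

Validating `HasPrivateKey` and `NotAfter` before calling `Connect-SPOService` turns the two most common failures (a public-only certificate from a `.cer` import, or an expired one) into clear local errors instead of an opaque authentication failure from the service.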
Use `-noprompt` for unattended runs. Combine it with explicit parameters to avoid selection prompts:
```powershell
.\o365-connect-spo-cert.ps1 `
  -UseCertificateAuth `
  -noprompt `
  -Tenant contoso.onmicrosoft.com `
  -AdminUrl https://contoso-admin.sharepoint.com `
  -AppId 11111111-2222-3333-4444-555555555555 `
  -CertificateThumbprint ABCD1234ABCD1234ABCD1234ABCD1234ABCD1234
```
Enable transcript logging with:
```powershell
.\o365-connect-spo-cert.ps1 -UseCertificateAuth -enableLog
```
Log file:
- `o365-connect-spo-admin.txt` in the script parent directory
Because the script is declared with `CmdletBinding()`, the common parameters such as `-Verbose` and `-Debug` are available for diagnostic output:
```powershell
.\o365-connect-spo-cert.ps1 -UseCertificateAuth -Verbose -Debug
```
- Symptom: certificate-auth parameters not available on `Connect-SPOService`.
- Action: update `microsoft.online.sharepoint.powershell` and rerun.
- Symptom: thumbprint resolution or private key errors.
- Action: ensure the cert exists in `CurrentUser\My` or `LocalMachine\My` and includes the private key; import the matching PFX if needed.
- Symptom: access denied or insufficient privileges immediately after provisioning.
- Action: wait 15-30 minutes for RBAC replication, then retry.
- Symptom: missing one or more of `Tenant`, `AdminUrl`, `AppId`, `CertificateThumbprint`.
- Action: supply them directly or via a valid profile in the certificate map JSON.
- Keep PFX files secured and remove unneeded exports.
- Rotate certificates before expiry (script warns at 30 days).
- Use distinct app display names per tenant/environment.
- Prefer profile map entries for repeatable operations.
- Use `-noprompt` + explicit inputs for scheduled automation.
```powershell
# Generate cert only
.\o365-connect-spo-cert.ps1 -GenerateLocalCertificate

# Generate cert + provision app + profile map
.\o365-connect-spo-cert.ps1 -GenerateLocalCertificate -ProvisionEntraApp -Tenant contoso.onmicrosoft.com -AdminUrl https://contoso-admin.sharepoint.com -ExportGeneratedPfx

# Connect using profile map lookup
.\o365-connect-spo-cert.ps1 -UseCertificateAuth -Tenant contoso.onmicrosoft.com

# Connect with explicit values
.\o365-connect-spo-cert.ps1 -UseCertificateAuth -Tenant contoso.onmicrosoft.com -AdminUrl https://contoso-admin.sharepoint.com -AppId <app-id> -CertificateThumbprint <thumbprint>
```