
Azure Automation / runbooks - issue with SP with Thumbprint #4548

Open
Wopienkaatwork opened this issue Apr 11, 2024 · 1 comment

Comments

@Wopienkaatwork

Description of the issue

I wanted to run an export from a tenant with the help of a runbook, but when I use a service principal I get the following error message:

```
pulling DSC from Tenant 2024-Apr-11-2004PM
Exporting Microsoft 365 configuration for Workloads: AAD
Finding all resources for workload {AAD} and Mode {Default}
Authentication methods specified:
- Service Principal with Certificate Thumbprint
Get-ChildItem : Cannot find path '\LocalMachine\My\xxxxxxxxxxxxx' because it does not exist.
At C:\usr\src\PSModules\MSCloudLoginAssistant\Workloads\MicrosoftGraph.psm1:115 char:29
+ ... $cert = Get-ChildItem "Cert:\LocalMachine\My$($Global:MSCloudLog ...
+             ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : ObjectNotFound: (\LocalMachine\M...xxxxxxxxxx:String) [Get-ChildItem], ItemNotFoundException
    + FullyQualifiedErrorId : PathNotFound,Microsoft.PowerShell.Commands.GetChildItemCommand
Partial Export file was saved at:
C:\Users\ContainerAdministrator\AppData\Local\Temp\ea76ee5b-6e13-4f2d-babc-a1520bad92f4.partial.ps1
```

The code I used:

```powershell
$creds = Get-AutomationPSCredential -Name "DemoTenant"   # not used below; the export authenticates with the certificate
$path = "$env:TEMP"
# 'mm' is minutes; 'MM' repeats the month, which is why the log above shows "2004PM" for 20:04
$Date = $(Get-Date -Format yyyy-MMM-dd-HHmmtt)

$ApplicationId = "xxxxxx"
$CertificateThumbprint = "xxxxxxx"
$TenantId = 'xxxxxxxxxxx.onmicrosoft.com'

Write-Output "Pulling DSC from Tenant $Date"

# Service-principal auth: MSCloudLoginAssistant resolves the thumbprint in Cert:\LocalMachine\My
Export-M365DSCConfiguration -Workloads @("AAD") -Path $path -FileName "runbook_$Date.ps1" *>&1 -ApplicationId $ApplicationId -CertificateThumbprint $CertificateThumbprint -TenantId $TenantId -GenerateInfo $true
```

I already installed all modules (Version 5.1)
Is there an option to use runbooks with an SP with a thumbprint?

Microsoft 365 DSC Version

1.24.403.1

Which workloads are affected

Azure Active Directory (Entra ID)

The DSC configuration

No response

Verbose logs showing the problem

No response

Environment Information + PowerShell Version

No response

@FabienTschanz (Contributor)

@Wopienkaatwork The certificate you are using must be imported into the certificate store of the local machine, e.g. using certutil. Below you find an example of how I do it on an Azure Runbook Hybrid Worker in System context.

```powershell
$certPath = "C:\certificate.pfx"
$certificate = Get-PfxCertificate -FilePath $certPath     # read the PFX to obtain its thumbprint
$thumbPrint = $certificate.Thumbprint
# Piping "" answers the password prompt with an empty password; -f overwrites an existing entry,
# NoRoot leaves the root CA out of the import
$null = "" | certutil -f -importpfx $certPath NoRoot
```

Export-M365DSCConfiguration...

The certutil command imports the pfx without the Root certificate in its chain and overwrites any previously existing certificate with that name. You could do this with Import-PfxCertificate as well, but in my case that didn't quite work out. But that's another story.
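The step the reply describes, as an added example that is not code from the issue or from the Microsoft365DSC project: get the certificate into Cert:\LocalMachine\My with its private key before calling Export-M365DSCConfiguration, and verify that the lookup MSCloudLoginAssistant performs actually succeeds. The paths in the log (C:\usr\src\PSModules, ContainerAdministrator) suggest the runbook ran in the hosted Azure Automation sandbox rather than on a Hybrid Worker, so the example takes the certificate from an Automation certificate asset (the asset name "M365DSC-Cert" is a placeholder) and, alternatively, from a PFX on disk; instead of certutil it round-trips the certificate through in-memory PFX bytes with MachineKeySet and PersistKeySet so the private key is persisted in the machine store. It assumes the runbook has rights to write to LocalMachine\My and that the certificate asset or PFX was stored with an exportable, unprotected private key; application id and tenant id are placeholders.

```powershell
# Added example (not from the issue or the Microsoft365DSC project). Assumptions: runs under
# Azure Automation (sandbox or Hybrid Worker) with rights to write Cert:\LocalMachine\My;
# "M365DSC-Cert", the application id and the tenant id are placeholders.
using namespace System.Security.Cryptography.X509Certificates

param(
    [string]$CertificateAssetName = 'M365DSC-Cert',                  # hypothetical Automation certificate asset
    [string]$PfxPath = '',                                           # alternative: unprotected PFX on a Hybrid Worker
    [string]$ApplicationId = '00000000-0000-0000-0000-000000000000', # placeholder app (client) id
    [string]$TenantId = 'contoso.onmicrosoft.com'                    # placeholder tenant
)

# A thumbprint pasted from the portal often carries spaces or invisible characters; strip
# everything that is not hex and upper-case it so it matches the Cert: provider path exactly.
function ConvertTo-CleanThumbprint {
    param([Parameter(Mandatory)][string]$Thumbprint)
    $clean = ($Thumbprint -replace '[^0-9A-Fa-f]', '').ToUpperInvariant()
    if ($clean.Length -ne 40) { throw "Thumbprint '$Thumbprint' is not 40 hex characters (SHA-1)." }
    return $clean
}

# Ensure the certificate sits in Cert:\LocalMachine\My with a usable private key and return that entry.
# Get-AutomationCertificate / Get-PfxCertificate hand back an object whose key lives only in the
# process; re-creating it from PFX bytes with MachineKeySet|PersistKeySet stores the key persistently.
function Install-MachineStoreCertificate {
    param([Parameter(Mandatory)][X509Certificate2]$Certificate)

    $thumb = ConvertTo-CleanThumbprint $Certificate.Thumbprint
    $existing = Get-ChildItem -Path "Cert:\LocalMachine\My\$thumb" -ErrorAction SilentlyContinue
    if ($existing -and $existing.HasPrivateKey) { return $existing }

    if (-not $Certificate.HasPrivateKey) {
        throw "Certificate $thumb has no private key; import the PFX, not the public .cer."
    }

    # Random one-time password for the in-memory PFX round trip; nothing is written to disk.
    $rngBytes = [byte[]]::new(32)
    [System.Security.Cryptography.RandomNumberGenerator]::Create().GetBytes($rngBytes)
    $tmpPwd = [Convert]::ToBase64String($rngBytes)
    try {
        $pfxBytes = $Certificate.Export([X509ContentType]::Pfx, $tmpPwd)
    } catch {
        throw "Private key of $thumb is not exportable (mark the Automation certificate asset exportable): $_"
    }
    $persisted = [X509Certificate2]::new($pfxBytes, $tmpPwd, [X509KeyStorageFlags]'MachineKeySet, PersistKeySet')

    $store = [X509Store]::new([StoreName]::My, [StoreLocation]::LocalMachine)
    $store.Open([OpenFlags]::ReadWrite)
    try { $store.Add($persisted) } finally { $store.Close() }

    # Same lookup MSCloudLoginAssistant performs; fail here rather than deep inside the export.
    $entry = Get-ChildItem -Path "Cert:\LocalMachine\My\$thumb" -ErrorAction Stop
    if (-not $entry.HasPrivateKey) { throw "Certificate $thumb was stored without its private key." }
    return $entry
}

if ($PfxPath) {
    $cert = Get-PfxCertificate -FilePath $PfxPath                  # Hybrid Worker: PFX on disk
} else {
    $cert = Get-AutomationCertificate -Name $CertificateAssetName  # sandbox or Hybrid Worker: Automation asset
}
$installed = Install-MachineStoreCertificate -Certificate $cert
Write-Output "Using certificate $($installed.Thumbprint) (expires $($installed.NotAfter))"

Export-M365DSCConfiguration -Workloads @('AAD') -Path $env:TEMP `
    -FileName "runbook_$(Get-Date -Format yyyy-MMM-dd-HHmmtt).ps1" `
    -ApplicationId $ApplicationId -CertificateThumbprint $installed.Thumbprint -TenantId $TenantId
```

The explicit Get-ChildItem check before the export reproduces the exact lookup that failed in the log, so a missing store entry, a thumbprint with stray characters, or a certificate imported without its private key surfaces as a clear error at the top of the runbook instead of as a partial export. Whether the sandbox tolerates writes to the machine store is an assumption to verify in your own Automation account; on a Hybrid Worker running as System it does, as the reply describes.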
