Connect To Microsoft Graph API Using Certificate From Linux

This article shows how to connect to the Microsoft Graph API using a certificate from Ubuntu running on Windows Subsystem for Linux (WSL).

The Microsoft Graph API lets us create and manage resources across Azure and Microsoft 365 programmatically, from C#, Python, or the Microsoft Graph PowerShell module.

Authentication

When it comes to authentication, we have two options. The first is delegated access (user), where we authenticate with a username and password. The second is app-only access, using an access token or a certificate.

The most secure method of connecting to Graph API is using a certificate, and in this post we walk through creating a certificate and using it to connect.

Before you start, ensure you have an Azure Active Directory App Registration configured with the required API permissions. For details on creating one, see the post we published earlier.

Create a Certificate

Use the PowerShell script below to create a self-signed certificate on WSL or any other Linux distribution.

Note – To run the script, you must install PowerShell 7. To install PowerShell, see the article we published earlier.

Note – To use the Connect-MgGraph cmdlet later in this post, you must also install the Microsoft Graph PowerShell module:

Install-Module -Name Microsoft.Graph

The script is shown below (modify paths and names as needed).

$CertPath   = 'Enter Path'                      # directory that will hold the key and certificate files
$CertKey    = Join-Path $CertPath 'key.pem'     # Join-Path avoids a missing trailing slash in $CertPath
$CertPublic = Join-Path $CertPath 'cert.pem'    # public certificate, this is the file uploaded to Azure
$CertMerge  = Join-Path $CertPath 'merged.pfx'  # certificate plus private key, imported into the local store
$CertPass   = 'Enter Cert Password'
$CertExpire = 365
$CertName   = 'AuditSPN' + $(Get-Date -UFormat "%Y%m%d%H%M%S")

# Generate a new self-signed certificate and private key, then convert them to PFX format
openssl req -newkey rsa:2048 -new -nodes -x509 -days $CertExpire -keyout $CertKey -out $CertPublic -subj "/C=LV/ST=Some-State/L=LV/O=$CertName/OU=IT"
openssl pkcs12 -in $CertPublic -inkey $CertKey -export -out $CertMerge -passout pass:$CertPass

# Store the certificate in the CurrentUser\My store. On Linux this is the .NET file-based store
# under ~/.dotnet/corefx/cryptography/x509stores/my, which is where Connect-MgGraph -CertificateThumbprint looks.
$StoreName     = [System.Security.Cryptography.X509Certificates.StoreName]::My
$StoreLocation = [System.Security.Cryptography.X509Certificates.StoreLocation]::CurrentUser
$Store = [System.Security.Cryptography.X509Certificates.X509Store]::new($StoreName, $StoreLocation)
$Flag = [System.Security.Cryptography.X509Certificates.X509KeyStorageFlags]::Exportable
$Certificate = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($CertMerge, $CertPass, $Flag)
$Store.Open([System.Security.Cryptography.X509Certificates.OpenFlags]::ReadWrite)
$Store.Add($Certificate)
$Store.Close()

# Get the certificate thumbprint (SHA-1 of the DER encoding); Connect-MgGraph uses it to find the certificate in the store.
# $CertValue is the base64 DER of the public certificate, useful if you register the key via the Graph API instead of the portal.
$CertValue = [Convert]::ToBase64String($Certificate.GetRawCertData())
$Thumbprint = $Certificate.Thumbprint
Write-Host $Thumbprint

Important – After you run the script, note down the certificate thumbprint; you will need it to connect.
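As an added check (example code, not part of the original article), the following recomputes the thumbprint from cert.pem, the file that gets uploaded to Azure, and confirms that the same certificate sits in the CurrentUser\My store with its private key and a sane expiry. It assumes the file layout and the $CertPublic variable of the script above; the function names are my own.

```powershell
# Added example, not from the original article. Assumes the key/cert layout of the script above.

function Get-PemThumbprint {
    # Returns the SHA-1 thumbprint of a PEM certificate in the same form the portal and
    # $Certificate.Thumbprint use: upper-case hex, no colons. Only the public certificate is read.
    param([Parameter(Mandatory)][string]$PemPath)
    $fingerprint = openssl x509 -in $PemPath -noout -fingerprint -sha1   # e.g. "sha1 Fingerprint=AB:CD:..."
    if ($LASTEXITCODE -ne 0) { throw "openssl could not read $PemPath" }
    return (($fingerprint -split '=', 2)[1] -replace ':', '').ToUpper()
}

function Test-StoredCertificate {
    # Looks the thumbprint up in CurrentUser\My (the store Connect-MgGraph -CertificateThumbprint searches)
    # and fails early if the entry is missing, has no private key, or is close to expiry.
    param([Parameter(Mandatory)][string]$Thumbprint)
    $store = [System.Security.Cryptography.X509Certificates.X509Store]::new('My', 'CurrentUser')
    $store.Open('ReadOnly')
    try {
        $found = $store.Certificates.Find('FindByThumbprint', $Thumbprint, $false)
        if ($found.Count -eq 0) { throw "Thumbprint $Thumbprint is not in CurrentUser\My; re-run the import step" }
        $cert = $found[0]
        if (-not $cert.HasPrivateKey) { throw "Certificate $Thumbprint has no private key, so it cannot sign the client assertion" }
        if ($cert.NotAfter -lt (Get-Date).AddDays(30)) {
            Write-Warning "Certificate expires on $($cert.NotAfter); upload the replacement to the App Registration before rotating"
        }
        return $cert
    }
    finally { $store.Close() }
}

# Usage: the file that goes to Azure and the store entry the connection will use must agree
$PemThumbprint = Get-PemThumbprint -PemPath $CertPublic
$Stored = Test-StoredCertificate -Thumbprint $PemThumbprint
Write-Host "cert.pem and CurrentUser\My agree on thumbprint $PemThumbprint (valid until $($Stored.NotAfter))"
```

Running this before the upload step catches the two mistakes that otherwise only surface as an opaque token error later: importing a PFX whose key did not make it into the store, and uploading a cert.pem that does not correspond to the thumbprint you noted down.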

Upload Certificate

Before we connect to Graph API, we need to upload the certificate we created (cert.pem, the public certificate only; the private key in key.pem and merged.pfx stays on the machine) to the certificates section of our Azure App Registration. Go ahead and upload the certificate.

Connect

Once the certificate has been uploaded, run the command below with your App Registration details and the certificate thumbprint.

Connect-MgGraph -ClientId "ClientID" -TenantId "TenantID" -CertificateThumbprint "thumbprint"
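As an added example (my code, not the article's), here is a wrapper around that command that verifies the resulting session is actually app-only and in the expected tenant, and prints the application permissions the token carries so they can be reviewed against least privilege. It assumes the Microsoft.Graph module installed above (Get-MgContext and the -NoWelcome switch come from its Microsoft.Graph.Authentication component); the function name and the placeholder values are mine.

```powershell
# Added example, not from the original article. Requires the Microsoft.Graph module installed earlier in the post.
function Connect-GraphWithCertificate {
    param(
        [Parameter(Mandatory)][string]$ClientId,
        [Parameter(Mandatory)][string]$TenantId,
        [Parameter(Mandatory)][string]$Thumbprint
    )
    # -ErrorAction Stop turns a failed certificate lookup or token request into a terminating error
    Connect-MgGraph -ClientId $ClientId -TenantId $TenantId -CertificateThumbprint $Thumbprint -NoWelcome -ErrorAction Stop

    $ctx = Get-MgContext
    if ($null -eq $ctx) { throw 'Connect-MgGraph returned without a context' }
    # A certificate sign-in must yield an app-only token; fail rather than continue on anything else
    if ($ctx.AuthType -ne 'AppOnly') { throw "Expected AppOnly authentication, got $($ctx.AuthType)" }
    if ($ctx.TenantId -ne $TenantId) { throw "Connected to tenant $($ctx.TenantId), expected $TenantId" }
    # Scopes lists the application permissions granted to the App Registration; anything unexpected here is a finding
    Write-Host "Connected as app $($ctx.ClientId) with permissions: $($ctx.Scopes -join ', ')"
    return $ctx
}

# Usage (placeholders, replace with your App Registration values and the thumbprint from the script above)
$ctx = Connect-GraphWithCertificate -ClientId '<ClientID>' -TenantId '<TenantID>' -Thumbprint '<thumbprint>'
# Disconnect when the work is done so the app-only session does not linger in the PowerShell process
Disconnect-MgGraph | Out-Null
```

The AuthType and TenantId checks are cheap insurance for scripts that run unattended: a typo in the tenant or client ID should stop the run before any Graph call is made with the wrong identity.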


Comments

One response to “Connect To Microsoft Graph API Using Certificate From Linux”

  1. Evil Avatar

    Trying this with pwsh on Linux, the line:

    [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($CertMerge, $CertPass, $Flag)

    threw a spurious openssl error indicating the file wasn’t found. However, it works if you call it with just the first two parameters.

    Thanks for the tips! I was able to authenticate via cert using this process.
