This article will show how to connect to Microsoft Graph API using a certificate from a Windows WSL running Ubuntu.
Microsoft Graph API gives us API access to manage and create resources across Azure and Microsoft 365 programmatically using C#, Python and even the Graph API PowerShell module.
Authentication
When it comes to authentication, we have two options. The first is delegated access (user), where we authenticate with a username and password. The second is app-only access, using an access token or a certificate.
Of these, connecting with a certificate is the most secure method, and in this post we will go through the process of creating a certificate and using it to connect.
Before you start, ensure you have an Azure Active Directory (Azure AD) App Registration configured with the required API permissions. For details on creating one, see the post we published earlier.
Create a Certificate
Use the PowerShell script below to create a self-signed X.509 certificate on WSL or another Linux distribution.
Note – To run the script, you must install PowerShell 7. To install PowerShell, see the article we published earlier.
Note – You must also install the Microsoft Graph PowerShell module, using the cmdlet below.
Install-Module -Name Microsoft.Graph
The script is shown below (modify paths, names and the password as needed).
$CertPath = 'Enter Path'   # directory that will hold the key and certificate files; it must already exist
$CertKey = Join-Path $CertPath 'key.pem'
$CertPublic = Join-Path $CertPath 'cert.pem'
$CertMerge = Join-Path $CertPath 'merged.pfx'
$CertPass = 'Enter Cert Password'
$CertExpire = 365   # validity in days
$CertName = 'AuditSPN' + $(Get-Date -UFormat "%Y%m%d%H%M%S")
# Generate a new self-signed certificate: private key in key.pem, public certificate in cert.pem
openssl req -newkey rsa:2048 -new -nodes -x509 -days $CertExpire -keyout $CertKey -out $CertPublic -subj "/C=LV/ST=Some-State/L=LV/O=$CertName/OU=IT"
# Bundle the key and certificate into a password-protected PFX so it can be imported into the store
openssl pkcs12 -in $CertPublic -inkey $CertKey -export -out $CertMerge -passout pass:$CertPass
# Store the certificate (with its private key) in the CurrentUser\My certificate store
$StoreName = [System.Security.Cryptography.X509Certificates.StoreName]::My
$StoreLocation = [System.Security.Cryptography.X509Certificates.StoreLocation]::CurrentUser
$Store = [System.Security.Cryptography.X509Certificates.X509Store]::new($StoreName, $StoreLocation)
$Flag = [System.Security.Cryptography.X509Certificates.X509KeyStorageFlags]::Exportable
$Certificate = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($CertMerge, $CertPass, $Flag)
$Store.Open([System.Security.Cryptography.X509Certificates.OpenFlags]::ReadWrite)
$Store.Add($Certificate)
$Store.Close()
# Get the certificate thumbprint (and the Base64 DER of the public certificate, which you need if you add the key credential through the API instead of the portal)
$CertValue = [Convert]::ToBase64String($Certificate.GetRawCertData())
$Thumbprint = $Certificate.Thumbprint
Write-Host $Thumbprint
Important – After you run the script, note down the certificate thumbprint; you will need it to connect.
Upload Certificate
Before we connect to Graph API, we need to upload the public certificate we created (cert.pem; the PFX containing the private key stays on the machine) to the Certificates & secrets section of our Azure App Registration. Go ahead and upload the certificate.
Connect
Once the certificate has been uploaded, use the command below with your App Registration details and the certificate thumbprint.
Connect-MgGraph -ClientId "ClientID" -TenantId "TenantID" -CertificateThumbprint "thumbprint"
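The following is an added example, not code from the original post, that ties the upload and connect steps together with the checks a practitioner usually wants: it confirms that the cert.pem you upload and the PFX in the local store carry the same thumbprint (the portal shows the thumbprint after upload, so a mismatch is easy to spot), that the store entry actually has a private key, and that the resulting Graph session is app-only for the expected application. The client ID, tenant ID, thumbprint and certificate folder are placeholders you replace with your own values; the folder is assumed to be the one the script above wrote to.

```powershell
# Added example (not part of the original post). Placeholders below must be replaced.
$CertPath   = '/home/user/certs'                 # assumed: the folder the script above wrote to
$ClientId   = '<app-registration-client-id>'     # placeholder
$TenantId   = '<tenant-id>'                      # placeholder
$Thumbprint = '<thumbprint-printed-by-script>'   # placeholder

# 1. Thumbprint of the public certificate file that gets uploaded to the App Registration.
#    The X509Certificate2 constructor reads a PEM-encoded certificate file directly.
$PemCert  = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new((Join-Path $CertPath 'cert.pem'))
$PemThumb = $PemCert.Thumbprint

# 2. The matching entry (certificate plus private key) in the CurrentUser\My store.
#    The Cert: drive is Windows-only, so the store is opened through .NET on Linux.
$Store = [System.Security.Cryptography.X509Certificates.X509Store]::new(
    [System.Security.Cryptography.X509Certificates.StoreName]::My,
    [System.Security.Cryptography.X509Certificates.StoreLocation]::CurrentUser)
$Store.Open([System.Security.Cryptography.X509Certificates.OpenFlags]::ReadOnly)
$StoreCert = $Store.Certificates | Where-Object { $_.Thumbprint -eq $Thumbprint }
$Store.Close()

if (-not $StoreCert)               { throw "No certificate with thumbprint $Thumbprint in CurrentUser\My" }
if (-not $StoreCert.HasPrivateKey) { throw "Store entry $Thumbprint has no private key; re-import the PFX" }
if ($PemThumb -ne $Thumbprint)     { throw "cert.pem ($PemThumb) does not match the store entry ($Thumbprint)" }
if ($StoreCert.NotAfter -lt (Get-Date).AddDays(30)) {
    Write-Warning "Certificate expires on $($StoreCert.NotAfter); plan a rotation before then"
}

# 3. App-only sign-in with the certificate, then confirm what kind of session we actually got.
Connect-MgGraph -ClientId $ClientId -TenantId $TenantId -CertificateThumbprint $Thumbprint
$Ctx = Get-MgContext
if ($Ctx.AuthType -ne 'AppOnly' -or $Ctx.ClientId -ne $ClientId) {
    Disconnect-MgGraph
    throw "Unexpected Graph context: AuthType=$($Ctx.AuthType) ClientId=$($Ctx.ClientId)"
}
Write-Host "Connected app-only as $($Ctx.ClientId) in tenant $($Ctx.TenantId)"
Write-Host "Application permissions granted: $($Ctx.Scopes -join ', ')"
```

If you would rather not depend on the certificate store, Connect-MgGraph also accepts the loaded object through -Certificate $StoreCert instead of -CertificateThumbprint. Checking Get-MgContext before issuing any Graph call is worth keeping in automation: it is the quickest way to notice that a script silently fell back to a cached delegated session.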
Trying this with pwsh on Linux, the line:
[System.Security.Cryptography.X509Certificates.X509Certificate2]::new($CertMerge, $CertPass, $Flag)
threw a spurious openssl error indicating the file wasn’t found. However, it works if you call it with just the first two parameters.
Thanks for the tips! I was able to authenticate via cert using this process.