Closed dovelus closed 3 weeks ago
Just to verify, after creating the certificate, you installed the certificate on the machine you're executing the tool from? You can validate this by using the following command:
Get-ChildItem -Path Cert:\ -Recurse | Where-Object { $_.Thumbprint -eq $thumbprint }
I checked the certificates, but it seems that the thumbprint is different between my local machine and Azure, even when I used the same cert.
OK, I reran the command by supplying the local thumbprint and now it passed the cert check,
The PnP documentation states that the provided command creates the certificates and they can be used to authenticate by issuing the certificate path. By installing the .cer version of the generated certificate locally, and ensuring the thumbprint matches what is reflected in the registered application, the thumbprint authentication should work.
In the error messages in your provided screenshots, the service cannot find a matching certificate on the registered application.
Based on your provided command, try navigating to c:\mycertificates and uploading the .cer file to the app in your tenant.
If this still fails, it may be better to create your own certificate and upload it to the registered application.
You will also want to ensure that you have granted the appropriate application permissions for all other services to the registered application as outlined in the Application Authentication Requirements in this repo's README file.
I created another self-signed certificate but the error still remains the same. Now the thumbprints are the same:
Are you able to connect to the PnP service using this thumbprint?
Connect-PnPOnline -Url "https://[your_org_name]-admin.sharepoint.com" -ClientId $appID -Thumbprint $thumbprint -Tenant [your_tenant_domain]
For example:
Connect-PnPOnline -Url "https://mycompany-admin.sharepoint.com" -ClientId $appID -Thumbprint $thumbprint -Tenant mycompany.com
Here is the output. Yep, I think it can't find the certificate, and just for context the cert is under App Registration -> 365 Inspect -> Manage -> Certificates.
This error appears to be related to your local machine and not the application in Microsoft Entra.
Does this command return any output?
Get-ChildItem -Path Cert:\CurrentUser\My | Where-Object { $_.Thumbprint -eq $thumbprint }
This machine is a freshly installed Windows VM, so I exclude any problem related directly to my system.
The error in this screenshot appears to be related to the certificate creation.
I would recommend creating a new certificate using the following process:
PowerShell Execution Policy
PowerShell Execution Policy on the client machine should be configured to allow the scripts to run. Typically, the Execution Policy should be set to ‘RemoteSigned’. This can be accomplished by running the following command from an administrative PowerShell prompt:
Set-ExecutionPolicy RemoteSigned -Force -Confirm:$false
Certificate Creation
A certificate is required to run the tool unattended, as it will be used to authenticate the scripts to the tenant. Creating a self-signed certificate is recommended. It is important to note that existing policies on creation and use of self-signed certificates may be prescribed by the organization. While the examples in this document present one possible solution, it is recommended to adhere to established internal policies in creation of the certificate. The .cer certificate should be installed on the machine after creation.
Creation of the certificate can be accomplished via an administrative PowerShell window using the following example commands:
Create certificate
$mycert = New-SelfSignedCertificate -DnsName "Enter your organization here" -CertStoreLocation "cert:\CurrentUser\My" -NotAfter (Get-Date).AddYears(1) -KeySpec KeyExchange
Export certificate to .pfx file
$mycert | Export-PfxCertificate -FilePath mycert.pfx -Password $(ConvertTo-SecureString -String "P@ssw0Rd1234" -AsPlainText -Force)
Export certificate to .cer file
$mycert | Export-Certificate -FilePath mycert.cer
Certificate Installation
The certificate can be installed on the machine by right-clicking the certificate and selecting Install.
The certificate defaults to the Current User Store Location, click Next
Click Next ensuring the Certificate Import Wizard radio button selected is Automatically select the certificate store based on the type of certificate
Click Finish
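An added check, not part of the original thread or the project's code: it reads the exported .cer (the file uploaded to the app registration), looks for the same thumbprint in Cert:\CurrentUser\My, and confirms that the store copy carries the private key needed to sign the authentication request. The function name Test-AppCertificate and the .\mycert.cer path are assumptions for illustration.

```powershell
# Added example. Test-AppCertificate is a hypothetical helper name; .\mycert.cer is
# assumed to be the file produced by the Export-Certificate step above.
function Test-AppCertificate {
    param(
        [Parameter(Mandatory)] [string] $CerPath,
        [string] $StorePath = 'Cert:\CurrentUser\My'
    )

    # Load the public certificate file; its Thumbprint is what the app registration shows.
    $fullPath = (Resolve-Path -LiteralPath $CerPath).ProviderPath
    $fileCert = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($fullPath)

    # Look for the same certificate in the local store (-eq is case-insensitive for strings).
    $storeCert = Get-ChildItem -Path $StorePath |
        Where-Object { $_.Thumbprint -eq $fileCert.Thumbprint } |
        Select-Object -First 1

    $now = Get-Date
    [pscustomobject]@{
        FileThumbprint = $fileCert.Thumbprint
        InStore        = [bool]$storeCert
        # A .cer holds only the public key; the store entry must have the private key.
        HasPrivateKey  = [bool]($storeCert -and $storeCert.HasPrivateKey)
        NotBefore      = $fileCert.NotBefore
        NotAfter       = $fileCert.NotAfter
        CurrentlyValid = ($now -ge $fileCert.NotBefore) -and ($now -le $fileCert.NotAfter)
    }
}

$result = Test-AppCertificate -CerPath .\mycert.cer
$result | Format-List

if (-not $result.InStore) {
    Write-Warning "No certificate with thumbprint $($result.FileThumbprint) in the store."
} elseif (-not $result.HasPrivateKey) {
    Write-Warning 'Certificate is in the store but has no private key; import the .pfx instead.'
} elseif (-not $result.CurrentlyValid) {
    Write-Warning 'Certificate is outside its validity period.'
} else {
    # This is the value to compare with the thumbprint listed on the app registration.
    $thumbprint = $result.FileThumbprint
    Write-Output "Use -Thumbprint $thumbprint"
}
```

If FileThumbprint differs from the value listed under the application's Certificates blade, the uploaded file is not the certificate held locally.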
Thanks, it worked beautifully; the cert problem is solved.
Are the permissions granted using the 'Grant Admin Consent' button? Your application's permissions should look like this:
Describe the bug
Using APPID connection is not correctly working
To Reproduce
Steps to reproduce the behavior:
Screenshots
Full Error Certificate in Azure APP Certificate on azure:
Desktop (please complete the following information):
Additional context
To create the app I used this command:
Register-PnPEntraIDApp -ApplicationName "PnP Rocks" -Tenant [yourtenant].onmicrosoft.com -OutPath c:\mycertificates -DeviceLogin