Exchange Online - Certificate Based Authentication - Step by Step

4 minute read

Microsoft released to GA the new version of Exchange Online Management module, version 2.0.3 at the time this article, which introduces Certificate Based Authentication for PowerShell sessions. Basic Authentication has been already deprecated and originally planned for removal in October 2020 but due CoVid-19 outbreak this has been postponed to 2021 as you can read here.

I have been using the module preview in production for quite some time but held back publishing this article so to have all places in place as GA.

Exchange Online Certificate Based authentication - Register Azure Application

The first step to deploy Certificate Based authentication is to register a new Azure Application. Navigate Azure Active Directory in the Azure portal and select App Registrations (alternatively use the search function which is what I usually do)

Testing clickable images:

In the app registrations under Owned applications we can list all applications that we registered under our account, in my case this is still empty, and under All applications as the name implies all application registered tenant wide.

Click on the New Registration and fill the various fields accordingly, unless you have specific needs all default values should suffice for most configurations/deployments. I am assuming a single tenant deployment in the following example

Once done click on the Register button, provision will only take a couple of seconds.

Note: The only field really needed in the Name one just be sure to choose a descriptive name that is easy for you to remember.

Exchange Online Certificate Based authentication - Grant API Permissions

Once the application has been registered we need to configure/grant API permissions that will define what our application can and cannot do. Either select API Permissions from the left blade or from the link directly below the API properties and select Add permission

From the Request API Permissions scroll all the way down the Supported Legacy APIs and select Exchange, Application Permissions and finally tick Exchange.ManageAsApp under the Exchange section

Note: I will not go into much detail as much has already been written about this but Exchange does not natively support new Graph API that’s why Exchange is listed under Legacy API.

The last step involves clicking the **Grant Admin Consent for ** so that permissions will be deployed for all mailboxes.

Exchange Online Certificate Based authentication - Configure Authentication

With the application created configured in AzureAD we need to configure authentication against AzureAD. When using application permissions model authentication is performed via a client secret, a token, or a certificate. Token authentication is considered, rightly so, less secure for this reason only certificate one is supported by Exchange Online/Microsoft.

In the scope of Exchange OnLine authentication it is unimportant if we’re using a self signed or publicly trusted certificate as long as we have the associated private key.

You can easily create a self-signed certificate via PowerShell with the following command:

$paramNewSelfSignedCertificate = @{
    Subject           = 'Exchange Online Background Process'
    CertStoreLocation = 'cert:\CurrentUser\My'
    KeySpec           = 'KeyExchange'
    FriendlyName      = 'Exchange Online Authentication Certificate'

New-SelfSignedCertificate @paramNewSelfSignedCertificate

# Output
Thumbprint                                Subject
----------                                -------
1B1541D37888EFECD058B528524764G0EF8608D4  CN=Exchange Online Background Process

Note: Certificate will be automatically installed in the local certificate store under User / Personal Certificates and have, by default, validity of 1 year.

Open Certificate Manager MMC console and under Certificates Current User / Personal / Certificates right-click on the certificate and select All Tasks / Export. Just follow the export wizard be sure to select Do not export private key and select CER as the export format.

In the Azure Portal select Certificates and Secretes from the left blade and Upload certificate navigating to the path where the certificate has been exported/stored

Note: Write down the certificate thumbprint displayed in the Azure page as we will need this later on.

Exchange Online Certificate Based authentication - Grant permissions

As I mentioned in the Grant API Permissions paragraph Graph API does not support any Exchange management operations nor we can use Exchange RBAC model as that only applies to user objects not applications, like in our case, which are represented by a Service Principal. What we can do is granting a AzureAD Directory Role to our application Service Principal.

With the Azure AD blade selected go to Roles and administrators and select Exchange Administrator confirming with the Add Assignment button

In Select Member windows you will need to search application by GUID and select it

In the Add Assignment page be sure to select Active under Assignment Type and tick the Permanently Assign checkbox

Once configuration is complete you will see a page similar the following

Where you can review applied configuration and make any required change.

Exchange Online Certificate Based authentication - Testing connection

After all the above components are in place it’s time to test our configuration. Assuming the Exchange Online Management PowerShell module version 2.0.3 is installed we can issue the following command to establish a connection

$paramConnectExchangeOnline = @{
    CertificateThumbprint = $certThumbPrint
    AppId                 = $appId
    Organization          = $exchangeOrgId

Connect-ExchangeOnline @paramConnectExchangeOnline

Where certThumbPrint is the certificate thumbprint we created and uploaded to Azure, appId is the ID of the application we created and exchangeOrgId is the name of the tenant in the form

And here’s the result

Closing notes

This was quite a long post but steps to get up and running with Exchange Online Certificate based authentication are numerous even if not difficult to implement but well worth following.

Certificate Based authentication resolves a number of challenges administrators had to face up to this point, chief among all storing credentials which is inherently insecure.