Authorization_RequestDenied when I use a certificate (no problem when using a secret)

Mountain Pond 1,431 Reputation points
2023-06-04T01:49:43.07+00:00

Hello, please tell me: why am I not authenticated if I use a certificate?


Working with a secret, everything goes well: authentication and getting information through Graph. Here is an example:

$appid = 'xxxxxx-xxxxxx-xxxxxx-xxxxxx-xxxxxx'
$tenantid = 'yyyyyy-yyyyyy-yyyyyy-yyyyyy-yyyyyy'
$secret = 'zzzzzzzzzzzzzzz'
 
$body =  @{
    Grant_Type    = "client_credentials"
    Scope         = "https://graph.microsoft.com/.default"
    Client_Id     = $appid
    Client_Secret = $secret
}
 
$connection = Invoke-RestMethod `
    -Uri https://login.microsoftonline.com/$tenantid/oauth2/v2.0/token `
    -Method POST `
    -Body $body
$token = $connection.access_token
 
Connect-MgGraph -AccessToken $token

# The Graph API URL
$uri = "https://graph.microsoft.com/v1.0/deviceManagement/managedDevices"
$method = "GET"
# Run the Graph API query to retrieve managed devices, passing the token as a Bearer header
$output = Invoke-WebRequest -Method $method -Uri $uri -ContentType "application/json" -Headers @{Authorization = "Bearer $token"} -ErrorAction Stop
($output.Content | ConvertFrom-Json).value | Out-GridView

However, if I use a certificate, I can connect to Graph successfully; when I run queries, though, I get errors.

Example:

Connect-MgGraph -ClientID 'xxxxxx-xxxxxx-xxxxxx-xxxxxx-xxxxxx' -TenantId 'yyyyyy-yyyyyy-yyyyyy-yyyyyy-yyyyyy' -CertificateThumbprint 'zzzzzzzzzzzzzzz'

$output = Invoke-WebRequest -Method 'GET' -Uri "https://graph.microsoft.com/v1.0/deviceManagement/managedDevices"
($output.Content | ConvertFrom-Json).value | Out-GridView


Connect-AzureAD -TenantId 'yyyyyy-yyyyyy-yyyyyy-yyyyyy-yyyyyy' -ApplicationId  'xxxxxx-xxxxxx-xxxxxx-xxxxxx-xxxxxx' -CertificateThumbprint 'zzzzzzzzzzzzzzz'

Get-AzureADUser
Get-AzureADDevice


The authority is enough, and everything works with the secret but not with the certificate. Perhaps I missed something.

I also wanted to ask whether it is possible to authenticate on behalf of the device. This device is not part of Azure (not a VM or a server), but is a security object: an Azure AD joined device.

Thank you.
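An added example (not the poster's code) showing what the certificate flow does underneath: it builds the signed client_assertion JWT from the certificate in the store, exchanges it for a token, and then calls Graph with an explicit Authorization header, exactly as the secret-based script does. The app id, tenant id and thumbprint are placeholders; the script assumes Windows PowerShell on .NET Framework 4.6 or later, with the certificate and its private key in the CurrentUser\My store.

```powershell
# Added example (not the poster's code): certificate client credentials for Graph.
# Placeholders below are assumed; replace them with your own app registration values.
$appId      = 'xxxxxx-xxxxxx-xxxxxx-xxxxxx-xxxxxx'
$tenantId   = 'yyyyyy-yyyyyy-yyyyyy-yyyyyy-yyyyyy'
$thumbprint = 'zzzzzzzzzzzzzzz'

# The certificate (with its private key) must be in the store the script runs under
$cert = Get-Item "Cert:\CurrentUser\My\$thumbprint"
if (-not $cert.HasPrivateKey) { throw "Certificate $thumbprint has no private key" }

function ConvertTo-Base64Url([byte[]]$bytes) {
    [Convert]::ToBase64String($bytes).TrimEnd('=').Replace('+', '-').Replace('/', '_')
}

$tokenEndpoint = "https://login.microsoftonline.com/$tenantId/oauth2/v2.0/token"
$now = [DateTimeOffset]::UtcNow.ToUnixTimeSeconds()

# JWT header: RS256, x5t = base64url(SHA-1 cert hash) so AAD can match the uploaded certificate
$header = @{ alg = 'RS256'; typ = 'JWT'; x5t = (ConvertTo-Base64Url ($cert.GetCertHash())) } |
    ConvertTo-Json -Compress
# Claims: aud is the token endpoint, iss/sub the app id, short validity window, unique jti
$claims = @{ aud = $tokenEndpoint; iss = $appId; sub = $appId
             jti = [guid]::NewGuid().ToString(); nbf = $now; exp = $now + 600 } |
    ConvertTo-Json -Compress

$unsigned = (ConvertTo-Base64Url ([Text.Encoding]::UTF8.GetBytes($header))) + '.' +
            (ConvertTo-Base64Url ([Text.Encoding]::UTF8.GetBytes($claims)))
$rsa = [Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPrivateKey($cert)
$sig = $rsa.SignData([Text.Encoding]::UTF8.GetBytes($unsigned),
                     [Security.Cryptography.HashAlgorithmName]::SHA256,
                     [Security.Cryptography.RSASignaturePadding]::Pkcs1)
$assertion = $unsigned + '.' + (ConvertTo-Base64Url $sig)

$body = @{
    grant_type            = 'client_credentials'
    scope                 = 'https://graph.microsoft.com/.default'
    client_id             = $appId
    client_assertion_type = 'urn:ietf:params:oauth:client-assertion-type:jwt-bearer'
    client_assertion      = $assertion
}
$token = (Invoke-RestMethod -Uri $tokenEndpoint -Method POST -Body $body).access_token

# Same raw call as in the secret flow: the Bearer header is what authorizes Invoke-WebRequest
$uri = 'https://graph.microsoft.com/v1.0/deviceManagement/managedDevices'
$output = Invoke-WebRequest -Method GET -Uri $uri -Headers @{ Authorization = "Bearer $token" } -ErrorAction Stop
($output.Content | ConvertFrom-Json).value | Out-GridView
```

A request with no Authorization header fails with a 401 before any permission check, whereas a 403 Authorization_RequestDenied means the token was accepted but does not carry the application permission the endpoint requires, granted with admin consent; decoding the access_token and inspecting its roles claim shows which of the two cases applies.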
