Authorization_RequestDenied when I use a certificate (no problem when using a secret)
Hello, please tell me: why am I not authenticated if I use a certificate?
Working with a secret, everything goes well: authentication and getting information through Graph. Here is an example:
$appid = 'xxxxxx-xxxxxx-xxxxxx-xxxxxx-xxxxxx'
$tenantid = 'yyyyyy-yyyyyy-yyyyyy-yyyyyy-yyyyyy'
$secret = 'zzzzzzzzzzzzzzz'
$body = @{
    Grant_Type    = "client_credentials"
    Scope         = "https://graph.microsoft.com/.default"
    Client_Id     = $appid
    Client_Secret = $secret
}
$connection = Invoke-RestMethod `
    -Uri https://login.microsoftonline.com/$tenantid/oauth2/v2.0/token `
    -Method POST `
    -Body $body
$token = $connection.access_token
Connect-MgGraph -AccessToken $token
# The Graph API URL
$uri = "https://graph.microsoft.com/v1.0/deviceManagement/managedDevices"
$method = "GET"
# Run the Graph API query to retrieve managed devices
$output = Invoke-WebRequest -Method $method -Uri $uri -ContentType "application/json" -Headers @{Authorization = "Bearer $token"} -ErrorAction Stop
($output.Content | ConvertFrom-Json).value | Out-GridView
However, if I use a certificate, then I can connect to Graph successfully. But when I run queries, I get errors.
Example:
Connect-MgGraph -ClientID 'xxxxxx-xxxxxx-xxxxxx-xxxxxx-xxxxxx' -TenantId 'yyyyyy-yyyyyy-yyyyyy-yyyyyy-yyyyyy' -CertificateThumbprint 'zzzzzzzzzzzzzzz'
$output = Invoke-WebRequest -Method 'GET' -Uri "https://graph.microsoft.com/v1.0/deviceManagement/managedDevices"
($output.Content | ConvertFrom-Json).value | Out-GridView
Connect-AzureAD -TenantId 'yyyyyy-yyyyyy-yyyyyy-yyyyyy-yyyyyy' -ApplicationId 'xxxxxx-xxxxxx-xxxxxx-xxxxxx-xxxxxx' -CertificateThumbprint 'zzzzzzzzzzzzzzz'
Get-AzureADUser
Get-AzureADDevice
The authority is enough, and everything works with the secret, but not with the certificate. Perhaps I missed something.
I also wanted to ask if it is possible to authenticate on behalf of the device. This device is not part of Azure (not a VM or a server), but is a security object: an Azure AD joined device.
Thank you.
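
A diagnostic that fits the question above, added here as an example and not part of the original post: decoding an access token's claims shows which API it was issued for (aud) and which application permissions (roles) it carries, so the secret-based and certificate-based sessions can be compared. The function names, the constructed sample token, the use of the `appid` claim, and DeviceManagementManagedDevices.Read.All as the permission required for listing managed devices are assumptions.

```powershell
# Added example (not from the original post). Helper names are hypothetical.
function ConvertFrom-Base64Url {
    param([Parameter(Mandatory)][string]$Value)
    $s = $Value.Replace('-', '+').Replace('_', '/')
    switch ($s.Length % 4) { 2 { $s += '==' } 3 { $s += '=' } }   # restore stripped padding
    [Text.Encoding]::UTF8.GetString([Convert]::FromBase64String($s))
}

function Get-AccessTokenClaims {
    param([Parameter(Mandatory)][string]$Token)
    $parts = $Token.Split('.')
    if ($parts.Count -ne 3) { throw 'Not a compact JWT (expected header.payload.signature).' }
    # Only the payload is decoded; the signature is not verified here.
    ConvertFrom-Base64Url $parts[1] | ConvertFrom-Json
}

function Test-TokenForRequest {
    param(
        [Parameter(Mandatory)][string]$Token,
        [Parameter(Mandatory)][string]$Audience,      # API the request is sent to
        [Parameter(Mandatory)][string]$RequiredRole   # application permission the call needs
    )
    $c = Get-AccessTokenClaims $Token
    [pscustomobject]@{
        AppId       = $c.appid                        # assumption: token carries 'appid'
        Audience    = $c.aud
        Roles       = @($c.roles) -join ', '
        AudienceOk  = ($c.aud -eq $Audience)
        RoleGranted = (@($c.roles) -contains $RequiredRole)
    }
}

# Constructed sample token (unsigned, placeholder values) so the example runs offline.
function ConvertTo-Base64Url([string]$Text) {
    [Convert]::ToBase64String([Text.Encoding]::UTF8.GetBytes($Text)).TrimEnd('=').Replace('+', '-').Replace('/', '_')
}
$payload = @{ aud   = 'https://graph.microsoft.com'
              appid = '00000000-0000-0000-0000-000000000000'
              roles = @('Device.Read.All') } | ConvertTo-Json -Compress
$sample = '{0}.{1}.{2}' -f (ConvertTo-Base64Url '{"alg":"none"}'), (ConvertTo-Base64Url $payload), 'sig'

# With a real session, pass the $token returned by the token endpoint instead of $sample.
Test-TokenForRequest -Token $sample -Audience 'https://graph.microsoft.com' `
    -RequiredRole 'DeviceManagementManagedDevices.Read.All'
```

For the constructed token the result shows AudienceOk as True and RoleGranted as False, which is the pattern to look for when a connection succeeds but a query is denied.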