13,728 questions
Connect-MgGraph : ClientCertificateCredential authentication failed: The certificate certificate does not have a private key.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(150.4, 33%, 24%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EBZ%3C/text%3E%3C/svg%3E)
Bojan Zivkovic
606
Reputation points
Hi, PS code connecting to MS Graph works fine (inside scheduled task) when run as user is domain admin account:
Connect-MgGraph -TenantId $TenantID -AppId $AppID -Certificate $Cert -NoWelcome
However, when scheduled task is running under gMSA having even full permissions on certificate private key, Connect-MgGraph line above always fails:
Connect-MgGraph : ClientCertificateCredential authentication failed: The certificate certificate does not have a private key.
We always prefer to use gMSAs for scheduled tasks so sorting this out would be great.
Microsoft Security | Microsoft Graph
{count} votes
-
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(41.6, 77%, 14%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ER%3C/text%3E%3C/svg%3E)
Rukmini 3,841 Reputation points Microsoft External Staff Moderator2025-05-21T06:53:13.08+00:00 Hello Bojan Zivkovic,
The error "The certificate certificate does not have a private key" usually occurs because the gMSA doesn't have access to the certificate's private key, even though the certificate is installed.
- List all certificates in the Personal store with their thumbprints:
Get-ChildItem -Path Cert:\LocalMachine\My | Select-Object Subject, Thumbprint- Load the certificate from
Cert:\LocalMachine\My\<Thumbprint>, notCurrentUser, since gMSAs don’t have a user profile. - Make sure gMSA has access to Private Key.
- Run as:
DOMAIN\<gMSAName>$ - Run with highest privileges
Now Connect to Graph:
$cert = Get-Item "Cert:\LocalMachine\My\<Thumbprint>" Connect-MgGraph -TenantId $TenantID -ClientId $AppID -Certificate $cert -NoWelcomeKindly consider upvoting the comment if the information provided is helpful. This can assist other community members in resolving similar issues.
-
Rukmini 3,841 Reputation points Microsoft External Staff Moderator
2025-05-22T03:48:50.6466667+00:00 Hello Bojan Zivkovic, We haven’t heard from you on the last response and was just checking back to see if you have a resolution yet. In case if you have any resolution, please do share that same with the community as it can be helpful to others. Otherwise, please respond with more details and we will try to help.
-
Bojan Zivkovic 606 Reputation points
2025-05-22T08:12:47.56+00:00 Everything you wrote above I had done prior to posting this question - according to the code debugging gMSA has access to private key but error still persists (gMSA has read access on certificate private key - explicitly assigned).
Sign in to comment
Sign in to answer