I have set up a PowerShell script to read audit logs using the O365 Management API. It works well, but rather than using the Azure AD app's client secret, I would prefer to use a certificate to authenticate, as is possible with MSAL.
In the documentation it only covers the app secret:
$body = @{grant_type="client_credentials";resource=$resource;client_id=$ClientID;client_secret=$ClientSecret}
$oauth = Invoke-RestMethod -Method Post -Uri $loginURL/$tenantdomain/oauth2/token?api-version=1.0 -Body $body
$headerParams = @{'Authorization'="$($oauth.token_type) $($oauth.access_token)"}
ref - https://learn.microsoft.com/en-us/office/office-365-management-api/troubleshooting-the-office-365-management-activity-api
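
The same token request with a certificate in place of `client_secret`, as an added example that is not part of the original post or the linked documentation: it builds a signed JWT client assertion and sends it in `client_assertion`. Assumptions: the tenant, app ID and thumbprint are placeholders, the certificate (with private key) sits in the current user's store, its public key is already uploaded to the app registration, and the v1 token endpoint URL is used as the assertion audience.

```powershell
# Added example. All values below are placeholders (assumptions), not from the post.
$tenantdomain = 'contoso.onmicrosoft.com'
$ClientID     = '00000000-0000-0000-0000-000000000000'
$resource     = 'https://manage.office.com'
$loginURL     = 'https://login.microsoftonline.com'
$thumbprint   = '<CERT-THUMBPRINT>'

# The private key stays in the certificate store; nothing secret is kept in the script.
$cert     = Get-Item "Cert:\CurrentUser\My\$thumbprint"
$tokenUrl = "$loginURL/$tenantdomain/oauth2/token"

function ConvertTo-Base64Url([byte[]]$Bytes) {
    [Convert]::ToBase64String($Bytes).TrimEnd('=').Replace('+', '-').Replace('/', '_')
}

# JWT header: x5t is the base64url-encoded SHA-1 thumbprint of the certificate.
$header = @{ alg = 'RS256'; typ = 'JWT'; x5t = (ConvertTo-Base64Url $cert.GetCertHash()) } |
    ConvertTo-Json -Compress

# JWT claims: issuer and subject are the app ID; the assertion is valid for 10 minutes.
$now    = [DateTimeOffset]::UtcNow.ToUnixTimeSeconds()
$claims = @{
    aud = $tokenUrl; iss = $ClientID; sub = $ClientID
    jti = [guid]::NewGuid().ToString(); nbf = $now; exp = $now + 600
} | ConvertTo-Json -Compress

$utf8     = [Text.Encoding]::UTF8
$unsigned = (ConvertTo-Base64Url $utf8.GetBytes($header)) + '.' +
            (ConvertTo-Base64Url $utf8.GetBytes($claims))

# Sign header.claims with the certificate's RSA private key (RS256 = SHA-256 + PKCS#1 v1.5).
$rsa = [Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPrivateKey($cert)
$sig = $rsa.SignData($utf8.GetBytes($unsigned),
    [Security.Cryptography.HashAlgorithmName]::SHA256,
    [Security.Cryptography.RSASignaturePadding]::Pkcs1)
$assertion = $unsigned + '.' + (ConvertTo-Base64Url $sig)

# Same request body as in the post, with client_secret replaced by the signed assertion.
$body = @{
    grant_type            = 'client_credentials'
    resource              = $resource
    client_id             = $ClientID
    client_assertion_type = 'urn:ietf:params:oauth:client-assertion-type:jwt-bearer'
    client_assertion      = $assertion
}
$oauth        = Invoke-RestMethod -Method Post -Uri $tokenUrl -Body $body
$headerParams = @{ 'Authorization' = "$($oauth.token_type) $($oauth.access_token)" }
```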