
Azure Automation / runbooks - issue with SP with Thumbprint

Open Wopienkaatwork opened this issue 10 months ago • 1 comments

Description of the issue

I wanted to run an export from a tenant with the help of a runbook, but when I use a service principal I get the following error message:

```text
pulling DSC from Tenant 2024-Apr-11-2004PM
Exporting Microsoft 365 configuration for Workloads: AAD
Finding all resources for workload {AAD} and Mode {Default}
Authentication methods specified:
- Service Principal with Certificate Thumbprint
Get-ChildItem : Cannot find path '\LocalMachine\My\xxxxxxxxxxxxx' because it does not exist.
At C:\usr\src\PSModules\MSCloudLoginAssistant\Workloads\MicrosoftGraph.psm1:115 char:29
+ ... $cert = Get-ChildItem "Cert:\LocalMachine\My$($Global:MSCloudLog ...
+             ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo : ObjectNotFound: (\LocalMachine\M...xxxxxxxxxx:String) [Get-ChildItem], ItemNotFoundException
    + FullyQualifiedErrorId : PathNotFound,Microsoft.PowerShell.Commands.GetChildItemCommand
Partial Export file was saved at: C:\Users\ContainerAdministrator\AppData\Local\Temp\ea76ee5b-6e13-4f2d-babc-a1520bad92f4.partial.ps1
```

The code I used:

```powershell
$creds = Get-AutomationPSCredential -Name "DemoTenant"
$path = "$env:TEMP"
$Date = $(Get-Date -f yyyy-MMM-dd-HHMMtt)

# Service principal details (placeholders)
$ApplicationId = "xxxxxx"
$CertificateThumbprint = "xxxxxxx"
$TenantId = 'xxxxxxxxxxx.onmicrosoft.com'

write-output "Pulling DSC from Tenant $Date"

# Export the AAD workload, authenticating with the app registration's certificate thumbprint
Export-M365DSCConfiguration -Workload @("AAD") -path $path -filename "runbook_$date.ps1" *>&1 -ApplicationId $ApplicationId -CertificateThumbprint $CertificateThumbprint -TenantId $TenantId -generateinfo $true
```

I already installed all modules (Version 5.1). Is there an option to use runbooks with an SP with thumbprints?

Microsoft 365 DSC Version

1.24.403.1

Which workloads are affected

Azure Active Directory (Entra ID)

The DSC configuration

No response

Verbose logs showing the problem

No response

Environment Information + PowerShell Version

No response

Wopienkaatwork, Apr 11 '24 20:04

@Wopienkaatwork The certificate you are using must be imported in the certificate store of the local machine, e.g. using certutil. Below you find an example how I do it on an Azure Runbook Hybrid Worker in System context.

```powershell
$certPath = "C:\certificate.pfx"
$certificate = Get-PfxCertificate -FilePath $certPath
$thumbPrint = $certificate.Thumbprint
$null = "" | certutil -f -importpfx $certPath NoRoot

Export-M365DSCConfiguration...
```

The certutil command imports the pfx without the Root certificate in its chain and overwrites any previously existing certificate with that name. You could do this with Import-PfxCertificate as well, but in my case that didn't quite work out. But that's another story.

FabienTschanz, Apr 19 '24 12:04
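A fuller version of that pre-flight step, as an added example that is not from the thread or the Microsoft365DSC project: it takes the certificate from an Azure Automation certificate asset (the asset name "M365DSC-Cert" and the helper `Assert-M365DSCCertificate` are hypothetical), persists it into Cert:\LocalMachine\My if it is not already there, and verifies that the store entry has a private key and is not expired before the export starts. It assumes a Hybrid Worker running as SYSTEM (or another account allowed to write to the machine store) and that the asset was uploaded as exportable.

```powershell
# Added example (not from the issue thread). The error above comes from
# MSCloudLoginAssistant looking up Cert:\LocalMachine\My\<thumbprint>, so that
# exact path is what we check and, if needed, populate before exporting.
$ApplicationId = "<app-id>"                 # placeholder
$TenantId      = "<tenant>.onmicrosoft.com" # placeholder
$AssetName     = "M365DSC-Cert"             # hypothetical Automation certificate asset

function Assert-M365DSCCertificate {
    param([Parameter(Mandatory)][string] $AssetName)

    # Certificate object (with private key, if the asset is exportable) from the Automation account
    $cert = Get-AutomationCertificate -Name $AssetName
    if (-not $cert.HasPrivateKey) {
        throw "Certificate asset '$AssetName' has no private key; upload it as exportable."
    }

    $storePath = "Cert:\LocalMachine\My\$($cert.Thumbprint)"
    if (-not (Test-Path $storePath)) {
        # Re-load the PFX bytes with MachineKeySet|PersistKeySet so the private key is
        # written to the machine key store instead of living only in this process.
        $pfx   = $cert.Export([System.Security.Cryptography.X509Certificates.X509ContentType]::Pfx)
        $flags = [System.Security.Cryptography.X509Certificates.X509KeyStorageFlags]::MachineKeySet -bor
                 [System.Security.Cryptography.X509Certificates.X509KeyStorageFlags]::PersistKeySet
        $persistable = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($pfx, '', $flags)

        $store = [System.Security.Cryptography.X509Certificates.X509Store]::new('My', 'LocalMachine')
        $store.Open([System.Security.Cryptography.X509Certificates.OpenFlags]::ReadWrite)
        $store.Add($persistable)
        $store.Close()
    }

    # Read it back from the store so a bad import fails here with a clear message,
    # not inside the module with a "Cannot find path" error.
    $installed = Get-Item $storePath -ErrorAction Stop
    if (-not $installed.HasPrivateKey) {
        throw "Certificate $($installed.Thumbprint) is in LocalMachine\My but has no private key."
    }
    if ($installed.NotAfter -lt (Get-Date)) {
        throw "Certificate $($installed.Thumbprint) expired on $($installed.NotAfter)."
    }
    return $installed.Thumbprint
}

# Use the thumbprint of the certificate actually in the store, so a mistyped
# hard-coded thumbprint cannot send the module looking for a missing entry.
$thumbprint = Assert-M365DSCCertificate -AssetName $AssetName
$Date = Get-Date -Format 'yyyy-MMM-dd-HHmmtt'
Write-Output "Pulling DSC from Tenant $Date using certificate $thumbprint"

Export-M365DSCConfiguration -Workload @('AAD') -Path $env:TEMP -FileName "runbook_$Date.ps1" `
    -ApplicationId $ApplicationId -CertificateThumbprint $thumbprint -TenantId $TenantId *>&1
```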