
Bug: Certificate-based authentication (P12) with --azuread fails

Open Leightonish opened this issue 1 month ago • 0 comments

Hi Vincent,

I am experiencing issues with PingCastle and Azure Active Directory certificate-based authentication (P12).

In essence, the authentication seems to be successful, but I am not authorized to read anything from the directory. The Global Reader role has been assigned to the Service Principal. However, I am facing a persistent 401 Unauthorized error when attempting to perform a scan.

(Also confirmed to be a bug after reaching out to support)

There is currently a bug. We are working on finding a workaround for certificate authentication.

The error log is as follows:

PS> PingCastle.exe --azuread --clientid redacted --tenantid redacted --p12-file certificate.pfx --p12-pass redacted
Starting the task: Analyze
[08:01:28] Starting
[08:01:28] Authenticate
[08:01:28] DNS Domains
[08:01:29] Exception when doing DNS Domains
[08:01:29] The creator of this fault did not specify a Reason.
[08:01:29] Continuing
[08:01:29] Known tenant
[08:01:29] Exception when doing Known tenant
[08:01:29] Response status code does not indicate success: 401 (Unauthorized).
[08:01:29] Continuing
[08:01:29] Get Configuration
[08:01:29] Company Info
[08:01:29] Exception when doing Company Info
[08:01:29] The creator of this fault did not specify a Reason.
[08:01:29] Continuing
[08:01:29] UsersPermissionToReadOtherUsersEnabled is False. Only an admin will be able to analyze users & admins
[08:01:29] Policies
[08:01:29] Exception when doing Policies
[08:01:29] Error when calling https://graph.windows.net:443/redacted/policies?api-version=1.61-internal : Access denied to the specified API version.
[08:01:29] Continuing
[08:01:29] AD Connect
[08:01:30] Exception when doing AD Connect
[08:01:30] Response status code does not indicate success: 401 (Unauthorized).
[08:01:30] Continuing
[08:01:30] Applications and permissions
[08:01:30] Exception when doing Applications and permissions
[08:01:30] Error when calling https://graph.windows.net:443/redacted/servicePrincipals?api-version=1.61-internal : Access denied to the specified API version.
[08:01:30] Continuing
[08:01:30] Roles
[08:01:30] Exception when doing Roles
[08:01:30] The creator of this fault did not specify a Reason.
[08:01:30] Continuing
[08:01:30] Foreign domains
[08:01:30] Outlook online
Error: unauthorized_client Description: AADSTS700016: Application with identifier 'redacted' was not found in the directory 'Microsoft Services'. This can happen if the application has not been installed by the administrator of the tenant or consented to by any user in the tenant.
You may have sent your authentication request to the wrong tenant.
[08:01:30] Exception when doing Outlook online
[08:01:30] Response status code does not indicate success: 400 (Bad Request).
[08:01:30] Continuing
[08:01:30] Computing risks
[08:01:30] Done
[08:01:30] An exception occured when doing the task: Analyze

Leightonish, May 14 '24 06:05
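As an added example (not part of this issue and not PingCastle's own code), a small parser for the PingCastle task-log format quoted above: it pairs each "Exception when doing ..." marker with the error entry that follows it and buckets the failures, so an operator triaging a run can see whether the tool is being rejected on authorization (401), on the legacy graph.windows.net API version, or with an unspecified fault. The sample log is a constructed excerpt of the output in the report, with identifiers left redacted.

```python
import re
from collections import defaultdict

# Constructed excerpt of the --azuread task log quoted in the issue.
SAMPLE_LOG = """\
[08:01:28] Starting
[08:01:28] Authenticate
[08:01:28] DNS Domains
[08:01:29] Exception when doing DNS Domains
[08:01:29] The creator of this fault did not specify a Reason.
[08:01:29] Continuing
[08:01:29] Known tenant
[08:01:29] Exception when doing Known tenant
[08:01:29] Response status code does not indicate success: 401 (Unauthorized).
[08:01:29] Continuing
[08:01:29] Policies
[08:01:29] Exception when doing Policies
[08:01:29] Error when calling https://graph.windows.net:443/redacted/policies?api-version=1.61-internal : Access denied to the specified API version.
[08:01:29] Continuing
"""

# One log entry: "[HH:MM:SS] message"; non-timestamped lines are skipped.
LINE_RE = re.compile(r"^\[(\d\d:\d\d:\d\d)\] (.*)$")
EXC_RE = re.compile(r"^Exception when doing (.+)$")


def parse_failures(log: str) -> dict:
    """Return {task: error message}; the error is the entry right after the marker."""
    entries = [m.group(2) for line in log.splitlines() if (m := LINE_RE.match(line))]
    failures = {}
    for i, text in enumerate(entries):
        m = EXC_RE.match(text)
        if m and i + 1 < len(entries):
            failures[m.group(1)] = entries[i + 1]
    return failures


def classify(message: str) -> str:
    """Bucket an error so auth rejections, legacy-API denials and blank faults separate."""
    if "401" in message:
        return "unauthorized"
    if "Access denied to the specified API version" in message:
        return "legacy-api-denied"
    if "did not specify a Reason" in message:
        return "unspecified-fault"
    return "other"


def summarize(log: str) -> dict:
    """Map each failure bucket to the list of tasks that landed in it."""
    buckets = defaultdict(list)
    for task, msg in parse_failures(log).items():
        buckets[classify(msg)].append(task)
    return dict(buckets)
```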