Connect-MgGraph Not Connecting

Product: PowerShell Universal
Version: 3.5.5
Environment: Windows PowerShell 5.1
Credential: localCredentials (a local user defined as a Secret with access to the Certificate I'm using)

Since upgrading to 3.5.5, I’ve been unable to connect to the PowerShell Graph SDK. Running the same cmdlet/parameters locally as the account I’m running as in the script works. Here’s what I’m running:

try{
    Write-Host "Connecting to Graph App ID: $secret:appID on Tenant ID: $clientTenantId with thumbprint: $secret:graphCertThumbprint"
    $null = Connect-MgGraph -AppId $secret:appID -TenantID $clientTenantId -CertificateThumbprint $secret:graphCertThumbprint -ErrorAction Stop
    Write-Host "Connected to Graph"
}
catch{
    Write-Warning $Error[0]
    Write-Host "Unable to Connect to Graph; exiting"
}

I added the Write-Host at the beginning to make sure it’s pulling the appID and Cert Thumbprint properly from my secret store. I’m running this as a local, non-admin user. This script worked when I was on 3.3.7. I’ve upgraded a few times since then but hadn’t specifically tested this script and it doesn’t look like it’s been called in a while, so I don’t know when it broke.

The error I get is:

The system cannot find the file specified.

I don’t know what file it’d be looking for. The Graph module is installed and PSU sees it. I tried explicitly importing Microsoft.Graph.Identity.DirectoryManagement, but that didn’t make a difference.

I have another script that uses a certificate to connect to SharePoint via Connect-PnPOnline and that works fine, so it doesn’t appear to be anything related to the Secrets/Certificates.

Anyone else have Connect-MgGraph working in 3.5.5?

Thanks!

The Certificate is stored in the User Store, yes?

Unable to authenticate using Connect-MgGraph with certificate on Windows Server or Azure HybridWoker error is “certificate was not found or has expired.” · Issue #675 · microsoftgraph/msgraph-sdk-powershell · GitHub

Yes, it’s stored in the User Store (Cert:\CurrentUser\My). I’ll update my script to test if it can find the cert. That might explain why I’m getting the “not found” error. I was only testing to confirm it was using the correct thumbprint.

Thank you!

Personally, I store the certificate path as a $Secret:. I then call

Connect-MgGraph -AppId $secret:appID -TenantID $clientTenantId -Certificate (Get-Item $Secret:MyCertificate)

@Jori does that work for you on 3.5.5? I just did exactly that and it fails. I confirmed with an earlier Try-Catch that it finds the certificate successfully (so it’s properly connecting to the cert store), but fails on Connect-MgGraph with that cert. It had been working with no changes to this script in months, which is why I’m so confused. And it works with the SharePoint PnP Module (different cert and app, same store though).

Since I needed to move on with this, I just switched over to Access Token authentication instead of Certificate and that’s working for now.

Thanks for the help/advice!

For this to work, I had to put the cert in the certificate store for the user account that the PowerShell Universal service runs as. If that’s the LocalSystem account, then you need to use something like psexec to open a command prompt under that user’s context, then launch the certificate snap-in from there.

This is true. Though if it’s the local system account then you can just open up the Computers Certificates and give the PSU account read access to the certificate.
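
Added example (not part of any post in this thread): a pre-flight check that can be run inside the PSU script before Connect-MgGraph, to show which account the job is actually executing as and whether that account can find the certificate and open its private key in either store mentioned above. The function name Test-GraphCertAccess is hypothetical, and the key check assumes an RSA certificate.

```powershell
# Added example. Test-GraphCertAccess is a hypothetical helper, not a Graph SDK or PSU cmdlet.
# Assumption: the certificate uses an RSA key pair.
function Test-GraphCertAccess {
    param(
        [Parameter(Mandatory)][string]$Thumbprint
    )

    # Thumbprints copied from the certificate snap-in can carry spaces or hidden characters.
    $clean    = ($Thumbprint -replace '[^0-9A-Fa-f]', '').ToUpperInvariant()
    $identity = [System.Security.Principal.WindowsIdentity]::GetCurrent().Name

    foreach ($store in 'Cert:\CurrentUser\My', 'Cert:\LocalMachine\My') {
        $cert = Get-ChildItem -Path $store -ErrorAction SilentlyContinue |
            Where-Object { $_.Thumbprint -eq $clean } |
            Select-Object -First 1

        $keyReadable = $false
        if ($cert -and $cert.HasPrivateKey) {
            try {
                # Opening the key throws if this identity has no read access to it.
                $key = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPrivateKey($cert)
                $keyReadable = [bool]$key
            }
            catch {
                $keyReadable = $false
            }
        }

        [pscustomobject]@{
            RunningAs     = $identity       # the account the job really runs under
            Store         = $store
            Found         = [bool]$cert
            HasPrivateKey = [bool]($cert -and $cert.HasPrivateKey)
            KeyReadable   = $keyReadable
            Expired       = if ($cert) { $cert.NotAfter -lt (Get-Date) } else { $null }
        }
    }
}

# Usage inside the PSU script, with the secret name used earlier in this thread:
# Test-GraphCertAccess -Thumbprint $secret:graphCertThumbprint | Format-Table -AutoSize
```

A row with Found = True but KeyReadable = False points at private-key permissions for the RunningAs account rather than at the thumbprint or the store location.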