Introduction
In this Quick PowerShell Post of the Week, we will walk through the process for connecting to Microsoft Teams with Certificate Based Authentication (CBA). CBA for PowerShell is now a primary concern for administrators, both as a security improvement when executing code remotely against a tenant and as an opportunity to get ahead of Microsoft's removal of Basic Authentication from tenants. While only Exchange Online is affected by that removal, putting CBA in place for all supported workloads should be a priority for administrators.
Where to Start
In order to do so, first make sure that your Microsoft Teams PowerShell module is version 4.7.1-Preview or higher. Below we quickly verify our version, which in this case is 4.9.1, the most current as of this blog post.
Import-Module MicrosoftTeams
Get-Module MicrosoftTeams
Once we verify that our module is the correct version, we can check the Connect-MicrosoftTeams cmdlet help to see if a valid example exists for us to build on. There is indeed an example in the PowerShell help for the cmdlet:
Get-Help Connect-MicrosoftTeams -Examples
Preparation Steps
From the above example we can see that we need a certificate, an application (App Registration) and finally our tenant ID. First, we can create the Azure App Registration.
Browse to the Azure AD Portal [ aad.portal.azure.com ] and select App Registrations, then click on New Registration:
In the Application Registration page, make sure to provide (1) a name, (2) supported account types and finally (3) add a Web Redirect URI:
Next, we need to add permissions to the registered app. According to Microsoft's documentation, the required permissions are:
For *-Cs cmdlets – the Microsoft Graph API permission needed is Organization.Read.All.
For Non *-Cs cmdlets – the Microsoft Graph API permissions needed are Organization.Read.All, User.Read.All, Group.ReadWrite.All, AppCatalog.ReadWrite.All, TeamSettings.ReadWrite.All, Channel.Delete.All, ChannelSettings.ReadWrite.All, ChannelMember.ReadWrite.All.
On the app, we can add these permissions:
After adding all the permissions, notice that we still need to grant consent:
Clicking on Grant admin consent brings up this dialog box:
This will then change the permissions status to Granted for this application.
Remember to pull your Tenant ID (from the Azure AD Overview blade) and the Application ID from the Applications Overview blade as well.
Generating a Certificate for Authentication
Create a self-signed certificate in the current user's personal store, valid for one year:
$NewCertificate = New-SelfSignedCertificate -DnsName "PowerShellGeek.com" -CertStoreLocation "cert:\CurrentUser\My" -NotAfter (Get-Date).AddYears(1) -KeySpec KeyExchange
Export the PFX (certificate plus private key) version, protected with a password you are prompted for:
$NewCertificate | Export-PfxCertificate -FilePath c:\scripts\MSTeams-PS.pfx -Password (Get-Credential).Password
Generate the CER (public key only) version of the certificate, which is the file uploaded to the app registration:
$NewCertificate | Export-Certificate -FilePath c:\scripts\MSTeams-PS.cer
Check in the Certificates MMC for the certificate Thumbprint:
Import certificate into the Azure App Registration:
Connecting to Microsoft Teams (All Together Now)
Now that we have an app, a certificate and all the other IDs, we can connect to Microsoft Teams with PowerShell using CBA:
Connect-MicrosoftTeams -CertificateThumbprint "E0cbef1311f2e396a8387d1cef09b5908aabf449" -TenantId "5d0cc54e-0082-4eb8-a300-ce17a036f3f4" -ApplicationId "3a0165f7-eb96-4013-8110-f32f79f64603"
Which results in a successful connection:
And off we go to work in the Microsoft Teams PowerShell connection, secured by Certificate Based Authentication.
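Pulling the steps above together, here is an added example script (not from the original post) that gates on the module version from the Where to Start section, looks up the certificate by thumbprint in the current user's store, refuses an expired or private-key-less certificate before any token request is made, connects with CBA, runs a *-Cs cmdlet as a smoke test for the Organization.Read.All permission, and always disconnects. The parameter values are placeholders to be replaced with your own thumbprint, tenant ID and application ID; the 30-day expiry warning threshold is an assumed value.

```powershell
#Requires -Version 5.1
# Added example: end-to-end certificate-based connection to Microsoft Teams.
# Run as: .\Connect-TeamsCba.ps1 -CertificateThumbprint <thumb> -TenantId <guid> -ApplicationId <guid>
param(
    [Parameter(Mandatory)][string]$CertificateThumbprint,   # placeholder: from the Certificates MMC
    [Parameter(Mandatory)][string]$TenantId,                 # placeholder: Azure AD Overview blade
    [Parameter(Mandatory)][string]$ApplicationId,            # placeholder: App Registration Overview blade
    [version]$MinimumModuleVersion = [version]'4.7.1',       # first version supporting -CertificateThumbprint per the post
    [int]$ExpiryWarningDays = 30                             # assumed threshold for the rotation warning
)

$ErrorActionPreference = 'Stop'

# 1. Module version gate: use the newest installed copy of MicrosoftTeams.
$teamsModule = Get-Module -Name MicrosoftTeams -ListAvailable |
    Sort-Object -Property Version -Descending |
    Select-Object -First 1
if (-not $teamsModule) {
    throw 'MicrosoftTeams module is not installed. Run: Install-Module MicrosoftTeams'
}
if ($teamsModule.Version -lt $MinimumModuleVersion) {
    throw "MicrosoftTeams $($teamsModule.Version) is too old; $MinimumModuleVersion or later is required."
}
Import-Module -Name MicrosoftTeams -MinimumVersion $MinimumModuleVersion

# 2. Certificate checks. Normalise the thumbprint (the MMC shows it with spaces and mixed case),
#    then require a private key and a current validity window before talking to Azure AD.
$thumb = ($CertificateThumbprint -replace '[^0-9A-Fa-f]', '').ToUpperInvariant()
$cert  = Get-ChildItem -Path "Cert:\CurrentUser\My\$thumb" -ErrorAction SilentlyContinue
if (-not $cert) {
    throw "No certificate with thumbprint $thumb in Cert:\CurrentUser\My."
}
if (-not $cert.HasPrivateKey) {
    throw 'Certificate has no private key; import the PFX, not the CER, into the user store.'
}
$now = Get-Date
if ($now -lt $cert.NotBefore -or $now -gt $cert.NotAfter) {
    throw "Certificate is outside its validity window ($($cert.NotBefore) to $($cert.NotAfter))."
}
$daysLeft = [int]($cert.NotAfter - $now).TotalDays
if ($daysLeft -le $ExpiryWarningDays) {
    Write-Warning "Certificate expires in $daysLeft days; upload a replacement to the app registration now."
}

# 3. Connect app-only with the certificate, verify, and always disconnect.
try {
    Connect-MicrosoftTeams -CertificateThumbprint $thumb -TenantId $TenantId -ApplicationId $ApplicationId | Out-Null
    Write-Host "Connected to tenant $TenantId as application $ApplicationId via certificate $thumb"

    # Get-CsTenant is a *-Cs cmdlet, so it exercises the Organization.Read.All permission.
    Get-CsTenant | Format-List DisplayName, TenantId
}
finally {
    Disconnect-MicrosoftTeams -ErrorAction SilentlyContinue
}
```

The try/finally matters for unattended jobs: a failure in the verification step still tears the session down, and the certificate checks run before any network call so a misconfigured host fails fast with a local message rather than an opaque token error.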