Hot to add a custom Cert to a Service Principal for passwordless Authentication

In a world where security is becoming more critical and traditional passwords are increasingly seen as weak links, passwordless authentication is a powerful advancement. One often overlooked yet effective method to implement this in Azure environments is by binding a custom certificate to an Azure App Registration (App Principal). In this post, I’ll walk you through how to configure this setup, using a developer-centric approach.

Why Go Passwordless?

Let’s start with the core question: why should you care?

Passwordless authentication improves security posture by eliminating the risks associated with password reuse, phishing attacks, and credential leaks. When combined with strong cryptographic identities like certificates, it ensures that only devices with a valid private key can access your Azure resources.

Use Case

We want an application (or automation script) to authenticate securely to Microsoft Graph or any other Azure service—without using a client secret or user credentials. Instead, we’ll use a certificate installed locally.

This is especially useful for:

• Automation tools (e.g., PowerShell or Python scripts),
• CI/CD pipelines,
• Background services that require continuous access to Microsoft resources.

Step-by-Step Guide

1. Generate or Obtain a Certificate

You can either generate a self-signed certificate or use an existing one issued by a trusted CA.

Option A: Create a Self-Signed Certificate via PowerShell

$cert = New-SelfSignedCertificate `
  -Subject "CN=MyAppCert" `
  -CertStoreLocation "Cert:\CurrentUser\My" `
  -KeyExportPolicy Exportable `
  -KeySpec Signature `
  -KeyLength 2048 `
  -NotAfter (Get-Date).AddYears(3)

Export the .cer (public) and .pfx (private) files:

Export-Certificate -Cert $cert -FilePath "C:\temp\MyAppCert.cer"
Export-PfxCertificate -Cert $cert -FilePath "C:\temp\MyAppCert.pfx" -Password (ConvertTo-SecureString -String "yourPassword" -Force -AsPlainText)

2. Add the Certificate to Your App Registration

Navigate to the Azure Portal → Azure Active Directory → App registrations → Your App → Certificates & secrets.

Upload your .cer file under "Certificates". Azure will extract the thumbprint and associate it with the App.

📌 Only the public part of the certificate is stored in Azure. Keep your private key secure!

3. Configure Application Permissions

Depending on what your app needs to do, go to API permissions and add either:

• Delegated permissions (on behalf of a user), or
• Application permissions (app-only access).

Don't forget to click "Grant admin consent" if required.

4. Acquire a Token Using the Certificate

Here’s an example using PowerShell and the Microsoft.Identity.Client (MSAL) library:

$tenantId = "your-tenant-id"
$clientId = "your-app-id"
$certPath = "C:\temp\MyAppCert.pfx"
$certPassword = ConvertTo-SecureString -String "yourPassword" -AsPlainText -Force

$cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($certPath, $certPassword)

$app = [Microsoft.Identity.Client.ConfidentialClientApplicationBuilder]::Create($clientId)
    .WithCertificate($cert)
    .WithAuthority("https://login.microsoftonline.com/$tenantId")
    .Build()

$token = $app.AcquireTokenForClient(@("https://graph.microsoft.com/.default")).ExecuteAsync().Result
$token.AccessToken

5. Call the Microsoft Graph API

Now that you have the token, you can use it in your API calls:

powershellKopierenBearbeitenInvoke-RestMethod -Uri "https://graph.microsoft.com/v1.0/users" `
-Headers @{Authorization = "Bearer $($token.AccessToken)"} `
-Method GET

And just like that, your application is running without any passwords involved.

Common Pitfalls

• ❌ Wrong Certificate Format: Make sure you use .cer for Azure and .pfx for your app.
• ❌ Time Skew: Certificates have time-based validity. Ensure your local clock is synced.
• ❌ Insufficient Permissions: Don’t forget to configure and consent to API permissions.

Final Thoughts

This setup not only eliminates secrets from your configuration files but also strengthens your application’s security. In times where secrets get leaked in Git repos and attackers automate credential spraying, passwordless authentication via certificates is the future-proof approach every technical team should adopt.

If this guide helped you or sparked ideas on hardening your authentication architecture, feel free to share it with your team or let’s connect to discuss advanced identity management strategies.

🛡️ Stay secure and code smart.