Entra ID SaaS - Exchange Online with Certificate Based Authentication

Hello everyone,
Has anyone ever tried to use Certificate Based Authentication for the Exchange Online feature management in the Entra ID SaaS connector?
I have configured the connector exactly as expected, and the Entra ID connection works, but when I configure the Exchange Online feature I get a timeout error.
I tested the Exchange connection separately on my machine to verify that the certificate authentication details I have will work through Exchange PowerShell.

However, I am still getting a timeout issue in ISC, and even after increasing the timeout settings, it is still failing.

I have checked the logs via the CLI, and this is what I am getting after testing the connection (and after receiving a 200 HTTP code from Entra ID itself):

[2025-05-15T11:45:32.878+02:00] INFO  | connectorMessage ▶︎ {"AppType":"Microsoft Entra","commandType":"std:test-connection","invocationId":"8f5448db-1b98-4efe-a734-05c8b553777e","message":"TestConnection :: Connecting to ExchangeOnline to validate ExchangeConfiguration...","requestId":"468c87df5ac5461cbe1d4f51637a685d","timestamp":"2025-05-15T09:44:21.035Z","version":38}
[2025-05-15T11:45:32.878+02:00] INFO  | connectorMessage ▶︎ {"AppType":"Microsoft Entra","commandType":"std:test-connection","invocationId":"8f5448db-1b98-4efe-a734-05c8b553777e","message":"Preparing instance for ExchangeOnlinePowershell instance...","requestId":"468c87df5ac5461cbe1d4f51637a685d","timestamp":"2025-05-15T09:44:21.035Z","version":38}
[2025-05-15T11:45:32.878+02:00] DEBUG | connectorMessage ▶︎ {"AppType":"Microsoft Entra","commandType":"std:test-connection","invocationId":"8f5448db-1b98-4efe-a734-05c8b553777e","message":"Application configuration is using: CERTIFICATE_BASED_AUTHENTICATION","requestId":"468c87df5ac5461cbe1d4f51637a685d","timestamp":"2025-05-15T09:44:21.035Z","version":38}
[2025-05-15T11:45:32.878+02:00] DEBUG | connectorMessage ▶︎ {"AppType":"Microsoft Entra","commandType":"std:test-connection","invocationId":"8f5448db-1b98-4efe-a734-05c8b553777e","message":"Building exchange configuration instance...","requestId":"468c87df5ac5461cbe1d4f51637a685d","timestamp":"2025-05-15T09:44:21.035Z","version":38}
[2025-05-15T11:45:32.878+02:00] DEBUG | connectorMessage ▶︎ {"AppType":"Microsoft Entra","commandType":"std:test-connection","invocationId":"8f5448db-1b98-4efe-a734-05c8b553777e","message":"Building Certificate Based Authentication Exchange Configuration","requestId":"468c87df5ac5461cbe1d4f51637a685d","timestamp":"2025-05-15T09:44:21.035Z","version":38}
[2025-05-15T11:45:32.879+02:00] INFO  | connectorMessage ▶︎ {"commandType":"std:test-connection","invocationId":"8f5448db-1b98-4efe-a734-05c8b553777e","message":"Executable PATH :: /usr/bin/pwsh","requestId":"468c87df5ac5461cbe1d4f51637a685d","version":38}
[2025-05-15T11:45:32.881+02:00] INFO  | connectorMessage ▶︎ {"AppType":"Microsoft Entra","commandType":"std:test-connection","invocationId":"8f5448db-1b98-4efe-a734-05c8b553777e","message":"Spawning process: pwsh","requestId":"468c87df5ac5461cbe1d4f51637a685d","timestamp":"2025-05-15T09:44:21.035Z","version":38}
[2025-05-15T11:45:32.881+02:00] INFO  | connectorMessage ▶︎ {"AppType":"Microsoft Entra","commandType":"std:test-connection","invocationId":"8f5448db-1b98-4efe-a734-05c8b553777e","message":"Spawning process successful for : pwsh Process ID is: 252","requestId":"468c87df5ac5461cbe1d4f51637a685d","timestamp":"2025-05-15T09:44:21.035Z","version":38}
[2025-05-15T11:45:32.881+02:00] INFO  | connectorMessage ▶︎ {"AppType":"Microsoft Entra","commandType":"std:test-connection","invocationId":"8f5448db-1b98-4efe-a734-05c8b553777e","message":"Connecting to Exchange Online. Configured Authentication method is: CERTIFICATE_BASED_AUTHENTICATION","requestId":"468c87df5ac5461cbe1d4f51637a685d","timestamp":"2025-05-15T09:44:21.035Z","version":38}
[2025-05-15T11:45:32.881+02:00] INFO  | connectorMessage ▶︎ {"AppType":"Microsoft Entra","commandType":"std:test-connection","invocationId":"8f5448db-1b98-4efe-a734-05c8b553777e","message":"Executing command: Connetor-Command : Set-Certificate","requestId":"468c87df5ac5461cbe1d4f51637a685d","timestamp":"2025-05-15T09:44:21.035Z","version":38}
[2025-05-15T11:48:20.350+02:00] INFO  | commandOutcome   ▶︎ Command failed with [ConnectorError] command canceled or expired: std:test-connection, for connector version 38. output_count=0 output_bytes=0 keep_alive_count=0 state_count=0. Elapsed time 240061ms
[2025-05-15T11:49:32.852+02:00] INFO  | commandOutcome   ▶︎ Command failed with [ConnectorError] command canceled or expired: std:test-connection, for connector version 38. output_count=0 output_bytes=0 keep_alive_count=0 state_count=0. Elapsed time 240119ms

Make sure to follow the instructions for “Certificate Based Authentication” on Exchange Online Management.

We initially had issues getting this working; it was due to the PFX being converted to Base64 incorrectly.
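The reply above names a Base64-encoded PFX as the failure point, so the following is an added example (not code from the thread or from SailPoint) that produces a single-line Base64 string from a PFX file and verifies that an existing Base64 string decodes back to a certificate that still carries its private key. The PFX path, its password and the tenant-specific thumbprint are placeholders; whether the connector wants the PFX bytes Base64-encoded is assumed from the reply, not confirmed by the documentation quoted here.

```powershell
# Added example; not part of the original thread. Placeholder inputs below.

function ConvertTo-PfxBase64 {
    # Encode the raw PKCS#12 bytes, not a PEM text rendering, and without the
    # 64/76-column line breaks that some tools (certutil, base64 without -w 0) insert.
    param([Parameter(Mandatory)][string]$PfxPath)
    $bytes = [System.IO.File]::ReadAllBytes($PfxPath)
    return [System.Convert]::ToBase64String($bytes)
}

function Test-PfxBase64 {
    # Take the string as it was pasted into the connector, strip stray whitespace,
    # decode it and load it as a certificate. Returns the thumbprint so it can be
    # compared with the one registered on the Entra app registration.
    param(
        [Parameter(Mandatory)][string]$Base64,
        [string]$Password = ''          # empty string if the PFX has no password
    )
    $clean = $Base64 -replace '\s', ''
    if ($clean -ne $Base64) { Write-Warning 'Base64 contained whitespace/line breaks; the connector value should be one unbroken line' }
    $decoded = [System.Convert]::FromBase64String($clean)
    $flags   = [System.Security.Cryptography.X509Certificates.X509KeyStorageFlags]::Exportable
    $cert    = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($decoded, $Password, $flags)
    if (-not $cert.HasPrivateKey) { throw 'Decoded PFX has no private key; CBA cannot sign the token request with it' }
    $now = Get-Date
    if ($now -lt $cert.NotBefore -or $now -gt $cert.NotAfter) { throw "Certificate is outside its validity period ($($cert.NotBefore) .. $($cert.NotAfter))" }
    return $cert.Thumbprint
}

# Usage with placeholder values:
$PfxPath     = '/opt/connector/certs/exo-cba.pfx'   # placeholder
$PfxPassword = ''                                   # placeholder; empty if the PFX has no password
$b64 = ConvertTo-PfxBase64 -PfxPath $PfxPath
$thumb = Test-PfxBase64 -Base64 $b64 -Password $PfxPassword
Write-Host "Base64 length: $($b64.Length); thumbprint: $thumb"
```

If the thumbprint printed here does not match the certificate uploaded to the app registration, the connector will be presenting a different key than the one Entra trusts, regardless of whether the Base64 itself decodes.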

The issue is not in certificate validity or Entra ID token issuance.

  1. Missing ExchangeOnlineManagement Module
     Ensure the Exchange Online PowerShell module (ExchangeOnlineManagement) is installed within the connector’s runtime environment. It should be >= v3.0.0 to support CBA.
     Run inside the connector shell or container:
     ```powershell
     Get-Module ExchangeOnlineManagement -ListAvailable
     ```
     If missing, install:
     ```powershell
     Install-Module ExchangeOnlineManagement -Scope AllUsers -Force
     ```

  2. PowerShell Execution Context
     You’re calling /usr/bin/pwsh — ensure:
     - The script uses the correct syntax for CBA (angle-bracket values are placeholders for your own values):
       ```powershell
       Connect-ExchangeOnline -AppId <app-id> -Organization <tenant>.onmicrosoft.com -CertificateThumbprint <thumbprint>
       ```
     - Certificates are accessible to the PowerShell runtime from the cert store or mounted securely (if in a container, this often breaks).
     - If it’s Linux-based and pwsh is used, ensure:
       - The certificate is in PEM or PFX format and accessible at the right path.
       - Permissions allow pwsh to read the cert file.

  3. Network Access to Exchange Online
     Test whether the container or host running the connector can reach the Exchange Online endpoints:
     ```bash
     curl https://outlook.office365.com/powershell-liveid/
     ```
     Or, from PowerShell:
     ```powershell
     Test-NetConnection outlook.office365.com -Port 443
     ```
     Timeouts often mean:
     - Proxy issues
     - Firewall blocks
     - DNS resolution problems
     - Certificate trust chain issues

  4. Certificate Format or Permissions Issues
     Double-check:
     - The thumbprint is correct.
     - The certificate is not password protected (for CBA in automation).
     - The validity period is current.
     - The private key is marked exportable (for use in non-Windows environments).

  5. Connector Timeout Configuration
     Even though you’ve increased the timeout settings, validate whether:
     - You’re modifying the correct config value (some tools have both global and feature-specific timeouts).
     - There are internal process-level timeouts that might kill pwsh prematurely — e.g., if no stdout is returned, some orchestrators think the command is “stuck”.

  6. Non-Windows
     If you’re running in non-Windows environments, you might need to import the certificate using:
     ```powershell
     # X509Certificate2.Import() throws PlatformNotSupportedException on .NET Core (which is what
     # pwsh runs on), so the PFX is loaded through the constructor instead. Angle-bracket values
     # are placeholders; use '' as the password if the PFX is not password protected.
     $flags = [System.Security.Cryptography.X509Certificates.X509KeyStorageFlags]'Exportable,PersistKeySet'
     $cert  = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new('<path-to-pfx>', '', $flags)
     Connect-ExchangeOnline -Certificate $cert -AppId <app-id> -Organization <tenant>.onmicrosoft.com
     ```

2 Likes
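The checklist in the reply above (module version, certificate loading on pwsh, network reachability, then the CBA sign-in) can be run as one pre-flight script from the host or container that hosts the connector, so that each failure surfaces in seconds with its own message rather than as a 240 s connector timeout with no output. The script below is an added example, not code from the thread, from SailPoint or from Microsoft; the PFX path, PFX password, app ID and tenant name are placeholders. It uses the `-Certificate` parameter rather than `-CertificateThumbprint` because on Linux the module has no Windows certificate store to look a thumbprint up in, and it checks TCP reachability with a .NET socket because `Test-NetConnection` is not available in pwsh on Linux.

```powershell
# Added example; not part of the original thread. Placeholder inputs below.
param(
    [string]$PfxPath      = '/opt/connector/certs/exo-cba.pfx',     # placeholder
    [string]$PfxPassword  = '',                                     # placeholder; '' if the PFX has no password
    [string]$AppId        = '00000000-0000-0000-0000-000000000000', # placeholder app (client) ID
    [string]$Organization = 'contoso.onmicrosoft.com'               # placeholder tenant
)
$ErrorActionPreference = 'Stop'

# 1. Module present and new enough for CBA (the reply above requires >= 3.0.0).
$mod = Get-Module ExchangeOnlineManagement -ListAvailable | Sort-Object Version -Descending | Select-Object -First 1
if (-not $mod) { throw 'ExchangeOnlineManagement is not installed in this runtime' }
if ($mod.Version -lt [version]'3.0.0') { throw "ExchangeOnlineManagement $($mod.Version) is too old for CBA" }
Write-Host "Module: ExchangeOnlineManagement $($mod.Version)"

# 2. Load the PFX via the constructor (Import() throws PlatformNotSupportedException on .NET Core)
#    and check the things CBA actually needs: a private key and a current validity period.
$flags = [System.Security.Cryptography.X509Certificates.X509KeyStorageFlags]::Exportable
$cert  = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($PfxPath, $PfxPassword, $flags)
if (-not $cert.HasPrivateKey) { throw 'PFX loaded but contains no private key' }
$now = Get-Date
if ($now -lt $cert.NotBefore -or $now -gt $cert.NotAfter) {
    throw "Certificate not valid now (valid $($cert.NotBefore) .. $($cert.NotAfter))"
}
Write-Host "Certificate: $($cert.Subject), thumbprint $($cert.Thumbprint)"

# 3. Plain TCP reachability to the Exchange Online PowerShell endpoint with a 5 s limit,
#    so proxy/firewall/DNS problems fail fast instead of hanging the connector.
$client = [System.Net.Sockets.TcpClient]::new()
try {
    if (-not $client.ConnectAsync('outlook.office365.com', 443).Wait(5000)) {
        throw 'No TCP connectivity to outlook.office365.com:443 from this host within 5 s'
    }
} finally { $client.Dispose() }
Write-Host 'Network: outlook.office365.com:443 reachable'

# 4. The CBA sign-in itself, followed by the cheapest possible call and a clean disconnect.
Connect-ExchangeOnline -AppId $AppId -Organization $Organization -Certificate $cert -ShowBanner:$false
try {
    $info = Get-ConnectionInformation
    Write-Host "Connected: state $($info.State), token expires $($info.TokenExpiryTimeUTC)"
} finally {
    Disconnect-ExchangeOnline -Confirm:$false
}
```

Run it as the same OS user the connector spawns `pwsh` under (the log shows `/usr/bin/pwsh`), because a certificate file that is readable to you but not to that user passes every step here and still times out inside the connector. If step 4 is the one that hangs, the problem is between the host and Microsoft's token or PowerShell endpoints (proxy, TLS inspection, egress rules) rather than in the certificate material, which matches the symptom in the original post of no output at all before the 240 s cancellation.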

Hello, I see… In our case, we have followed and used exactly the same commands that are in the SailPoint documentation and the referenced links.
The main issue here is that the test connection is not even reaching Exchange Online as we do not see any logs that may suggest that the call is getting blocked by a wrong certificate.

Hello, we do not have access to the SaaS connector or its runtime environment, so we cannot test those, but I would like to hope that this has been verified by SailPoint before making the connector available.
Concerning the certificate, we have tested its validity by running the Exchange PowerShell commands on our side without passing through the SailPoint SaaS connector, and it worked.
As mentioned in my previous comment, the SailPoint ISC test connection is not even reaching Exchange Online, as we do not see any logs that may suggest that the call is getting blocked by a wrong certificate.