Entra ID SaaS - Exchange Online with Certificate Based Authentication

The issue is not in certificate validity or Entra ID token issuance

  1. Missing ExchangeOnlineManagement Module
    Ensure the Exchange Online PowerShell module (ExchangeOnlineManagement) is installed within the connector’s runtime environment.
    It should be >= v3.0.0 to support CBA.
    Run inside the connector shell or container:
    ```powershell
    Get-Module ExchangeOnlineManagement -ListAvailable
    ```
    If missing, install:
    ```powershell
    Install-Module ExchangeOnlineManagement -Scope AllUsers -Force
    ```

  2. PowerShell Execution Context
    You’re calling /usr/bin/pwsh — ensure:
    The script uses correct syntax for CBA:
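    ```powershell
    # Replace the angle-bracket placeholders with your app registration, tenant and certificate values
    Connect-ExchangeOnline -AppId '<AppId>' -Organization '<tenant>.onmicrosoft.com' -CertificateThumbprint '<CertificateThumbprint>'
    ```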
    Certificates are accessible to the PowerShell runtime from the cert store or mounted securely (if in a container, this often breaks).
    If it’s Linux-based and pwsh is used, ensure:
    Certificate is in a PEM or PFX format, accessible in the right path.
    Permissions allow pwsh to read the cert file.

  3. Network Access to Exchange Online
    Test if the container or host running the connector can reach Exchange Online endpoints:
    ```bash
    curl https://outlook.office365.com/powershell-liveid/
    ```
    Or, from PowerShell:
    ```powershell
    Test-NetConnection outlook.office365.com -Port 443
    ```
    Timeouts often mean:
    Proxy issues
    Firewall blocks
    DNS resolution problems
    Certificate trust chain issues

  4. Certificate Format or Permissions Issues
    Double-check:
    Thumbprint is correct
    Certificate is not password protected (for CBA in automation)
    Validity period is current
    The private key is marked exportable (for use in non-Windows environments)

  5. Connector Timeout Configuration
    Even though you’ve increased timeout settings, validate if:
    You’re modifying the correct config value (some tools have both global and feature-specific timeouts).
    There are internal process-level timeouts that might kill pwsh prematurely — e.g., if no stdout is returned, some orchestrators think the command is “stuck”.

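  6. Non-Windows
    If you’re running in non-Windows environments, you might need to import the certificate using:
    ```powershell
    # X509Certificate2.Import() is not supported by the .NET runtime behind pwsh, so the file is loaded through the constructor
    $flags = [System.Security.Cryptography.X509Certificates.X509KeyStorageFlags]'Exportable,PersistKeySet'
    $cert = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new('<path-to-pfx>', [string]$null, $flags)
    Connect-ExchangeOnline -Certificate $cert -AppId '<AppId>' -Organization '<tenant>.onmicrosoft.com'
    ```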
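
A preflight script covering checks 1 to 4 above, as an added example that is not part of the original post. The function names, parameters and angle-bracket placeholder values are assumptions; it expects a PFX without a password, and it probes TCP 443 with System.Net.Sockets.TcpClient so that it also runs under pwsh on Linux.

```powershell
# Added example: preflight checks before Connect-ExchangeOnline with a certificate.
function New-CheckResult([string]$Check, [bool]$Passed, [string]$Detail) {
    [pscustomobject]@{ Check = $Check; Passed = $Passed; Detail = $Detail }
}

function Test-ExoCbaPrerequisite {
    param(
        [string]$PfxPath,             # certificate file visible to the pwsh process
        [string]$ExpectedThumbprint,  # thumbprint registered on the Entra ID application
        [string]$ExoHost = 'outlook.office365.com'
    )

    # Check 1: module installed and at least v3.0.0
    $mod = Get-Module -ListAvailable -Name ExchangeOnlineManagement |
        Sort-Object Version -Descending | Select-Object -First 1
    $modOk = ($null -ne $mod) -and ($mod.Version -ge [version]'3.0.0')
    New-CheckResult 'Module >= 3.0.0' $modOk "found: $($mod.Version)"

    # Checks 2 and 4: file readable by this process, private key, thumbprint, validity
    try {
        $flags = [System.Security.Cryptography.X509Certificates.X509KeyStorageFlags]'Exportable'
        $cert = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($PfxPath, [string]$null, $flags)
        $now = Get-Date
        $thumbOk = $cert.Thumbprint -eq ($ExpectedThumbprint -replace '\s', '')
        $dateOk = ($now -ge $cert.NotBefore) -and ($now -le $cert.NotAfter)
        New-CheckResult 'Certificate loads' $true $cert.Subject
        New-CheckResult 'Private key present' $cert.HasPrivateKey ''
        New-CheckResult 'Thumbprint matches' $thumbOk $cert.Thumbprint
        New-CheckResult 'Validity current' $dateOk "expires $($cert.NotAfter.ToString('u'))"
    } catch {
        # Covers a missing file, denied read permission, a wrong format or a password-protected PFX
        New-CheckResult 'Certificate loads' $false $_.Exception.Message
    }

    # Check 3: outbound TCP 443 with a 5 second limit
    $client = [System.Net.Sockets.TcpClient]::new()
    try {
        $ok = $client.ConnectAsync($ExoHost, 443).Wait(5000)
        $detail = if ($ok) { 'connected' } else { 'no answer within 5s' }
        New-CheckResult "TCP 443 to $ExoHost" $ok $detail
    } catch {
        # DNS failures and refused connections surface here
        New-CheckResult "TCP 443 to $ExoHost" $false $_.Exception.Message
    } finally {
        $client.Dispose()
    }
}

Test-ExoCbaPrerequisite -PfxPath '<path-to-pfx>' -ExpectedThumbprint '<CertificateThumbprint>' |
    Format-Table -AutoSize -Wrap
```

Run it as the same user and inside the same container as the connector, since file permissions and network egress differ between contexts.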