The new PowerShell V2 cmdlet to Exchange Online


I'm running 8.1.3 and am trying to connect to Exchange Online with a PowerShell script, not Sync Editor.

But I'm getting the following error message:

[System.Management.Automation.RuntimeException] One or more errors occurred.
[Microsoft.Identity.Client.MsalClientException] Could not use the certificate for signing. See inner exception for details. Possible cause: this may be a known issue with apps build against .NET Desktop 4.6 or lower. Either target a higher version of .NET desktop - 4.6.1 and above, or use a different certificate type (non-CNG) or sign your own assertion as described at
[System.Security.Cryptography.CryptographicException] Invalid provider type specified.

This is the command:

Connect-ExchangeOnline -AppId $AppId -Certificate $Certificate -Organization $Organization

Any help would be appreciated!


  • How can I find out which version of PowerShell One Identity is running?
    Does One Identity come with a specific version of PS built-in?
    Can I point/install another version of PS and force One Identity to use that specific version?

  • OneIM does not come with a specific version built-in. The PowerShellComponentNet4 is using PowerShell 3-5.1 (depending on what is installed) and the PowerShellComponent would default to PowerShell 2.

    You cannot enforce OneIM to use a PowerShell version higher than 5.1 as they are based on a different technology than the other PowerShells.

    What could be different is the architecture x86 / x64 between your test and the execution by the JobService and your profile settings (your settings from the account you have tested with vs. the profile settings from the user account the JobService is using).

  • The problem was with the certificate.

    Here is where I found the solution:

    Install openssl.

    Convert the certificate's private key from CNG format to RSA.
    Using certlm.msc, export the current certificate, or if the original pfx file still exists, use that.
    Extract the public keys, including certificate chain:
    OpenSSL pkcs12 -in "oldcertificate.pfx" -nokeys -out "intermediate.cer"
    Extract the private key:
    OpenSSL pkcs12 -in "oldcertificate.pfx" -nocerts -out "intermediate.pem"
    Convert the key to RSA format:
    OpenSSL rsa -inform PEM -in "intermediate.pem" -out "intermediate.rsa"
    Merge into a new pfx file:
    OpenSSL pkcs12 -export -in "intermediate.cer" -inkey "intermediate.rsa" -out "newcertificate.pfx"
    All "intermediate" files can safely be deleted.
    Import the newly created pfx into certlm.msc and assign the user running the scripts read privileges to the private key.
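
A check that can be run after the import described in the last reply, as an added example that is not part of the original thread: it reports whether Windows PowerShell 5.1 can reach the certificate's private key through a legacy CSP, and who holds rights on the key file. The thumbprint is a placeholder, and the Personal (`My`) store of the local machine is an assumption based on the use of certlm.msc.

```powershell
# Added example (not from the thread). Run in Windows PowerShell 5.1, elevated,
# and in the same architecture (x86 / x64) as the process that runs the script.
param(
    # Placeholder: thumbprint of the certificate imported through certlm.msc
    [string]$Thumbprint = '<THUMBPRINT>'
)

# Assumption: the certificate was imported into the local machine Personal store.
$cert = Get-Item -Path "Cert:\LocalMachine\My\$Thumbprint" -ErrorAction Stop
if (-not $cert.HasPrivateKey) {
    throw "Certificate $Thumbprint has no private key in this store."
}

# On .NET Framework the PrivateKey getter uses the legacy CryptoAPI (CSP) path.
# For a key held by a CNG provider it fails or yields nothing, which is the
# condition reported as "Invalid provider type specified".
$key = $null
try { $key = $cert.PrivateKey }
catch { Write-Warning "PrivateKey getter failed: $($_.Exception.Message)" }

if ($key -isnot [System.Security.Cryptography.RSACryptoServiceProvider]) {
    Write-Output 'Private key is not reachable through a legacy CSP (likely CNG); conversion is still needed.'
    return
}

# Show which provider holds the key and the name of its container.
$info = $key.CspKeyContainerInfo
[pscustomobject]@{
    Provider     = $info.ProviderName
    ProviderType = $info.ProviderType
    MachineKey   = $info.MachineKeyStore
    Container    = $info.UniqueKeyContainerName
}

# Legacy machine keys are files under MachineKeys; list who can access this one,
# to confirm the account running the scripts has Read on the private key.
$keyDir  = Join-Path $env:ProgramData 'Microsoft\Crypto\RSA\MachineKeys'
$keyFile = Join-Path $keyDir $info.UniqueKeyContainerName
if (Test-Path -LiteralPath $keyFile) {
    (Get-Acl -LiteralPath $keyFile).Access |
        Select-Object IdentityReference, FileSystemRights, AccessControlType
} else {
    Write-Warning "Key file not found at $keyFile (the key may not be in the machine key store)."
}
```

The `intermediate.rsa` file produced by the conversion step holds the private key without a passphrase, so it should not be left on disk once the new pfx is imported.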