Associate a certificate with the Entra app ID of UEM for modern authentication Skip Navigation

Associate a certificate with the
Entra
app ID of UEM for modern authentication

You can request and export a new client certificate from your CA server or use a self-signed certificate. The private key must be in .pfx format. The public key can be exported as a .cer or .pem file to upload to
Microsoft Entra ID
.
  1. Complete one of the following tasks:
    Certificate
    Task
    If you are using an existing CA server
    1. Request the certificate. The certificate that you request must include the app name in the subject of the certificate. Where <
      app name
      > is the name you assigned the app in step 4 of Add an app and obtain Azure details for configuring modern authentication.
    2. Export the public key of the certificate as a .cer or .pem file. The public key is used for the
      Entra
      app ID that is created.
    3. Export the private key of the certificate as a .pfx file.
    If you are using a self-signed certificate
    1. Create a self-signed certificate using the New-SelfSignedCertificate command. For more information, visit docs.microsoft.com and read New-SelfSignedCertificate.
      1. On the computer running
        Microsoft Windows
        , open the
        Windows PowerShell
        .
      2. Enter the following command:
        $cert=New-SelfSignedCertificate -Subject "CN=<
        app name
        >" -CertStoreLocation "Cert:\CurrentUser\My" -KeyExportPolicy Exportable -KeySpec Signature
        . Where <
        app name
        > is the name you assigned the app in step step 4 of Add an app and obtain Azure details for configuring modern authentication. The certificate that you request must include the
        Entra
        app name in the subject field.
      3. Press
        Enter
        .
    2. Export the public key from the
      Microsoft
      Management Console (MMC). Make sure to save the public certificate as a .cer or .pem file. The public key is used for the
      Entra
      app ID that is created.
      1. On the computer running
        Windows
        , open the Certificate Manager for the logged in user.
      2. Expand
        Personal
        .
      3. Click
        Certificates
        .
      4. Right-click the <
        user
        >@<
        domain
        > and click
        All Tasks > Export
        .
      5. In the
        Certificate Export Wizard
        , click
        No, do not export private key
        .
      6. Click
        Next
        .
      7. Select
        Base-64 encoded X.509 (.cer)
        . Click
        Next
        .
      8. Provide a name for the certificate and save it to your desktop.
      9. Click
        Next
        .
      10. Click
        Finish
        .
      11. Click
        OK
        .
    3. Export the private key from the
      Microsoft
      Management Console (MMC). Make sure to include the private key and save it as a .pfx file.
      1. On the computer running
        Windows
        , open the Certificate Manager for the logged in user.
      2. Expand
        Personal
        .
      3. Click
        Certificates
        .
      4. Right-click the <
        user
        >@<
        domain
        > and click
        All Tasks > Export
        .
      5. In the
        Certificate Export Wizard
        , click
        Yes, export private key
        .
      6. Click
        Next
        .
      7. Select
        Personal Information Exchange – PKCS #12 (.pfx)
        . Click
        Next
        .
      8. Select the security method. 
      9. Provide a name for the certificate and save it to your desktop.
      10. Click
        Next
        .
      11. Click
        Finish
        .
      12. Click
        OK
        .
  2. Upload the public certificate (.pem or .cer file) that you exported in step 1 to associate the certificate credentials with the
    Entra
    app ID of UEM.
    1. In portal.azure.com, open the <
      app name
      > you assigned the app in step 4 of Add an app and obtain Azure details for configuring modern authentication.
    2. Click
      Certificates & secrets
      .
    3. In the
      Certificates
      section, click
      Upload certificate
      .
    4. In the
      Select a file
      search field, navigate to the location where you exported the certificate.
    5. Click
      Add
      .