Connect-PnPOnline – resolving issue – AADSTS700027: The certificate with identifier used to sign the client assertion is not registered on application. – Small mistake, lesson learned.

Hi All,
Greetings for the day!!!
Today, a new issue and its solution. It is a very simple issue and may be my own mistake, but since I spent some time on it, I am sharing it here.
Background
- I am using PnP PowerShell to perform a task.
- I am using the Connect-PnPOnline PnP PowerShell CMDLET to connect to my SharePoint site.
- I am using an Azure app (application ID) and a certificate.
- Below is the CMDLET I am using. -CertificatePassword takes a SecureString, so the password is converted first.
Connect-PnPOnline -Url https://knowledgejunction1.sharepoint.com/ -ClientId d2e4e4b6-7c79-5e82-9289-88cb8g2f4231 -CertificatePath 'D:\Prasham\microsoft365\certificate\knowledgejunction_app.pfx' -CertificatePassword (ConvertTo-SecureString -String "password" -AsPlainText -Force) -Tenant 'knowledgejunction1.onmicrosoft.com'
- While executing the above PowerShell CMDLET, I am getting an error.
We have a detailed article on using Connect-PnPOnline with a certificate and client ID. Microsoft 365 : Detailed steps using Connect-PnPOnline with Client ID and X509 certificate – https://knowledge-junction.in/2024/11/19/m365-steps-for-connect-pnponline-clientid-n-x509-certificate/
We have a detailed article on creating a self-signed certificate. PowerShell – script to generate a self-signed Certificate – exploring New-SelfSignedCertificate CMDLET – https://knowledge-junction.in/2024/01/20/powershell-script-to-generate-a-self-signed-certificate-exploring-new-selfsignedcertificate-cmdlet/
Issue / Error
Connect-PnPOnline: A configuration issue is preventing authentication – check the error message from the server for details.
You can modify the configuration in the application registration portal. See https://aka.ms/msal-net-invalid-client for details. Original exception:
AADSTS700027: The certificate with identifier used to sign the client assertion is not registered on application. [Reason – The key was not found.
Please visit the Azure Portal, Graph Explorer or directly use MS Graph to see configured keys for app Id ‘d2e4e4b6-7c79-5e82-9289-88cb8g2f4231’.
Review the documentation at https://docs.microsoft.com/en-us/graph/deployments to determine the corresponding service endpoint and https://docs.microsoft.com/en-us/graph/api/application-get?view=graph-rest-1.0&tabs=http to build a query request URL, such as ‘https://graph.microsoft.com/beta/applications/d2e4e4b6-7c79-5e82-9289-88cb8g2f4231’].
Trace ID: 43329e40-0315-4c05-b1ef-a5fffed43e00 Correlation ID: b87adf74-b851-4aa5-8b9c-7226f8fbcfce Timestamp: 2025-01-23 04:59:47Z

Cause / Issue
- We created a self-signed X.509 certificate.
- We do not have rights to the Microsoft Entra / Azure portal.
- We shared the certificate with our Azure team to upload for our app.
- Our Azure team forgot to upload the certificate. This is the root cause of the error.
- We were under the impression that the certificate had been uploaded.
Solution
- Our Azure team uploaded the certificate. Our CMDLETS started working like a charm 🙂
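A pre-flight check for the cause described above, added here as an example and not part of the original article: it loads the local PFX and compares its thumbprint with the thumbprints the Azure team reads from the app registration, so a missing upload is caught before Connect-PnPOnline fails with AADSTS700027. The function name Test-AppCertificateRegistration and the thumbprint placeholder are hypothetical.

```powershell
# Added example. Function name and the thumbprint placeholder are hypothetical.
function Test-AppCertificateRegistration {
    param(
        [Parameter(Mandatory)] [string] $PfxPath,
        [Parameter(Mandatory)] [securestring] $PfxPassword,
        # Thumbprints listed on the app registration, as reported by
        # whoever has access to it in Microsoft Entra.
        [Parameter(Mandatory)] [string[]] $RegisteredThumbprints
    )

    $cert = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($PfxPath, $PfxPassword)
    try {
        # Copy/paste often adds spaces, colons or invisible characters:
        # keep hex digits only and upper-case them before comparing.
        $registered = @($RegisteredThumbprints | ForEach-Object {
            ($_ -replace '[^0-9A-Fa-f]', '').ToUpperInvariant()
        })
        $now = Get-Date

        [pscustomobject]@{
            Subject       = $cert.Subject
            Thumbprint    = $cert.Thumbprint      # upper-case hex SHA-1 hash
            NotBefore     = $cert.NotBefore
            NotAfter      = $cert.NotAfter
            HasPrivateKey = $cert.HasPrivateKey   # required to sign the client assertion
            InValidity    = ($now -ge $cert.NotBefore -and $now -le $cert.NotAfter)
            IsRegistered  = ($registered -contains $cert.Thumbprint)
        }
    }
    finally {
        $cert.Dispose()
    }
}

# Usage: prompt for the PFX password instead of typing it on the command line.
$pfxPassword = Read-Host -AsSecureString 'PFX password'
Test-AppCertificateRegistration `
    -PfxPath 'D:\Prasham\microsoft365\certificate\knowledgejunction_app.pfx' `
    -PfxPassword $pfxPassword `
    -RegisteredThumbprints @('<thumbprint reported by the Azure team>')
```

If IsRegistered is False, the certificate used locally is not one of those uploaded to the app, which is the situation that produced the error above.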
REFERENCES
- Microsoft 365 : Detailed steps using Connect-PnPOnline with Client ID and X509 certificate – https://knowledge-junction.in/2024/11/19/m365-steps-for-connect-pnponline-clientid-n-x509-certificate/
- PowerShell – script to generate a self-signed Certificate – exploring New-SelfSignedCertificate CMDLET – https://knowledge-junction.in/2024/01/20/powershell-script-to-generate-a-self-signed-certificate-exploring-new-selfsignedcertificate-cmdlet/
Thank you for reading the article.
Have a nice day 🙂
