Allow using custom Auth Certificate lifetime #2347
Conversation
/azp run
Azure Pipelines successfully started running 1 pipeline(s).
Pull Request Overview
This PR introduces support for custom Auth Certificate lifetimes in the MonitorExchangeAuthCertificate script to address customer requirements with tenant policies that restrict certificate lifetimes to 365 days or less.
- A new New-ExchangeSelfSignedCertificate function that allows specifying custom certificate lifetimes
- Enhanced script parameters to support custom certificate lifetimes and enforce new certificate creation
- Documentation updates reflecting the new functionality
Reviewed Changes
Copilot reviewed 6 out of 6 changed files in this pull request and generated 3 comments.
| File | Description |
|---|---|
| docs/Admin/MonitorExchangeAuthCertificate.md | Added documentation for new parameters EnforceNewAuthCertificateCreation and CustomCertificateLifetimeInDays |
| Shared/CertificateFunctions/New-ExchangeSelfSignedCertificate.ps1 | New function implementing custom self-signed certificate generation with configurable lifetime |
| Admin/MonitorExchangeAuthCertificate/MonitorExchangeAuthCertificate.ps1 | Main script updates to support new parameters and certificate creation modes |
| Admin/MonitorExchangeAuthCertificate/DataCollection/Get-ExchangeAuthCertificateStatus.ps1 | Enhanced status detection logic to support enforced certificate creation |
| Admin/MonitorExchangeAuthCertificate/ConfigurationAction/New-ExchangeAuthCertificate.ps1 | Updated certificate creation logic to use custom function when lifetime is specified |
| .build/cspell-words.txt | Added new technical terms to spell check dictionary |
| $certificateThumbprint = $certificate.Thumbprint | ||
|
|
||
|
|
||
| if ($PSCmdlet.ShouldProcess("Setting certificate thumbprint")) { | ||
| $certificateThumbprint = $certificate.Thumbprint | ||
| } else { | ||
| # Mock certificate thumbprint | ||
| $certificateThumbprint = "A1B2C3D4E5F60718293A4B5C6D7E8F9012345678" | ||
| } |
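Review bot: the else branch of the ShouldProcess check at the end of this hunk assigns a hard-coded mock thumbprint ("A1B2C3D4E5F60718293A4B5C6D7E8F9012345678") whenever the caller runs with -WhatIf or declines the prompt, so nothing downstream that consumes $certificateThumbprint can tell a simulated run from a real one; returning $null (or a clearly labelled sentinel that callers check for) would be safer. The unconditional `$certificateThumbprint = $certificate.Thumbprint` at the top of the hunk is overwritten in both branches and can be dropped.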
Copilot (AI), Sep 15, 2025
The certificate thumbprint is assigned twice (lines 278 and 282). The first assignment on line 278 is redundant since it's immediately overwritten by the conditional logic.
| $newAuthCertificate = New-ExchangeSelfSignedCertificate @newCustomAuthCertificateParams | ||
| } else { | ||
| Write-Verbose "Creating a default self-signed certificate with a lifetime of 5 years" | ||
| $newAuthCertificate = New-ExchangeCertificate @newAuthCertificateParams |
Copilot (AI), Sep 15, 2025
The New-ExchangeSelfSignedCertificate function returns a PSCustomObject with Subject and Thumbprint properties, while New-ExchangeCertificate likely returns a different object structure. This inconsistency may cause issues in subsequent code that expects a specific object format.
| $newAuthCertificate = New-ExchangeCertificate @newAuthCertificateParams | |
| $certObj = New-ExchangeCertificate @newAuthCertificateParams | |
| $newAuthCertificate = [PSCustomObject]@{ | |
| Thumbprint = $certObj.Thumbprint | |
| Subject = $certObj.Subject | |
| } |
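Review bot: the normalised object built here carries only Thumbprint and Subject, while the PR description says the tenant policy rejects uploads whose lifetime exceeds 365 days; consider also carrying NotBefore and NotAfter (or the X509Certificate2 itself) so later steps can verify the validity window of the staged certificate without re-reading the certificate store by thumbprint.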
| The new Auth Certificate, which is eventually created, will be created with a lifetime of 365 days (1 year). | ||
| .EXAMPLE | ||
| .\MonitorExchangeAuthCertificate.ps1 -EnforceNewAuthCertificateCreation -CustomCertificateLifetimeInDays 365 -Confirm:$false | ||
| Runs the script in Auth Certificate enforcement mode.A new Auth Certificate is created and staged as new next Auth Certificate. |
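Review bot: the first line of this hunk reads "which is eventually created, will be created"; suggest "If a new Auth Certificate is created, it is issued with a lifetime of 365 days (1 year)." The example also passes -Confirm:$false, so the description under it should state that the confirmation prompt before the new certificate is created and staged is suppressed.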
Copilot (AI), Sep 15, 2025
Missing space after the period in 'mode.A new Auth Certificate'. Should be 'mode. A new Auth Certificate'.
| Runs the script in Auth Certificate enforcement mode.A new Auth Certificate is created and staged as new next Auth Certificate. | |
| Runs the script in Auth Certificate enforcement mode. A new Auth Certificate is created and staged as new next Auth Certificate. |
Description:
With the release of the dedicated Exchange hybrid application feature (https://learn.microsoft.com/en-us/Exchange/hybrid-deployment/deploy-dedicated-hybrid-app), customers must create an application in Microsoft Entra ID which is used by Exchange Server running in hybrid mode. As part of the application creation process, the public key of the current and new next Auth Certificate are uploaded to the application in Entra ID. The certificate is used for JWT assertion-based authentication. Some customers have a policy enforced within their tenant which prevents them from uploading certificates with a lifetime longer than 365 days as part of the keyCredentialConfiguration. The New-ExchangeCertificate cmdlet, which is used to generate the self-signed certificate used as Auth Certificate, issues self-signed certificates with a lifetime of 5 years by default. It doesn't allow specifying a different lifetime for self-signed certificates yet. This is something we plan to introduce in the future. As a workaround we decided to update the MonitorExchangeAuthCertificate.ps1 script so that it allows customers to specify the lifetime of the self-signed certificate used as Auth Certificate.
Fix:
Introduce a new function New-ExchangeSelfSignedCertificate that allows specifying a custom lifetime for the self-signed certificate. It generates a self-signed certificate by using the expected cryptographic service provider (CSP) with the extensions which are expected for the Auth Certificate.
Validation:
Lab / Validation by test team is pending
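An added example, not part of this PR or the scripts it modifies, showing the two pieces the description calls for: issuing a self-signed certificate with a caller-chosen lifetime through the built-in New-SelfSignedCertificate cmdlet (with the same ShouldProcess pattern the script uses), and checking that the resulting validity window fits a 365-day tenant policy before the public key is uploaded. The subject, provider and EKU values are assumptions and are not taken from the PR.

```powershell
# Added example; not code from PR #2347. Subject, Provider and EKU below are
# assumptions about what the Auth Certificate needs; adjust to your environment.

function New-DemoAuthCertificate {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [ValidateRange(1, 1825)]
        [int]$LifetimeInDays = 365,
        [string]$Subject = "CN=Microsoft Exchange Server Auth Certificate"
    )

    # Back-date NotBefore slightly so a fresh certificate is usable despite clock skew,
    # and derive NotAfter from it so the full validity window is exactly $LifetimeInDays.
    $notBefore = (Get-Date).AddDays(-1)
    $notAfter  = $notBefore.AddDays($LifetimeInDays)

    $params = @{
        Subject           = $Subject
        CertStoreLocation = "Cert:\LocalMachine\My"
        KeyAlgorithm      = "RSA"
        KeyLength         = 2048
        KeySpec           = "KeyExchange"
        KeyExportPolicy   = "Exportable"                                   # assumption
        Provider          = "Microsoft RSA SChannel Cryptographic Provider"   # assumption
        HashAlgorithm     = "SHA256"
        NotBefore         = $notBefore
        NotAfter          = $notAfter
        TextExtension     = @("2.5.29.37={text}1.3.6.1.5.5.7.3.1")        # EKU: Server Authentication (assumption)
    }

    # Under -WhatIf nothing is created and $null is returned; callers must check for it
    # rather than continuing with a mock thumbprint.
    if ($PSCmdlet.ShouldProcess($Subject, "Create self-signed certificate valid for $LifetimeInDays days")) {
        return New-SelfSignedCertificate @params
    }
}

function Test-AuthCertificateLifetime {
    param(
        [Parameter(Mandatory)]
        [System.Security.Cryptography.X509Certificates.X509Certificate2]$Certificate,
        [int]$MaxLifetimeInDays = 365
    )
    # A tenant policy judges the whole window (NotAfter - NotBefore), not the days remaining.
    $lifetime = ($Certificate.NotAfter - $Certificate.NotBefore).TotalDays
    return ($lifetime -le $MaxLifetimeInDays)
}

$cert = New-DemoAuthCertificate -LifetimeInDays 365
if ($null -ne $cert -and -not (Test-AuthCertificateLifetime -Certificate $cert)) {
    throw "Certificate $($cert.Thumbprint) exceeds the 365-day limit and would be rejected by the tenant policy"
}
```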