Merge pull request #13453 from MicrosoftDocs/CBACert-chrisda

CBAcert-chrisda to Main

Author: chrisda

exchange/docs-conceptual/app-only-auth-powershell-v2.md

@@ -1,6 +1,6 @@
 ---
 title: App-only authentication in Exchange Online PowerShell and Security & Compliance PowerShell
-ms.date: 02/27/2026
+ms.date: 03/11/2026
 ms.audience: Admin
 audience: Admin
 ms.topic: article
@@ -18,7 +18,7 @@ description: "Learn how to configure app-only authentication (also known as cert
 
 Auditing and reporting scenarios in Microsoft 365 often involve unattended scripts in Exchange Online PowerShell and Security & Compliance PowerShell. In the past, unattended sign in required you to store the username and password in a local file or in a secret vault accessed at run-time. But, as we all know, storing user credentials locally isn't a good security practice.
 
-Certificate based authentication (CBA) or app-only authentication as described in this article supports unattended script and automation scenarios by using Microsoft Entra apps and self-signed certificates.
+Certificate based authentication (CBA) or app-only authentication as described in this article supports unattended script and automation scenarios by using Microsoft Entra apps and certificates.
 
 > [!NOTE]
 >
@@ -151,16 +151,16 @@ For a detailed visual flow about creating applications in Microsoft Entra ID, se
 
    An application object has the **Delegated** API permission **Microsoft Graph** \> **User.Read** by default. For the application object to access resources in Exchange, it needs the **Application** API permission **Office 365 Exchange Online** \> **Exchange.ManageAsApp**.
 
-3. [Generate a self-signed certificate](#step-3-generate-a-self-signed-certificate)
+3. [Generate a certificate](#step-3-generate-a-certificate)
 
    - For app-only authentication in Microsoft Entra ID, you typically use a certificate to request access. Anyone who has the certificate and its private key can use the app with the permissions granted to the app.
 
-   - Create and configure a self-signed X.509 certificate, which is used to authenticate your Application against Microsoft Entra ID, while requesting the app-only access token.
+   - Create and configure an X.509 certificate, which is used to authenticate your Application against Microsoft Entra ID, while requesting the app-only access token. The certificate can be self-signed.
 
-   - This procedure is similar to generating a password for user accounts. The certificate can be self-signed as well. See [this section](#step-3-generate-a-self-signed-certificate) later in this article for instructions to generate certificates in PowerShell.
+   - This procedure is similar to generating a password for user accounts. See [this section](#step-3-generate-a-certificate) later in this article for instructions to generate certificates in PowerShell.
 
      > [!NOTE]
-     > Cryptography: Next Generation (CNG) certificates aren't supported for app-only authentication with Exchange. CNG certificates are created by default in modern versions of Windows. You must use a certificate from a CSP key provider. [This section](#step-3-generate-a-self-signed-certificate) section covers two supported methods to create a CSP certificate.
+     > Cryptography: Next Generation (CNG) certificates aren't supported for app-only authentication with Exchange. CNG certificates are created by default in modern versions of Windows. You must use a certificate from a CSP key provider. [This section](#step-3-generate-a-certificate) section covers two supported methods to create a CSP certificate.
 
 4. [Attach the certificate to the Microsoft Entra application](#step-4-attach-the-certificate-to-the-microsoft-entra-application)
 
@@ -334,27 +334,36 @@ Choose **one** of the following methods in this section to assign API permission
 
 6. Close the current **API permissions** page (not the browser tab) to return to the **App registrations** page. You use the **App registrations** page in an upcoming step.
 
-### Step 3: Generate a self-signed certificate
+<a name="step-3-generate-a-self-signed-certificate"></a>
 
-Create a self-signed x.509 certificate using one of the following methods:
+### Step 3: Generate a certificate
 
-- (Recommended) Use the [New-SelfSignedCertificate](/powershell/module/pki/new-selfsignedcertificate), [Export-Certificate](/powershell/module/pki/export-certificate), and [Export-PfxCertificate](/powershell/module/pki/export-pfxcertificate) cmdlets in an elevated (run as administrator) Windows PowerShell session to request a self-signed certificate and export it to `.cer` and `.pfx` (SHA1 by default). For example:
+> [!NOTE]
+> Cryptography: Next Generation (CNG) certificates aren't supported for app-only authentication as described in this article. CNG certificates are created by default in modern Windows versions. You need to use a certificate from a CSP key provider.
+>
+> You can use a self-signed certificate, a certificate issued by an internal public key infrastructure or PKI (for example, Active Directory Certificate Services or AD CS), or a certificate issued by a trusted commercial certificate authority (CA).
+>
+> The only requirements for the X.509 certificate are an exportable and available private key (.pfx) and public certificate (.cer).
 
-  ```powershell
-  # Create certificate
-  $mycert = New-SelfSignedCertificate -DnsName "contoso.org" -CertStoreLocation "cert:\CurrentUser\My" -NotAfter (Get-Date).AddYears(1) -KeySpec KeyExchange
+For a **self-signed certificate**, use one of the following methods:
 
-  # Export certificate to .pfx file
-  $mycert | Export-PfxCertificate -FilePath mycert.pfx -Password (Get-Credential).password
+- (Recommended): Use the [New-SelfSignedCertificate](/powershell/module/pki/new-selfsignedcertificate), [Export-Certificate](/powershell/module/pki/export-certificate) and [Export-PfxCertificate](/powershell/module/pki/export-pfxcertificate) cmdlets in an elevated PowerShell session (a PowerShell window you opened after selecting **Run as administrator**) to request a self-signed certificate and export the certificate's private and public keys to files (SHA1 by default). For example:
 
-  # Export certificate to .cer file
-  $mycert | Export-Certificate -FilePath mycert.cer
-  ```
+    ```powershell
+    # Create a self-signed certificate
+    $mycert = New-SelfSignedCertificate -DnsName "contoso.org" -CertStoreLocation "cert:\CurrentUser\My" -NotAfter (Get-Date).AddYears(1) -KeySpec KeyExchange
+
+    # Export the X.509 certificate and the associated private key to a password-protected .pfx file
+    $mycert | Export-PfxCertificate -FilePath mycert.pfx -Password (Get-Credential).password
+
+    # Export the X.509 public certificate to a .cer file
+    $mycert | Export-Certificate -FilePath mycert.cer
+    ```
 
 - Use the [Create-SelfSignedCertificate script](https://github.com/SharePoint/PnP-Partner-Pack/blob/master/scripts/Create-SelfSignedCertificate.ps1) script to generate SHA1 certificates.
 
   ```powershell
-  .\Create-SelfSignedCertificate.ps1 -CommonName "MyCompanyName" -StartDate 2021-01-06 -EndDate 2022-01-06
+  .\Create-SelfSignedCertificate.ps1 -CommonName "MyCompanyName" -StartDate 2026-01-06 -EndDate 2027-01-06
   ```
 
 ### Step 4: Attach the certificate to the Microsoft Entra application
@@ -375,7 +384,7 @@ After you register the certificate with your application, you can use the privat
 
    ![Select Upload certificate on the Certificates & secrets page.](media/exo-app-only-auth-select-upload-certificate.png)
 
-   In the dialog that opens, browse to the self-signed certificate (`.cer` file) that you created in [Step 3](#step-3-generate-a-self-signed-certificate).
+   In the dialog that opens, browse to the public certificate (`.cer` file) you exported in [Step 3](#step-3-generate-a-certificate).
 
    ![Browse to the certificate and then select Add.](media/exo-app-only-auth-upload-certificate-dialog.png)
 
@@ -405,19 +414,17 @@ For more information about the URL syntax, see [Request the permissions from a d
 
 You have the following options:
 
-- **Option 1: Assign Microsoft Entra roles to the application**: Use built-in Microsoft Entra roles to grant all permissions of the role. You can't customize or scope these roles.
- 
-- **Option 2: Assign custom role groups to the application using service principals**: We recommend this option in the following scenarios:
+- [Option 1: Assign Microsoft Entra roles to the application](#option-1-assign-microsoft-entra-roles-to-the-application): Use built-in Microsoft Entra roles to grant all permissions of the role. You can't customize or scope these roles.
+
+- [Option 2: Assign custom role groups to the application using service principals](#option-2-assign-custom-role-groups-to-the-application-using-service-principals): We recommend this option in the following scenarios:
   - You need to restrict the available commands in your application.
   - You need to use a Write scope to limit which recipients can be modified.
 
- - **Option 3: Combine Microsoft Entra roles with custom role groups**: We recommend this method to extend a built-in Microsoft Entra role (for example, the **Exchange Recipient Administrator** role) by granting extra permissions from a custom role.
+- <u>Option 3: Combine Microsoft Entra roles with custom role groups</u>: RBAC combines permissions from all sources. We recommend this method to extend the capabilities of a built-in Microsoft Entra role. For example, you can extend the capabilities of the **Exchange Recipient Administrator** role by granting extra permissions from a custom role.
 
 These options are described in the following subsections.
 
 > [!NOTE]
-> RBAC combines permissions from all sources. For example, you can use the **Exchange Recipient Administrator** role in Microsoft Entra and also assign your custom RBAC role to extend the permissions.
->
 > For multitenant applications in **Exchange Online** delegated scenarios, you need to assign permissions in each customer tenant.
 
 <a name="assign-microsoft-entra-roles-to-the-application"></a>