Get-MsalToken fails for some users, references a .NET in error message.

[hughj4]

We are using the same version of PoweShell (5.1.19041.2673) and MSAL.PS (4.36.1.2). Also, referencing the same Azure Tenant, Azure App Registration and certificate. All laptops connected to the same network and have similar age and configuration.

Executed the following script for three of us. It worked for me but failed for 2 of my co-workers.

$subject=""
$Tenant = ""
$ClientID = ""

$subjectName = "CN=$($subject)"
$cert = Get-ChildItem Cert:\CurrentUser\My | where-object { $_.Subject -eq $subjectName } | Select-Object * | Sort-Object -desc NotAfter | Select-Object -first 1
$ThbPrint = $cert.Thumbprint
$connectionDetails = @{
'TenantId' = $Tenant
'ClientId' = $ClientID
}

$connectionDetails += @{'ClientCertificate' = Get-Item -Path "Cert:\CurrentUser\My\$($ThbPrint)" }
$token = Get-MsalToken @connectionDetails

They receive the following error message:
"Get-MsalToken : Could not use the certificate for signing. See inner exception for details. Possible cause: this may be a known issue with apps build against .NET Desktop 4.6 or lower. Either target a higher version of .NET desktop - 4.6.1 and above, or use a different certificate type (non-CNG) or sign your own assertion as described at https://aka.ms/msal-net-signed-assertion. At C:\PShell\Scripts - Outlook Rooms\testroom.ps1:137 char:18 + $token = Get-MsalToken @connectionDetails + ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + CategoryInfo : AuthenticationError: (Microsoft.Ident...arameterBuilder:AcquireTokenForClientParameterBuilder) [Write-Error], MsalClientException + FullyQualifiedErrorId : GetMsalTokenFailureAuthenticationError,Get-MsalToken"

We tried installing https://dotnet.microsoft.com/en-us/download/dotnet/thank-you/runtime-desktop-6.0.15-windows-x64-installer
List of .NET versions:
dotnet --list-runtimes
Microsoft.AspNetCore.App 7.0.4 [C:\Program Files\dotnet\shared\Microsoft.AspNetCore.App]
Microsoft.NETCore.App 3.1.28 [C:\Program Files\dotnet\shared\Microsoft.NETCore.App]
Microsoft.NETCore.App 6.0.15 [C:\Program Files\dotnet\shared\Microsoft.NETCore.App]
Microsoft.NETCore.App 7.0.4 [C:\Program Files\dotnet\shared\Microsoft.NETCore.App]
Microsoft.WindowsDesktop.App 6.0.15 [C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App]
Microsoft.WindowsDesktop.App 7.0.4 [C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App]

[hughj4]

The reason it worked for me is because I had MicrosoftTeams module loaded where others did not. MicrosoftTeams loaded first so I am using an MSTeams version. Replaced the Microsoft.Identity.Client. and Microsoft.Identity.Client.Desktop in ...WindowsPowerShell\Modules\MSAL.PS\4.37.0.0\Microsoft.Identity.Client.4.37.0\net45 and .. Desktop\net45 with MSTeams version. For PowerShell 5 also required "authority cannotbe found fix", #45.

[hughj4]

This is a work around not a fix. Keeping it open.

[bgavrilMS]

This is because MSAL.PS targets MSAL.NET for net45 instead of net461. net45 has poor crypto support.