pnp · gautamdsheth · Apr 15, 2025 · Apr 15, 2025
diff --git a/src/Commands/AzureAD/RegisterAzureADApp.cs b/src/Commands/AzureAD/RegisterAzureADApp.cs
@@ -94,11 +94,6 @@ public class RegisterAzureADApp : BasePSCmdlet, IDynamicParameters
 
         protected override void ProcessRecord()
         {
-            if (!PSUtility.IsUserLocalAdmin())
-            {
-                throw new PSArgumentException("Running this cmdlet requires elevated permissions (Run as Admin) to generate a certificate.");
-            }
-
             if (ParameterSpecified(nameof(Store)) && !OperatingSystem.IsWindows())
             {
                 throw new PSArgumentException("The Store parameter is only supported on Microsoft Windows");
@@ -470,7 +465,7 @@ private X509Certificate2 GetCertificate(PSObject record)
 
                 try
                 {
-                    cert = new X509Certificate2(CertificatePath, CertificatePassword, X509KeyStorageFlags.Exportable | X509KeyStorageFlags.MachineKeySet | X509KeyStorageFlags.PersistKeySet);
+                    cert = new X509Certificate2(CertificatePath, CertificatePassword, X509KeyStorageFlags.Exportable | X509KeyStorageFlags.UserKeySet | X509KeyStorageFlags.PersistKeySet);
                 }
                 catch (CryptographicException e) when (e.Message.Contains("The specified password is not correct"))
                 {
@@ -658,7 +653,6 @@ private void StartConsentFlow(string loginEndPoint, AzureADApp azureApp, string
             progressRecord.RecordType = ProgressRecordType.Completed;
             WriteProgress(progressRecord);
 
-
             if (!Stopping)
             {
                 if (ParameterSpecified(nameof(DeviceLogin)))
@@ -685,9 +679,7 @@ private void StartConsentFlow(string loginEndPoint, AzureADApp azureApp, string
                         authManager.ClearTokenCache();
                         authManager.GetAccessToken(resource, Microsoft.Identity.Client.Prompt.Consent);
                     }
-
                 }
-                WriteObject(record);
             }
 
             WriteObject(record);

diff --git a/src/Commands/AzureAD/RegisterEntraIDAppForInteractiveLogin.cs b/src/Commands/AzureAD/RegisterEntraIDAppForInteractiveLogin.cs
@@ -49,11 +49,6 @@ public class RegisterEntraIDAppForInteractiveLogin : BasePSCmdlet, IDynamicParam
 
         protected override void ProcessRecord()
         {
-            if (!PSUtility.IsUserLocalAdmin())
-            {
-                throw new PSArgumentException("Running this cmdlet requires elevated permissions (Run as Admin) to generate a certificate.");
-            }
-
             var redirectUri = "http://localhost";
             // if (ParameterSpecified(nameof(DeviceLogin)) || OperatingSystem.IsMacOS())
             if (ParameterSpecified(nameof(DeviceLogin)) || OperatingSystem.IsMacOS())

diff --git a/src/Commands/Base/ConnectOnline.cs b/src/Commands/Base/ConnectOnline.cs
@@ -1,4 +1,6 @@
-using PnP.PowerShell.Commands.Base.PipeBinds;
+using Microsoft.SharePoint.Client;
+using PnP.Framework;
+using PnP.PowerShell.Commands.Base.PipeBinds;
 using PnP.PowerShell.Commands.Enums;
 using PnP.PowerShell.Commands.Model;
 using PnP.PowerShell.Commands.Provider;
@@ -13,9 +15,7 @@
 using System.Threading;
 using System.Threading.Tasks;
 using File = System.IO.File;
-using PnP.Framework;
 using Resources = PnP.PowerShell.Commands.Properties.Resources;
-using Microsoft.SharePoint.Client;
 
 namespace PnP.PowerShell.Commands.Base
 {
@@ -591,7 +591,7 @@ private PnPConnection ConnectAppOnlyWithCertificate()
                 if (!ParameterSpecified(nameof(X509KeyStorageFlags)))
                 {
                     X509KeyStorageFlags = X509KeyStorageFlags.Exportable |
-                        X509KeyStorageFlags.MachineKeySet |
+                        X509KeyStorageFlags.UserKeySet |
                         X509KeyStorageFlags.PersistKeySet;
                 }
 
@@ -612,7 +612,7 @@ private PnPConnection ConnectAppOnlyWithCertificate()
                 if (!ParameterSpecified(nameof(X509KeyStorageFlags)))
                 {
                     X509KeyStorageFlags = X509KeyStorageFlags.Exportable |
-                        X509KeyStorageFlags.MachineKeySet |
+                        X509KeyStorageFlags.UserKeySet |
                         X509KeyStorageFlags.PersistKeySet;
                 }
                 var certificate = new X509Certificate2(certificateBytes, CertificatePassword, X509KeyStorageFlags);
@@ -821,7 +821,7 @@ private PnPConnection ConnectEnvironmentVariable(InitializationType initializati
                 if (!ParameterSpecified(nameof(X509KeyStorageFlags)))
                 {
                     X509KeyStorageFlags = X509KeyStorageFlags.Exportable |
-                        X509KeyStorageFlags.MachineKeySet |
+                        X509KeyStorageFlags.UserKeySet |
                         X509KeyStorageFlags.PersistKeySet;
                 }
 
@@ -984,8 +984,6 @@ private PSCredential GetCredentials()
         private string GetAppId()
         {
             var connectionUri = new Uri(Url);
-
-
             // Try to get the credentials by full url
             string appId = PnPConnection.GetCacheClientId(connectionUri.ToString()) ?? Utilities.CredentialManager.GetAppId(connectionUri.ToString());
             if (appId == null)

diff --git a/src/Commands/Base/GetAzureCertificate.cs b/src/Commands/Base/GetAzureCertificate.cs
@@ -1,10 +1,10 @@
-using System.Management.Automation;
+using PnP.PowerShell.Commands.Utilities;
 using System;
+using System.Linq;
+using System.Management.Automation;
 using System.Security;
-using System.Security.Cryptography.X509Certificates;
-using PnP.PowerShell.Commands.Utilities;
 using System.Security.Cryptography;
-using System.Linq;
+using System.Security.Cryptography.X509Certificates;
 
 namespace PnP.PowerShell.Commands.Base
 {
@@ -28,7 +28,7 @@ protected override void ProcessRecord()
             }
             if (System.IO.File.Exists(Path))
             {
-                var certificate = new X509Certificate2(Path, Password, X509KeyStorageFlags.Exportable | X509KeyStorageFlags.MachineKeySet);
+                var certificate = new X509Certificate2(Path, Password, X509KeyStorageFlags.Exportable | X509KeyStorageFlags.UserKeySet);
                 WriteAzureCertificateOutput(this, certificate, Password);
             }
             else
@@ -88,7 +88,7 @@ internal static void WriteAzureCertificateOutput(BasePSCmdlet cmdlet, X509Certif
                 certificate: CertificateHelper.CertificateToBase64(certificate),
                 privateKey: CertificateHelper.PrivateKeyToBase64(certificate),
                 sanNames: certificate.Extensions.Cast<X509Extension>()
-                                                .Where(n => n.Oid.FriendlyName=="Subject Alternative Name")
+                                                .Where(n => n.Oid.FriendlyName == "Subject Alternative Name")
                                                 .Select(n => new AsnEncodedData(n.Oid, n.RawData))
                                                 .Select(n => n.Format(false))
                                                 .FirstOrDefault().Split(',', StringSplitOptions.TrimEntries)

diff --git a/src/Commands/Base/NewAzureCertificate.cs b/src/Commands/Base/NewAzureCertificate.cs
@@ -54,11 +54,6 @@ protected override void ProcessRecord()
                 throw new PSArgumentException("The Store parameter is only supported on Microsoft Windows");
             }
 
-            if (!PSUtility.IsUserLocalAdmin())
-            {
-                throw new PSArgumentException("Running this cmdlet requires elevated permissions (Run as Admin) to generate a certificate.");
-            }
-
             if (ValidYears < 1 || ValidYears > 30)
             {
                 ValidYears = 10;

diff --git a/src/Commands/PnP.PowerShell.csproj b/src/Commands/PnP.PowerShell.csproj
@@ -66,6 +66,7 @@
 		<PackageReference Include="PnP.Core.Admin" Version="1.14.*-*" Condition="'$(IsRelease)' == '1'" />
 
 		<PackageReference Include="Microsoft.Identity.Client.Extensions.Msal" Version="4.70.2" />
+		<PackageReference Include="Microsoft.Bcl.Cryptography" Version="9.0.2" />
 
 		<ProjectReference Include="..\ALC\PnP.PowerShell.ALC.csproj" />
 

diff --git a/src/Commands/Utilities/CertificateHelper.cs b/src/Commands/Utilities/CertificateHelper.cs
@@ -129,7 +129,7 @@ internal static X509Certificate2 GetCertificateFromStore(string thumbprint)
         internal static X509Certificate2 GetCertificateFromPath(Cmdlet cmdlet, string certificatePath, SecureString certificatePassword,
             X509KeyStorageFlags x509KeyStorageFlags =
                         X509KeyStorageFlags.Exportable |
-                        X509KeyStorageFlags.MachineKeySet |
+                        X509KeyStorageFlags.UserKeySet |
                         X509KeyStorageFlags.PersistKeySet)
         {
             if (System.IO.File.Exists(certificatePath))
@@ -268,7 +268,7 @@ internal static X509Certificate2 CreateSelfSignedCertificate(string commonName,
             X500DistinguishedName distinguishedName = new X500DistinguishedName(distinguishedNameString);
 
 #pragma warning disable CA1416 // Validate platform compatibility
-            using (RSA rsa = Platform.IsWindows ? MakeExportable(new RSACng(2048)) : RSA.Create(2048))
+            using (RSA rsa = RSA.Create(2048))
             {
                 var request = new CertificateRequest(distinguishedName, rsa, HashAlgorithmName.SHA256, RSASignaturePadding.Pkcs1);
 
@@ -287,8 +287,14 @@ internal static X509Certificate2 CreateSelfSignedCertificate(string commonName,
                 {
                     certificate.FriendlyName = friendlyName;
                 }
+                string passString = password != null ? CredentialManager.SecureStringToString(password) : null;
 
-                return new X509Certificate2(certificate.Export(X509ContentType.Pfx, password), password, X509KeyStorageFlags.Exportable | X509KeyStorageFlags.MachineKeySet | X509KeyStorageFlags.PersistKeySet);
+                if (PSUtility.PSVersion == "7.5")
+                {
+                    return X509CertificateLoader.LoadPkcs12(certificate.Export(X509ContentType.Pfx, password), passString, X509KeyStorageFlags.Exportable | X509KeyStorageFlags.UserKeySet | X509KeyStorageFlags.PersistKeySet);
+                }
+
+                return new X509Certificate2(certificate.Export(X509ContentType.Pfx, password), password, X509KeyStorageFlags.Exportable | X509KeyStorageFlags.UserKeySet | X509KeyStorageFlags.PersistKeySet);
             }
 #pragma warning restore CA1416 // Validate platform compatibility
         }

diff --git a/src/Commands/Utilities/CredentialManager.cs b/src/Commands/Utilities/CredentialManager.cs
@@ -1,4 +1,7 @@
-using System;
+using Microsoft.Identity.Client.Extensions.Msal;
+using Microsoft.Win32.SafeHandles;
+using PnP.Framework.Modernization.Cache;
+using System;
 using System.Linq;
 using System.Management.Automation;
 using System.Management.Automation.Runspaces;
@@ -7,9 +10,6 @@
 using System.Runtime.InteropServices;
 using System.Security;
 using System.Text;
-using Microsoft.Identity.Client.Extensions.Msal;
-using Microsoft.Win32.SafeHandles;
-using PnP.Framework.Modernization.Cache;
 using FILETIME = System.Runtime.InteropServices.ComTypes.FILETIME;
 
 [assembly: InternalsVisibleTo("PnP.PowerShell.Tests")]
@@ -498,7 +498,7 @@ private static PSCredential ReadMacOSKeyChainEntry(string applicationName)
             }
             return null;
         }
-        private static void WriteMacOSKeyChainEntry(string applicationName,string password)
+        private static void WriteMacOSKeyChainEntry(string applicationName, string password)
         {
             var keychain = new MacOSKeychain();
             keychain.AddOrUpdate(applicationName, applicationName, password.ToByteArray());
@@ -507,14 +507,14 @@ private static void WriteMacOSKeyChainEntry(string applicationName,string passwo
         private static bool DeleteMacOSKeyChainEntry(string name)
         {
             var keychain = new MacOSKeychain();
-            return keychain.Remove(name,name);
+            return keychain.Remove(name, name);
             // var cmd = $"/usr/bin/security delete-generic-password -s '{name}'";
             // var output = Shell.Bash(cmd);
             // var success = output.Count > 1 && !output[0].StartsWith("security:");
             // return success;
         }
 
-        private static string SecureStringToString(SecureString value)
+        public static string SecureStringToString(SecureString value)
         {
             IntPtr valuePtr = IntPtr.Zero;
             try