Set-EntraUserCBACertificateUserId
Sets certificate-based authentication user IDs for a user in Microsoft Entra ID using a certificate file or object.
Syntax
Set-EntraUserCBACertificateUserId
-UserId <string>
[-CertPath <string>]
[-Cert <System.Security.Cryptography.X509Certificates.X509Certificate2>]
-CertificateMapping <string[]>
[<CommonParameters>]
Description
Configures certificate-based authentication user IDs for a user in Microsoft Entra ID. Accepts a certificate file path or object, and one or more certificate mapping types to apply to the user's authorization information.
Update-EntraUserCBACertificateUserId is an alias of Set-EntraUserCBACertificateUserId.
In delegated scenarios using work or school accounts, the signed-in user must have a Microsoft Entra role or custom role with the necessary permissions. The following least privileged roles support this operation:
- Privileged Authentication Administrator (for Cloud-only users)
- Hybrid Identity Administrator (for synchronized users)
Examples
Example 1: Update user's certificate authorization information using certificate path
Connect-Entra -Scopes 'Directory.ReadWrite.All', 'User.ReadWrite.All'
Set-EntraUserCBACertificateUserId -UserId '[email protected]' -CertPath 'C:\path\to\certificate.cer' -CertificateMapping @('Subject', 'PrincipalName')
This example sets the certificate user IDs for the specified user using a certificate file, mapping both the Subject and PrincipalName fields. You can use the Get-EntraUserCBAAuthorizationInfo command to view the updated details.
Example 2: Update user's certificate authorization information using a certificate
Connect-Entra -Scopes 'Directory.ReadWrite.All', 'User.ReadWrite.All'
$text = '-----BEGIN CERTIFICATE-----
MIIDiz...=
-----END CERTIFICATE-----'
$bytes = [System.Text.Encoding]::UTF8.GetBytes($text)
$certificate = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($bytes)
Set-EntraUserCBACertificateUserId -UserId '[email protected]' -Cert $certificate -CertificateMapping @('RFC822Name', 'SKI')
This example sets the certificate user IDs for the specified user using a certificate object, mapping the RFC822Name and SKI fields. You can use the Get-EntraUserCBAAuthorizationInfo command to view the updated details.
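A pre-flight check for the two examples above, added here and not part of the Microsoft.Entra module or the original page: it inspects a certificate and reports which of the -CertificateMapping values it carries data for, so a mapping is only requested when the certificate actually contains that field. The function name Get-SupportedCbaMapping and the '<user UPN or ObjectId>' placeholder are assumptions; the certificate path is the one used in Example 1.

```powershell
# Added example: hypothetical helper, not a Microsoft.Entra cmdlet.
function Get-SupportedCbaMapping {
    param(
        [Parameter(Mandatory)]
        [System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert
    )
    $nameType  = [System.Security.Cryptography.X509Certificates.X509NameType]
    $supported = [System.Collections.Generic.List[string]]::new()

    # Issuer, subject and serial number are core X.509 fields.
    if ($Cert.Subject)                         { $supported.Add('Subject') }
    if ($Cert.Issuer -and $Cert.Subject)       { $supported.Add('IssuerAndSubject') }
    if ($Cert.Issuer -and $Cert.SerialNumber)  { $supported.Add('IssuerAndSerialNumber') }

    # SHA1PublicKey does not depend on any optional extension.
    $supported.Add('SHA1PublicKey')

    # SKI needs the Subject Key Identifier extension (OID 2.5.29.14).
    if ($Cert.Extensions['2.5.29.14']) { $supported.Add('SKI') }

    # PrincipalName: a UPN carried in the Subject Alternative Name.
    if ($Cert.GetNameInfo($nameType::UpnName, $false)) { $supported.Add('PrincipalName') }

    # RFC822Name: GetNameInfo can fall back to an e-mail in the subject, so also
    # require the SAN extension (OID 2.5.29.17). Treat this as a hint, not proof.
    if ($Cert.Extensions['2.5.29.17'] -and $Cert.GetNameInfo($nameType::EmailName, $false)) {
        $supported.Add('RFC822Name')
    }
    return $supported
}

$cert      = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new('C:\path\to\certificate.cer')
$requested = @('RFC822Name', 'SKI')

# Refuse to bind an expired certificate to the account.
if ($cert.NotAfter -lt (Get-Date)) { throw "Certificate expired on $($cert.NotAfter)." }

# Stop if any requested mapping has no backing field in the certificate.
$missing = $requested | Where-Object { $_ -notin (Get-SupportedCbaMapping -Cert $cert) }
if ($missing) { throw "Certificate has no data for: $($missing -join ', ')" }

Set-EntraUserCBACertificateUserId -UserId '<user UPN or ObjectId>' -Cert $cert -CertificateMapping $requested
```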
Parameters
-Cert
Certificate object used to extract certificate user IDs.
Type: | System.Security.Cryptography.X509Certificates.X509Certificate2 |
Aliases: | CertificateObject, Certificate |
Position: | Named |
Default value: | None |
Required: | False |
Accept pipeline input: | False |
Accept wildcard characters: | False |
-CertificateMapping
One or more certificate mapping types to be applied. Valid values are: PrincipalName, RFC822Name, IssuerAndSubject, Subject, SKI, SHA1PublicKey, and IssuerAndSerialNumber.
Type: | System.String[] |
Position: | Named |
Default value: | None |
Required: | True |
Accept pipeline input: | False |
Accept wildcard characters: | False |
-CertPath
Path to the certificate file.
Type: | System.String |
Aliases: | CertificatePath |
Position: | Named |
Default value: | None |
Required: | False |
Accept pipeline input: | False |
Accept wildcard characters: | False |
-UserId
Specifies the ID of a user (as a UserPrincipalName or ObjectId) in Microsoft Entra ID.
Type: | System.String |
Aliases: | ObjectId, UPN, Identity, UserPrincipalName |
Position: | Named |
Default value: | None |
Required: | True |
Accept pipeline input: | False |
Accept wildcard characters: | False |