From 2b320f4ec3af3b46dd361e558395ea119ec2c7a0 Mon Sep 17 00:00:00 2001
From: mawasile <50197777+mawasile@users.noreply.github.com>
Date: Thu, 11 Jul 2024 18:33:25 +0200
Subject: [PATCH] Add certificate based authentication for the provider (#352)

* adding cert based auth

* Update index.md.tmpl for typo

---------

Co-authored-by: Matt Dotson <mattdot@users.noreply.github.com>
---
 docs/index.md                                 |  52 +++++++-
 .../powerplatform_environments/cert.pkcs12    | Bin 0 -> 4435 bytes
 go.mod                                        |   1 +
 go.sum                                        |   2 +
 internal/powerplatform/api/auth.go            |  33 +++++-
 internal/powerplatform/config/config.go       |  39 +++---
 internal/powerplatform/helpers/cert.go        |  75 ++++++++++++
 internal/powerplatform/provider.go            | 111 +++++++++++++-----
 templates/index.md.tmpl                       |  54 ++++++++-
 9 files changed, 316 insertions(+), 51 deletions(-)
 create mode 100644 examples/data-sources/powerplatform_environments/cert.pkcs12
 create mode 100644 internal/powerplatform/helpers/cert.go

diff --git a/docs/index.md b/docs/index.md
index b35103583..b4cd1d3f9 100644
--- a/docs/index.md
+++ b/docs/index.md
@@ -84,6 +84,7 @@ provider "powerplatform" {
 ```
 
 Additional Resources about OIDC:
+
 * [OpenID Connect authentication with Microsoft Entra ID](https://learn.microsoft.com/entra/architecture/auth-oidc)
 * [Configuring OpenID Connect for GitHub and Microsoft Entra ID](https://docs.github.com/en/actions/deployment/security-hardening-your-deployments/configuring-openid-connect-in-azure)
 
@@ -95,6 +96,49 @@ The Power Platform provider can use a Service Principal with Client Secret to au
 1. [Register your app registration with Power Platform](https://learn.microsoft.com/power-platform/admin/powerplatform-api-create-service-principal#registering-an-admin-management-application)
 1. Configure the provider to use a Service Principal with a Client Secret with either environment variables or using Terraform variables
 
+### Authenticating to Power Platfomr using Service Principal and certificate
+
+1. [Create an app registration for the Power Platform Terraform Provider](guides/app_registration.md)
+1. [Register your app registration with Power Platform](https://learn.microsoft.com/power-platform/admin/powerplatform-api-create-service-principal#registering-an-admin-management-application)
+1. Generate a certificate using openssl or other tools
+
+```bash
+openssl req -x509 -newkey rsa:4096 -keyout key.pem -out cert.pem -sha256 -days 365
+```
+
+4. Merge public and private part of the certificate files together
+
+Using linux shell
+
+```bash
+cat *.pem > cert+key.pem
+```
+
+Using Powershell
+
+```powershell
+Get-Content .\cert.pem, .\key.pem | Set-Content cert+key.pem
+```
+
+5. Generate pkcs12 file
+
+```bash
+openssl pkcs12 -export -out cert.pkcs12 -in cert+key.pem
+```
+
+6. Add public part of the certificate (`cert.pem` file) to the app registration
+7. Store your key.pem and the password used to generate in a safe place
+8. Configure the provider to use certificate with the following code:
+
+```terraform
+provider "powerplatform" {
+  client_id     = var.client_id
+  tenant_id     = var.tenant_id
+  client_certificate_file_path = "${path.cwd}/cert.pkcs12"
+  client_certificate_password  = var.cert_pass
+}
+```
+
 #### Using Environment Variables
 
 We recomend using Environment Variables to pass the credentials to the provider.
@@ -104,12 +148,18 @@ We recomend using Environment Variables to pass the credentials to the provider.
 | `POWER_PLATFORM_CLIENT_ID` | The service principal client id | |
 | `POWER_PLATFORM_CLIENT_SECRET` | The service principal secret | |
 | `POWER_PLATFORM_TENANT_ID` | The guid of the tenant | |
+| `POWER_PLATFORM_CLOUD` | override for the cloud used (default is `public`) | |
+| `POWER_PLATFORM_USE_OIDC` | if set to `true` then OIDC authentication will be used | |
+| `POWER_PLATFORM_USE_CLI` | if set to `true` then Azure CLI authentication will be used | |
+| `POWER_PLATFORM_CLIENT_CERTIFICATE` | The Base64 format of your certificate that will be used to certificate based authentication | |
+| `POWER_PLATFORM_CLIENT_CERTIFICATE_FILE_PATH` | The path to the certificate that will be used to certificate based authentication | |
+| `POWER_PLATFORM_CLIENT_CERTIFICATE_PASSWORD` | Password for the provider certificate | |
 
 -> Variables passed into the provider will override the environment variables.
 
 #### Using Terraform Variables
 
-Alternatively, you can configure the provider using variables in your Terraform configuration which can be passed in via [command line parameters](https://developer.hashicorp.com/terraform/language/values/variables#variables-on-the-command-line), [a `*.tfvars` file](https://developer.hashicorp.com/terraform/language/values/variables#variable-definitions-tfvars-files), or [environment variables](https://developer.hashicorp.com/terraform/language/values/variables#environment-variables).  If you choose to use variables, please be sure to [protect sensitive input variables](https://developer.hashicorp.com/terraform/tutorials/configuration-language/sensitive-variables) so that you do not expose your credentials in your Terraform configuration. 
+Alternatively, you can configure the provider using variables in your Terraform configuration which can be passed in via [command line parameters](https://developer.hashicorp.com/terraform/language/values/variables#variables-on-the-command-line), [a `*.tfvars` file](https://developer.hashicorp.com/terraform/language/values/variables#variable-definitions-tfvars-files), or [environment variables](https://developer.hashicorp.com/terraform/language/values/variables#environment-variables).  If you choose to use variables, please be sure to [protect sensitive input variables](https://developer.hashicorp.com/terraform/tutorials/configuration-language/sensitive-variables) so that you do not expose your credentials in your Terraform configuration.
 
 ```terraform
 provider "powerplatform" {
diff --git a/examples/data-sources/powerplatform_environments/cert.pkcs12 b/examples/data-sources/powerplatform_environments/cert.pkcs12
new file mode 100644
index 0000000000000000000000000000000000000000..a70a7085a367c888ed51d448092c3b1d46b7a495
GIT binary patch
literal 4435
zcmai&Ra6v=)`rQU8%4TNkeH!Ua_FH!y2OE@k&=d?Te?eHKpIKu?#>}Zx<R^*XZ`>B
zzRPp5*IxU5FZRBB-nD^nB2^S*R3MxP9e~9aA|G;%hm3)o3n#ongA<+u;e^LPIAG~t
z3y=#34F8q-QIL`TwvK-tWT44E13Dg10|@$e#04^;5n|VXZR0qXFy>2h@L7^jQ&CVb
zk$|`W%>Ubpf`yI*qy}J_hR7p-L`6epLnHi2$F$|}!#SHTKohc_UMA-c2dFKGsd=6(
z`el>YzK|lGnB0B8%ED1}c^FPDcgko)@G1G%3Plk|@~89X{oSDJ#o*2CRsWHbgnaLm
z42}8~?m#G4Ez%!@Z*G-a?#+Ga+_8DqTBHinZcoR{Dn)to*{V_x6p=@%v^ITc6R?KC
z-Q3OhAISViYP8Y~pQ1LXsT^CNYWl!chVH=z;4#B_Vqex!oyZ)Wv?!uSQqV{Co6}SL
z@7T1u6HHW^bY3VrHTw0B#fC9|d78@Y&y0IFqUy0p3CN-x2A#6qyc`r-Uemya{e^<g
z+ghZ_xQG<5bUbR->~uJ}ckr~)=qsgQL17~C_A$a{DQ9EJb#e+|#7TwkLTs!70a50!
zXQkyeRh+=<O&YeFF(F{9%BqKe&Dqa|k&&j!y5|6`aV4;7Of+GT{zdV|=PlKbZs!S!
z)noo0z*X-%69m4<SMn|cKTU43f;j(PpBN-?(T(qm!bCnuQ~*{aefeJ93RxiAz^Wy(
zx6z+sfHCvh5mMo*A&~Qtpj0ZhoJ?FrgzN+%=>fX@vH|UG!O+7&=tMX}H>i3IV!pOV
z1-MD3UKB%1i7UQOx&pl&m~5wthT~YSm1#HFT4~~mzu49RK-qP^J9lKG5hd5QuFfW-
zusVxoM=HN&QlafqZ|9EWm|vJEUo3fVfto^UR#phi<3ex@kFP6NWuAm2$L~S`R@&&E
zmu)0E2$Kd^9Q24JSu-ZBPPmdR!{MR}*k#6@#;nE0DfVLA+_JOtspdv`va43VYSx#1
z_=2zQT9bG}*Y&Wl!{RV_e71-z?zHgeAyr#=HKLk1DDYC}&t&?Ln%U1li>NU?Djj86
zBTe1wjHkDfW;v^lz!ze96g;~D-;$G&16^twm4WryO3Bzg(L|@KY5OB~Uz4fIyv*Nt
zGMsRJUEH`qZtgOe2_7)^q=DwOjJ#6M6SkK?FS@rl`_TAJgA4alttd=3n+3HjT(L*n
z^wlZWDZPn!+-CH^<ZDq*#j6r$P#2S?@N)=-)`4f^n*=qZewfB;JGKINK$wPn7}u`V
zfD)XSXgIbOF0;o_2lY)P(X6k3(f*!*Fo~vKb10Y~5`)bd!6nDLbL|>mx>+=57qp9!
z`q9XivWYa#&}g~e!E-lmp}b;}<*Y?Se?B9A$7E>!z^{=)+aN)yW5d;1FzOw_nd=A9
zwMO#ZU!x+0Kfg~PK8unj4rqH`H5gWaCiur(gKnE;S}iC)XzT$FnT=$~F6)cluf23y
z;a<{L2w+(cE_a+(Ce3JSkTs&A0zvf5%9C2t*wP{cC);i!uMaAf0<@m9PBlVvk}iyq
z2lzj;)=5YnYBK(|?|jZT4x5qISM|+hWqb`;=zV=V*8s5MCYF(s(Bq5t_x79CrgN}G
z1I+eVH~!f?R9HWKJPxN*ce%Q<m`N16P{+gQ%I_GPp#Y&*;Qztc^ow!uW4w4ytK!5L
zJ$fb>)3tw1_?uzT(+?Q}EBP_J`>_CxFT791Iu1ASDFhmM)Z@5hL9T@Y<tXCI&rDyw
zKF@E-oec`7CVdeeRahMPs3oSX4>^9)i92|~+<w=d(zz|c%F{Xuktrq-kb@~yy}dJ&
z=f`iLe*kf8ze~9egn_Qb%$vE}q1U?)nBQZ{tElnfomI#Ot=y+9QfK3bLaCPLY}&v@
zJ4}(?v?&{Dcp?7#ti%pC-IZqXjx`k%#VKLkb6``{1QMfi=6dwYcBhDAi!jOp(eV9?
ztD5iC6;}Ft@>kuu`nLoi^}uZUu+NTC1^M|RZ^X|cml7llTD)ECI!ax@v+?+i)9^AG
zZrs9q<$g=I-aJ-4x9TgeL!Ewimg^g+hCj*p?S9B=U`4x3b&-d(5Wn@St%1jvtwhnP
zMHO)AfJQ}R?ZduwekEz1PqV%JI;z7Ns`5d$ik`K22I@-zU4EcbEIIPr%&IF^Ty=~+
zqG2lHxB0At{3VjXJq@=@7<-v5lE`Uow}Y1~eYFe;ZMtixv6>iN=`8C#Ljmr9g!OCh
zh6MnH77wP#k{7dtbcv&z?PIxVmE};24%u`webr#6t^C)(P(i;xGCw5s0b9jf?ef}t
zsEDrE%E2I%r~Yx~^GUboGmyO8n^%54QVDpixv*>LVRtsI<oMM{H;i5h7BXi(>##B)
z92@r^PW=~rSdVCMtXm))>+)}%0dW4GiMZIvD1XhSzheFW0v&QCM5Xw!jZaBwH^X<{
zVDNu}j)r>s?p~n~7q4~QjF|Pa<KGL^pr3Yl)S4XPvYHn4#H@vCkE<8YFKbq&Y2M0G
zZX@aNG^P%gi^3Vh=*?UeJtpmq6N{F8TxY>a_-oCe4jLN2gae+ryU<&_tds?2fQ~@C
z8AR4jn)8IZm~On^pe^}*>#YrE3T8D8<g<-v{knZKS?t}L&5etnr{m1jp)vCI6*E(d
zVT^LJz`XRYxc0F9I4b1G{q^9nQKjm*kI!?*acv{9k4inWSdiMlnh{P+O`*^!w8N5R
zb>D-1^92WcxT<SmB73u=Df3`wE$SV<WgbSKourou*4d<XtY34HRc~Iddb*<U{!DbP
zKSmvZf`)jmQ8#^eG2d}4hO*W}Fm@nh!+yK}$V{wOL5!~>xrYsdaWwlx=4!iJOT$dh
zA*wv{oi{}HYxq_EnCTZL{zTOrL+~2!uWv%N9Q7g%@20*=5pru3>Wr@;0%WMp#0$6v
zXoTw<V^cCec6;vI4a0iB>EVRyyuyMdY%#b$<)9kw7@{fu#&ee=cX=Cu(#&#U-R2W&
z@r~^9Jewk>baX|ims1CKd<gn$wdnLg_vH%HpMgCK=<vN~4a+YdcAH2rqh3N?YfRo!
z?p8}QQVOC9e}$y+eD0%^4(t$3=e}x-AXd(ms-$_HD2v-z=j#wQvx!<=&kw8!N2_i#
z%-9vrk7OQ%=F1Lv+T~ib9u3?s3}EimQf-HG8^zp6>9n;dTW~P})Br~OKI2NY+gfXu
zrmu52e`Slk3;@e^?m#4Tl;42mKeJ{YXBomhE;j5@OsO12?}e%l{W8Dr$gKu@TupBA
zX;m`XCDvH5uvQB-MDA$y?W|@1yYg{z7)+H7zj)K(a0L+41u%+Z7j%#2BaOIlKx%<*
zVqZ7<3Pv*Ye8TRyWA0{Yz11JYc_&_zzpXItJ=Vuz7NkzYo9cq^np$A}_JX0}b78Q1
z%NldfFL=Pe69*QL!;mahqu#~;PQ1?ynKed;QdW`{K-|r`rwFu$@~sNo8NtS@%TfE*
z;rIctoSB8!0y1nT6mg5~#8j=+IoRgqwb3W>DJ6v96F2@lU*#~Ni8-oF;nXV*tl$XG
zz3NE$c1`l^0{o70+Hs%I^ZUVGIbPXRK$h@`wIAcvjeN*O;{%?>Y^@e{XP>M<t{nsa
zizm_8Lz!Xe4rh<$mYY8iW-Ri)0AVBK<BR!7^g&hZ(d^=n^G^4LD$Ba&LJ`$e4YgUO
z1)mPj#bcJ7yg4Jj9|sW6^77|+QNB%grHx=wgPv7myrpN5_8}4x8`B7~jS!r1M!m*_
zDWrsaxpdkrvt68|->V>_*Ax*#_)TR-S#e-Cjuajrtea>ZoAG&iL)0{6LWm*OFv`nK
zPiE#ia|BKEfntUpe3es-(f@<BFA}&yz=VybQ&=<S6PlgM7MU&Jlepa!sv5V78Llx)
z;^`0dm|Z@^#w({I0=PZtt0zn%CeUc%a)&#xct}{J(tlT#%~fVp1t*R#u6t;GpvSlG
zrCoe(67?+wt%&@kC(H{{X7m*7vlSFYd*9npA)0S5FJqUy)O%^QlBdJr=r$mT=cu@D
z911ZGe5b$$so~PC{X!8Jxl<V89`Xv2rHYy*>vIAB<~@VzhfSo&$oFK?2K}L)bmjyw
zL=GX4bNL+svpDFmg+9CSn<9cbeF|y@Ql;wE*F)V<lV5Y%+32O?njdsZ*^X{!&h?bF
zMTi{E+*tiOqbj72v;46*avlGU%Ucl4=Q72?7)`9K_5BK<kEgI8OPj|#-zfoYTyNmd
zXe2jOwxjC{z;Tf?S0`2_@d`A?-5B`5KzOIZ9n?bapi>~#IFwNxSVEl@=$V49c~aUt
z7hb`<_Ffc<nfjwC(Tgcf&4PUr9Zcp(wc%uqDtW8QM$R*RK^mO7#}m@|ySF_;zd5kk
zUy~H(Qn4iVhFa~HA*n){2J4qi%T9%y+B@Y86{oGIF&;>cws3(wnX=ce5*Z8goX2I?
z%Z6;fZ!UrkM$$K`^$8U}eV*>3L)?Gh8-(j~v4nSm-JF61D1fLIp4HHp_wwTj>)3e`
zulO{Q>^u0+M0<AJ{Nf3=neteT2SR0rIkCMYSOjh>``EnE3fqE{8o!ln708qohY*Y(
zGWUPq_2&DC5F6z8N7LbLdB?EXO>RF)J?K6EtF*gJf}Z3akbpizxn7s}kRRGjMXdxn
zO39{19Q{O}%4cu6E<?nc6%Wo^JL4y1&$c5FRwrK77tXW~J`m;S*>3B@TEKml%_RkY
zVbX~<XrO<?*zA4Rj-BqN&#3KL(mAC9=b+<pK=p>3nM3Nam|5(RNH{bFco-ER_A-KR
z49sZDg#EdiQ*GaVoc$umPG_B$=Sw->7p*Lr&WI&J5^{6hfFz+7yHU0)oXakxo=L5j
z`?pFqUGm>_Ex<_5MonA{p=j|?;%Su#M~rjJt_OxZlE(n!?*)@)xAyOHAOLX&6%M#$
zTJ||v(?F=eemoNXBVrw=lX~LyX!veklM+OCzT8eIFV-p195hf5oWh|Ta|tcKh@rsk
z^NeWnq$K=2P}W2)XgExL#h&ObgMm7N<8K5?jGMso?B_6F6LXheRL`0IT{;p`kvyU6
ztf#R>t$#7|Xrhs{sDVUKpU;jQb(8hB2b8~)omHEed=(JdL)3fjo>ffnP8I1xSQ?tW
z;3>MQB2~wASXPR=6kTlr<5hZ4cb1lauaSI(X^g>WE>aI)aPxE(M)EcdH0X2x<Bb9L
zJD_@Du}GZE?!c1q=EJ=W@7vcR!8KK@9JYk&b#11W&wRbDv5A2PtaGAwfddmLmFO*l
zj)dhknV0fR#;~Jkl<gmy6VF}0IaQpdWz;L%u1l~Qc<|#;a4?<F6LNKzKaK9zDzohu
zfU4C}kx-)@$4lJo73xdSZMujXu*chnx2>u1t6zj5r~ay_iZSH%4ski^TV4k2cwpG*
ziX5Y)NsDqSP|YQj12JdAM6)H$GeD!SC6Z>m&95F+d<k$<j&44*;nSTaD9H+p$lbS;
zbdm6M=)!vS+Cmmy?aNAG=v;S|toYJt{#@8mb(s!_xP{Dj`eTiam%EeGn6P^`m0VC>
zZ0ggw(SJXipm%;a-}0Q-5O?5HB=Dt?vFyyM>k&yU-+XJ$v=0*pwRqwznF+^14m&kd
zDIzh49&<NC2H9ER2W}FlAZ8%rKS2-c1?VLj=^jNX$RK4G$q%aw>TV=^!S!;I7bpn?
z0rCEML!cm|Bcajp+~hc6IH{P${6RA`7s$#@#nE-NSfQQ}Tc2^}ET4Kp!+bX>m{4Qm
J<oVyI_aAIlS@r+`

literal 0
HcmV?d00001

diff --git a/go.mod b/go.mod
index b5b9d918d..afafbf2bf 100644
--- a/go.mod
+++ b/go.mod
@@ -93,4 +93,5 @@ require (
 	google.golang.org/protobuf v1.34.0 // indirect
 	gopkg.in/yaml.v2 v2.4.0 // indirect
 	gopkg.in/yaml.v3 v3.0.1 // indirect
+	software.sslmate.com/src/go-pkcs12 v0.4.0
 )
diff --git a/go.sum b/go.sum
index c5479c754..7a9fd25da 100644
--- a/go.sum
+++ b/go.sum
@@ -302,3 +302,5 @@ gopkg.in/yaml.v2 v2.4.0 h1:D8xgwECY7CYvx+Y2n4sBz93Jn9JRvxdiyyo8CTfuKaY=
 gopkg.in/yaml.v2 v2.4.0/go.mod h1:RDklbk79AGWmwhnvt/jBztapEOGDOx6ZbXqjP6csGnQ=
 gopkg.in/yaml.v3 v3.0.1 h1:fxVm/GzAzEWqLHuvctI91KS9hhNmmWOoWu0XTYJS7CA=
 gopkg.in/yaml.v3 v3.0.1/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM=
+software.sslmate.com/src/go-pkcs12 v0.4.0 h1:H2g08FrTvSFKUj+D309j1DPfk5APnIdAQAB8aEykJ5k=
+software.sslmate.com/src/go-pkcs12 v0.4.0/go.mod h1:Qiz0EyvDRJjjxGyUQa2cCNZn/wMyzrRJ/qcDXOQazLI=
diff --git a/internal/powerplatform/api/auth.go b/internal/powerplatform/api/auth.go
index b12e5dfab..5d79c9df9 100644
--- a/internal/powerplatform/api/auth.go
+++ b/internal/powerplatform/api/auth.go
@@ -21,6 +21,7 @@ import (
 	"github.com/Azure/azure-sdk-for-go/sdk/azidentity"
 	"github.com/hashicorp/terraform-plugin-log/tflog"
 	config "github.com/microsoft/terraform-provider-power-platform/internal/powerplatform/config"
+	helpers "github.com/microsoft/terraform-provider-power-platform/internal/powerplatform/helpers"
 )
 
 type TokenExpiredError struct {
@@ -59,9 +60,32 @@ func NewAuthBase(config *config.ProviderConfig) *Auth {
 	}
 }
 
-// func (client *Auth) GetAuthority(tenantid string) string {
-// 	return constants.OAUTH_AUTHORITY_URL + tenantid
-// }
+func (client *Auth) AuthenticateClientCertificate(ctx context.Context, scopes []string) (string, time.Time, error) {
+
+	cert, key, err := helpers.ConvertBase64ToCert(client.config.Credentials.ClientCertificateRaw, client.config.Credentials.ClientCertificatePassword)
+	if err != nil {
+		return "", time.Time{}, err
+	}
+
+	azureCertCredentials, err := azidentity.NewClientCertificateCredential(
+		client.config.Credentials.TenantId,
+		client.config.Credentials.ClientId,
+		cert,
+		key,
+		&azidentity.ClientCertificateCredentialOptions{
+			ClientOptions: azcore.ClientOptions{
+				Cloud: client.config.Cloud,
+			},
+		},
+	)
+	accessToken, err := azureCertCredentials.GetToken(ctx, policy.TokenRequestOptions{
+		Scopes: scopes,
+	})
+	if err != nil {
+		return "", time.Time{}, err
+	}
+	return accessToken.Token, accessToken.ExpiresOn, nil
+}
 
 func (client *Auth) AuthenticateUsingCli(ctx context.Context, scopes []string) (string, time.Time, error) {
 	azureCLICredentials, err := azidentity.NewAzureCLICredential(nil)
@@ -259,7 +283,8 @@ func (client *Auth) GetTokenForScopes(ctx context.Context, scopes []string) (*st
 		token, tokenExpiry, err = client.AuthenticateUsingCli(ctx, scopes)
 	case client.config.Credentials.IsOidcProvided():
 		token, tokenExpiry, err = client.AuthenticateOIDC(ctx, scopes)
-
+	case client.config.Credentials.IsClientCertificateCredentialsProvided():
+		token, tokenExpiry, err = client.AuthenticateClientCertificate(ctx, scopes)
 	default:
 		return nil, errors.New("no credentials provided")
 	}
diff --git a/internal/powerplatform/config/config.go b/internal/powerplatform/config/config.go
index 6e8ddc677..a85ea2a71 100644
--- a/internal/powerplatform/config/config.go
+++ b/internal/powerplatform/config/config.go
@@ -32,12 +32,31 @@ type ProviderCredentials struct {
 	ClientId     string
 	ClientSecret string
 
+	ClientCertificatePassword string
+	ClientCertificateRaw      string
+
 	OidcRequestToken  string
 	OidcRequestUrl    string
 	OidcToken         string
 	OidcTokenFilePath string
 }
 
+func (model *ProviderCredentials) IsClientSecretCredentialsProvided() bool {
+	return model.ClientId != "" && model.ClientSecret != "" && model.TenantId != ""
+}
+
+func (model *ProviderCredentials) IsClientCertificateCredentialsProvided() bool {
+	return model.ClientCertificateRaw != ""
+}
+
+func (model *ProviderCredentials) IsCliProvided() bool {
+	return model.UseCli
+}
+
+func (model *ProviderCredentials) IsOidcProvided() bool {
+	return model.UseOidc
+}
+
 type ProviderCredentialsModel struct {
 	UseCli  types.Bool `tfsdk:"use_cli"`
 	UseOidc types.Bool `tfsdk:"use_oidc"`
@@ -49,24 +68,12 @@ type ProviderCredentialsModel struct {
 	ClientId     types.String `tfsdk:"client_id"`
 	ClientSecret types.String `tfsdk:"client_secret"`
 
+	ClientCertificateFilePath types.String `tfsdk:"client_certificate_file_path"`
+	ClientCertificate         types.String `tfsdk:"client_certificate"`
+	ClientCertificatePassword types.String `tfsdk:"client_certificate_password"`
+
 	OidcRequestToken  types.String `tfsdk:"oidc_request_token"`
 	OidcRequestUrl    types.String `tfsdk:"oidc_request_url"`
 	OidcToken         types.String `tfsdk:"oidc_token"`
 	OidcTokenFilePath types.String `tfsdk:"oidc_token_file_path"`
 }
-
-// func (model *ProviderCredentials) IsTelemetryOprout() bool {
-// 	return model.TelemetryOptout
-// }
-
-func (model *ProviderCredentials) IsClientSecretCredentialsProvided() bool {
-	return model.ClientId != "" && model.ClientSecret != "" && model.TenantId != ""
-}
-
-func (model *ProviderCredentials) IsCliProvided() bool {
-	return model.UseCli
-}
-
-func (model *ProviderCredentials) IsOidcProvided() bool {
-	return model.UseOidc
-}
diff --git a/internal/powerplatform/helpers/cert.go b/internal/powerplatform/helpers/cert.go
new file mode 100644
index 000000000..6abfb2746
--- /dev/null
+++ b/internal/powerplatform/helpers/cert.go
@@ -0,0 +1,75 @@
+// Copyright (c) Microsoft Corporation.
+// Licensed under the MIT license.
+
+package powerplatform_helpers
+
+import (
+	"crypto"
+	"crypto/x509"
+	"encoding/base64"
+	"errors"
+	"fmt"
+	"os"
+	"strings"
+
+	pkcs12 "software.sslmate.com/src/go-pkcs12"
+)
+
+func GetCertificateRawFromCertOrFilePath(certificate, certificateFilePath string) (string, error) {
+	if certificate != "" {
+		return strings.TrimSpace(certificate), nil
+	}
+	if certificateFilePath != "" {
+		pfx, err := os.ReadFile(certificateFilePath)
+		if err != nil {
+			return "", err
+		}
+		certAsBase64 := base64.StdEncoding.EncodeToString(pfx)
+		return strings.TrimSpace(certAsBase64), nil
+	}
+	return "", errors.New("either client_certificate base64 or certificate_file_path must be provided")
+}
+
+func ConvertBase64ToCert(b64, password string) ([]*x509.Certificate, crypto.PrivateKey, error) {
+	pfx, err := convertBase64ToByte(b64)
+	if err != nil {
+		return nil, nil, err
+	}
+
+	certs, key, err := convertByteToCert(pfx, password)
+	if err != nil {
+		return nil, nil, err
+	}
+
+	return certs, key, nil
+}
+
+func convertBase64ToByte(b64 string) ([]byte, error) {
+	if b64 == "" {
+		return nil, errors.New("got empty base64 certificate data")
+	}
+
+	pfx, err := base64.StdEncoding.DecodeString(b64)
+	if err != nil {
+		return pfx, fmt.Errorf("could not decode base64 certificate data: %w", err)
+	}
+
+	return pfx, nil
+}
+
+func convertByteToCert(certData []byte, password string) ([]*x509.Certificate, crypto.PrivateKey, error) {
+	var key crypto.PrivateKey
+
+	key, cert, _, err := pkcs12.DecodeChain(certData, password)
+	if err != nil {
+		return nil, nil, err
+	}
+
+	if cert == nil {
+		return nil, nil, errors.New("found no certificate")
+	}
+
+	certs := []*x509.Certificate{cert}
+
+	return certs, key, nil
+}
diff --git a/internal/powerplatform/provider.go b/internal/powerplatform/provider.go
index bf3454ed9..be70f147d 100644
--- a/internal/powerplatform/provider.go
+++ b/internal/powerplatform/provider.go
@@ -5,7 +5,9 @@ package powerplatform
 
 import (
 	"context"
+	"fmt"
 	"os"
+	"regexp"
 
 	azcloud "github.com/Azure/azure-sdk-for-go/sdk/azcore/cloud"
 	"github.com/hashicorp/terraform-plugin-framework/datasource"
@@ -17,6 +19,7 @@ import (
 	constants "github.com/microsoft/terraform-provider-power-platform/constants"
 	api "github.com/microsoft/terraform-provider-power-platform/internal/powerplatform/api"
 	config "github.com/microsoft/terraform-provider-power-platform/internal/powerplatform/config"
+	helpers "github.com/microsoft/terraform-provider-power-platform/internal/powerplatform/helpers"
 	application "github.com/microsoft/terraform-provider-power-platform/internal/powerplatform/services/application"
 	auth "github.com/microsoft/terraform-provider-power-platform/internal/powerplatform/services/authorization"
 	connectors "github.com/microsoft/terraform-provider-power-platform/internal/powerplatform/services/connectors"
@@ -104,6 +107,20 @@ func (p *PowerPlatformProvider) Schema(ctx context.Context, req provider.SchemaR
 				Optional:            true,
 				Sensitive:           true,
 			},
+			"client_certificate": schema.StringAttribute{
+				MarkdownDescription: "Base64 encoded PKCS#12 certificate bundle. For use when authenticating as a Service Principal using a Client Certificate.",
+				Optional:            true,
+				Sensitive:           true,
+			},
+			"client_certificate_file_path": schema.StringAttribute{
+				MarkdownDescription: "The path to the Client Certificate associated with the Service Principal for use when authenticating as a Service Principal using a Client Certificate.",
+				Optional:            true,
+			},
+			"client_certificate_password": schema.StringAttribute{
+				MarkdownDescription: "The password associated with the Client Certificate. For use when authenticating as a Service Principal using a Client Certificate.",
+				Optional:            true,
+				Sensitive:           true,
+			},
 			"use_oidc": schema.BoolAttribute{
 				Description:         "Allow OpenID Connect to be used for authentication",
 				MarkdownDescription: "Allow OpenID Connect to be used for authentication",
@@ -198,6 +215,30 @@ func (p *PowerPlatformProvider) Configure(ctx context.Context, req provider.Conf
 		useCli = config.UseCli.ValueBool()
 	}
 
+	clientCertificate := ""
+	envClientCertificate := os.Getenv("POWER_PLATFORM_CLIENT_CERTIFICATE")
+	if config.ClientCertificate.IsNull() {
+		clientCertificate = envClientCertificate
+	} else {
+		clientCertificate = config.ClientCertificate.ValueString()
+	}
+
+	clientCertificateFilePath := ""
+	envClientCertificateFilePath := os.Getenv("POWER_PLATFORM_CLIENT_CERTIFICATE_FILE_PATH")
+	if config.ClientCertificateFilePath.IsNull() {
+		clientCertificateFilePath = envClientCertificateFilePath
+	} else {
+		clientCertificateFilePath = config.ClientCertificateFilePath.ValueString()
+	}
+
+	clientCertificatePassword := ""
+	envClientCertificatePassword := os.Getenv("POWER_PLATFORM_CLIENT_CERTIFICATE_PASSWORD")
+	if config.ClientCertificatePassword.IsNull() {
+		clientCertificatePassword = envClientCertificatePassword
+	} else {
+		clientCertificatePassword = config.ClientCertificatePassword.ValueString()
+	}
+
 	//Check for AzDO and GitHub environment variables
 	oidcRequestUrl := ""
 	envOidcRequestUrl := MultiEnvDefaultFunc([]string{"ARM_OIDC_REQUEST_URL", "ACTIONS_ID_TOKEN_REQUEST_URL"})
@@ -231,18 +272,25 @@ func (p *PowerPlatformProvider) Configure(ctx context.Context, req provider.Conf
 		oidcTokenFilePath = config.OidcTokenFilePath.ValueString()
 	}
 
+	ctx = tflog.SetField(ctx, "telemetry_optout", config.TelemetryOptout.ValueBool())
 	ctx = tflog.SetField(ctx, "use_oidc", useOidc)
 	ctx = tflog.SetField(ctx, "use_cli", useCli)
 	ctx = tflog.SetField(ctx, "cloud", cloud)
+
 	ctx = tflog.SetField(ctx, "power_platform_tenant_id", tenantId)
 	ctx = tflog.SetField(ctx, "power_platform_client_id", clientId)
 	ctx = tflog.SetField(ctx, "power_platform_client_secret", clientSecret)
+	ctx = tflog.MaskFieldValuesWithFieldKeys(ctx, "power_platform_client_secret")
+
+	ctx = tflog.SetField(ctx, "client_certificate_file_path", clientCertificateFilePath)
+	ctx = tflog.SetField(ctx, "client_certificate", clientCertificate)
+	ctx = tflog.SetField(ctx, "client_certificate_password", clientCertificatePassword)
+	ctx = tflog.MaskAllFieldValuesRegexes(ctx, regexp.MustCompile(`(?i)client_certificate`))
+
 	ctx = tflog.SetField(ctx, "oidc_request_url", oidcRequestUrl)
 	ctx = tflog.SetField(ctx, "oidc_request_token", oidcRequestToken)
 	ctx = tflog.SetField(ctx, "oidc_token", oidcToken)
 	ctx = tflog.SetField(ctx, "oidc_token_file_path", oidcTokenFilePath)
-	ctx = tflog.SetField(ctx, "telemetry_optout", config.TelemetryOptout.ValueBool())
-	ctx = tflog.MaskFieldValuesWithFieldKeys(ctx, "power_platform_client_secret")
 	ctx = tflog.MaskFieldValuesWithFieldKeys(ctx, "oidc_request_token")
 	ctx = tflog.MaskFieldValuesWithFieldKeys(ctx, "oidc_token")
 	ctx = tflog.MaskFieldValuesWithFieldKeys(ctx, "oidc_token_file_path")
@@ -250,6 +298,9 @@ func (p *PowerPlatformProvider) Configure(ctx context.Context, req provider.Conf
 	if config.UseCli.ValueBool() {
 		p.Config.Credentials.UseCli = true
 	} else if config.UseOidc.ValueBool() {
+		ValidateProviderAttribute(resp, path.Root("tenant_id"), "tenant id", tenantId, "POWER_PLATFORM_TENANT_ID")
+		ValidateProviderAttribute(resp, path.Root("client_id"), "client id", clientId, "POWER_PLATFORM_CLIENT_ID")
+
 		p.Config.Credentials.UseOidc = true
 		p.Config.Credentials.TenantId = tenantId
 		p.Config.Credentials.ClientId = clientId
@@ -257,38 +308,27 @@ func (p *PowerPlatformProvider) Configure(ctx context.Context, req provider.Conf
 		p.Config.Credentials.OidcRequestUrl = oidcRequestUrl
 		p.Config.Credentials.OidcToken = oidcToken
 		p.Config.Credentials.OidcTokenFilePath = oidcTokenFilePath
+	} else if clientCertificatePassword != "" && (clientCertificate != "" || clientCertificateFilePath != "") {
+		ValidateProviderAttribute(resp, path.Root("tenant_id"), "tenant id", tenantId, "POWER_PLATFORM_TENANT_ID")
+		ValidateProviderAttribute(resp, path.Root("client_id"), "client id", clientId, "POWER_PLATFORM_CLIENT_ID")
 
+		cert, err := helpers.GetCertificateRawFromCertOrFilePath(clientCertificate, clientCertificateFilePath)
+		if err != nil {
+			resp.Diagnostics.AddAttributeError(path.Root("client_certificate"), "Error getting certificate", err.Error())
+		}
+		p.Config.Credentials.ClientCertificateRaw = cert
+		p.Config.Credentials.ClientCertificatePassword = clientCertificatePassword
+		p.Config.Credentials.TenantId = tenantId
+		p.Config.Credentials.ClientId = clientId
 	} else {
-
-		if clientId != "" && clientSecret != "" && tenantId != "" {
+		if tenantId != "" && clientId != "" && clientSecret != "" {
 			p.Config.Credentials.TenantId = tenantId
 			p.Config.Credentials.ClientId = clientId
 			p.Config.Credentials.ClientSecret = clientSecret
 		} else {
-			if tenantId == "" {
-				resp.Diagnostics.AddAttributeError(
-					path.Root("tenant_id"),
-					"Unknown API tenant id",
-					"The provider cannot create the API client as there is an unknown configuration value for the tenant id. "+
-						"Either target apply the source of the value first, set the value statically in the configuration, or use the POWER_PLATFORM_TENANT_ID environment variable.",
-				)
-			}
-			if clientId == "" {
-				resp.Diagnostics.AddAttributeError(
-					path.Root("client_id"),
-					"Unknown client id",
-					"The provider cannot create the API client as there is an unknown configuration value for the client id. "+
-						"Either target apply the source of the value first, set the value statically in the configuration, or use the POWER_PLATFORM_CLIENT_ID environment variable.",
-				)
-			}
-			if clientSecret == "" {
-				resp.Diagnostics.AddAttributeError(
-					path.Root("client_secret"),
-					"Unknown client secret",
-					"The provider cannot create the API client as there is an unknown configuration value for the client secret. "+
-						"Either target apply the source of the value first, set the value statically in the configuration, or use the POWER_PLATFORM_CLIENT_SECRET environment variable.",
-				)
-			}
+			ValidateProviderAttribute(resp, path.Root("tenant_id"), "tenant id", tenantId, "POWER_PLATFORM_TENANT_ID")
+			ValidateProviderAttribute(resp, path.Root("client_id"), "client id", clientId, "POWER_PLATFORM_CLIENT_ID")
+			ValidateProviderAttribute(resp, path.Root("client_secret"), "client secret", clientSecret, "POWER_PLATFORM_CLIENT_SECRET")
 		}
 	}
 
@@ -409,6 +449,21 @@ func (p *PowerPlatformProvider) DataSources(ctx context.Context) []func() dataso
 	}
 }
 
+func ValidateProviderAttribute(resp *provider.ConfigureResponse, path path.Path, name, value string, environmentVariableName string) {
+
+	environmentVariableText := "Target apply the source of the value first, set the value statically in the configuration."
+	if environmentVariableName != "" {
+		environmentVariableText = fmt.Sprintf("Either target apply the source of the value first, set the value statically in the configuration, or use the %s environment variable.", environmentVariableName)
+	}
+
+	if value == "" {
+		resp.Diagnostics.AddAttributeError(
+			path,
+			fmt.Sprintf("Unknown %s", name),
+			fmt.Sprintf("The provider cannot create the API client as there is an unknown configuration value for %s. %s", name, environmentVariableText))
+	}
+}
+
 //TODO figure out how to return these defaultfuncs to their former interface-based glory
 
 // MultiEnvDefaultFunc is a helper function that returns the value of the first
diff --git a/templates/index.md.tmpl b/templates/index.md.tmpl
index 1939488d8..2bcc51e81 100644
--- a/templates/index.md.tmpl
+++ b/templates/index.md.tmpl
@@ -84,6 +84,7 @@ provider "powerplatform" {
 ```
 
 Additional Resources about OIDC:
+
 * [OpenID Connect authentication with Microsoft Entra ID](https://learn.microsoft.com/entra/architecture/auth-oidc)
 * [Configuring OpenID Connect for GitHub and Microsoft Entra ID](https://docs.github.com/en/actions/deployment/security-hardening-your-deployments/configuring-openid-connect-in-azure)
 
@@ -95,6 +96,49 @@ The Power Platform provider can use a Service Principal with Client Secret to au
 1. [Register your app registration with Power Platform](https://learn.microsoft.com/power-platform/admin/powerplatform-api-create-service-principal#registering-an-admin-management-application)
 1. Configure the provider to use a Service Principal with a Client Secret with either environment variables or using Terraform variables
 
+### Authenticating to Power Platfomr using Service Principal and certificate
+
+1. [Create an app registration for the Power Platform Terraform Provider](guides/app_registration.md)
+1. [Register your app registration with Power Platform](https://learn.microsoft.com/power-platform/admin/powerplatform-api-create-service-principal#registering-an-admin-management-application)
+1. Generate a certificate using openssl or other tools
+
+```bash
+openssl req -x509 -newkey rsa:4096 -keyout key.pem -out cert.pem -sha256 -days 365
+```
+
+4. Merge public and private part of the certificate files together
+
+Using linux shell
+
+```bash
+cat *.pem > cert+key.pem
+```
+
+Using Powershell
+
+```powershell
+Get-Content .\cert.pem, .\key.pem | Set-Content cert+key.pem
+```
+
+5. Generate pkcs12 file
+
+```bash
+openssl pkcs12 -export -out cert.pkcs12 -in cert+key.pem
+```
+
+6. Add public part of the certificate (`cert.pem` file) to the app registration
+7. Store your key.pem and the password used to generate in a safe place
+8. Configure the provider to use certificate with the following code:
+
+```terraform
+provider "powerplatform" {
+  client_id     = var.client_id
+  tenant_id     = var.tenant_id
+  client_certificate_file_path = "${path.cwd}/cert.pkcs12"
+  client_certificate_password  = var.cert_pass
+}
+```
+
 #### Using Environment Variables
 
 We recomend using Environment Variables to pass the credentials to the provider.
@@ -104,12 +148,18 @@ We recomend using Environment Variables to pass the credentials to the provider.
 | `POWER_PLATFORM_CLIENT_ID` | The service principal client id | |
 | `POWER_PLATFORM_CLIENT_SECRET` | The service principal secret | |
 | `POWER_PLATFORM_TENANT_ID` | The guid of the tenant | |
+| `POWER_PLATFORM_CLOUD` | override for the cloud used (default is `public`) | |
+| `POWER_PLATFORM_USE_OIDC` | if set to `true` then OIDC authentication will be used | |
+| `POWER_PLATFORM_USE_CLI` | if set to `true` then Azure CLI authentication will be used | |
+| `POWER_PLATFORM_CLIENT_CERTIFICATE` | The Base64 format of your certificate that will be used to certificate based authentication | |
+| `POWER_PLATFORM_CLIENT_CERTIFICATE_FILE_PATH` | The path to the certificate that will be used to certificate based authentication | |
+| `POWER_PLATFORM_CLIENT_CERTIFICATE_PASSWORD` | Password for the provider certificate | |
 
 -> Variables passed into the provider will override the environment variables.
 
 #### Using Terraform Variables
 
-Alternatively, you can configure the provider using variables in your Terraform configuration which can be passed in via [command line parameters](https://developer.hashicorp.com/terraform/language/values/variables#variables-on-the-command-line), [a `*.tfvars` file](https://developer.hashicorp.com/terraform/language/values/variables#variable-definitions-tfvars-files), or [environment variables](https://developer.hashicorp.com/terraform/language/values/variables#environment-variables).  If you choose to use variables, please be sure to [protect sensitive input variables](https://developer.hashicorp.com/terraform/tutorials/configuration-language/sensitive-variables) so that you do not expose your credentials in your Terraform configuration. 
+Alternatively, you can configure the provider using variables in your Terraform configuration which can be passed in via [command line parameters](https://developer.hashicorp.com/terraform/language/values/variables#variables-on-the-command-line), [a `*.tfvars` file](https://developer.hashicorp.com/terraform/language/values/variables#variable-definitions-tfvars-files), or [environment variables](https://developer.hashicorp.com/terraform/language/values/variables#environment-variables).  If you choose to use variables, please be sure to [protect sensitive input variables](https://developer.hashicorp.com/terraform/tutorials/configuration-language/sensitive-variables) so that you do not expose your credentials in your Terraform configuration.
 
 ```terraform
 provider "powerplatform" {
@@ -132,7 +182,7 @@ In addition to the authentication options, the following options are also suppor
 
 Use the navigation to the left to read about the available resources and data sources.
 
-!> By calling `terraform destroy` all the resources, that you've created, will be deleted permamently deleted. Please be careful with this command when working with production environments. You can use [prevent-destory](https://developer.hashicorp.com/terraform/language/meta-arguments/lifecycle#prevent_destroy) lifecycle argument in your resources to prevent accidental deletion.  
+!> By calling `terraform destroy` all the resources, that you've created, will be deleted permamently deleted. Please be careful with this command when working with production environments. You can use [prevent-destroy](https://developer.hashicorp.com/terraform/language/meta-arguments/lifecycle#prevent_destroy) lifecycle argument in your resources to prevent accidental deletion.  
 
 ## Examples