Trying to connect to azuread with SPN using cert and only do AAD only activity (like group management)

I have a simple that is attempting to create a new group in azure AD with an SPN and cert authentication. I’m not a hard core terraform, but have worked with in the past using SPNs and secrets. Here is my

terraform {
required_providers {
azuread = {
source = “hashicorp/azuread”
version = “1.5.0”

provider “azuread” {

resource “azuread_group” “example” {
display_name = “zztstgrp01”

But I get the following error:

│ Error: getting authenticated object ID: adal: Refresh request failed. Status Code = ‘401’. Response body: {“error”:“invalid_client”,“error_description”:“AADSTS700027: Client assertion contains an invalid signature. [Reason - The key was not found., Thumbprint of key used by client: ‘88B00441D9B54F0A5726334A9FF9303D7B2B0DF5’, Please visit the Azure Portal, Graph Explorer or directly use MS Graph to see configured keys for app Id ‘00c6b0f7-0fc7-466c-a696-8dbb32762894’. Review the documentation at National cloud deployments - Microsoft Graph | Microsoft Docs to determine the corresponding service endpoint and Get application - Microsoft Graph v1.0 | Microsoft Docs to build a query request URL, such as ‘’]\r\nTrace ID: 28416850-550a-4e39-bb18-2defa2485300\r\nCorrelation ID: 5f848b92-853b-46da-9a51-46fc29557283\r\nTimestamp: 2021-07-30 02:53:47Z”,“error_codes”:[700027],“timestamp”:“2021-07-30 02:53:47Z”,“trace_id”:“28416850-550a-4e39-bb18-2defa2485300”,“correlation_id”:“5f848b92-853b-46da-9a51-46fc29557283”,“error_uri”:“”} Endpoint Sign in to your account

Can somebody please give me an example URL or tell me what I’m going wrong or missing. I should add that I’m running under powershell and I’ve set:

I do not have a client cert password, so I did not set.

Thank you,