Public/Add-MoDCredentials.ps1

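function Add-MoDCredentials {
    <#
    .SYNOPSIS
    Registers a password or certificate credential with the selected provider.

    .DESCRIPTION
    For -Type 'Certificate' the certificate is resolved from -MyCertificate:
    the string 'New' creates a self-signed client-authentication certificate
    in the current user's personal store, any other string is handed to
    Select-Certificate as a thumbprint, and an X509Certificate object is used
    as-is. The resolved certificate (or $null for -Type 'Password') is passed
    to Add-EntraMfaCredentials.

    .PARAMETER Provider
    Credential provider. Only 'EntraId' is accepted.

    .PARAMETER TenantId
    Tenant identifier passed to the provider; also used as the CN of a newly
    created self-signed certificate.

    .PARAMETER Type
    'Password' or 'Certificate'.

    .PARAMETER MyCertificate
    Required with -Type 'Certificate'. Accepts 'New', a thumbprint string, or
    an X509Certificate object. Accepts pipeline input.

    .OUTPUTS
    For 'Password': whatever Add-EntraMfaCredentials returns.
    For 'Certificate': the thumbprint of the certificate that was used.
    Nothing is returned when an error or the missing-certificate warning occurs.
    #>
    [CmdletBinding()]
    param (
        [Parameter(Mandatory = $true)]
        [ValidateSet("EntraId")]
        [string] $Provider,
        [Parameter(Mandatory = $true)]
        [string] $TenantId,
        [Parameter(Mandatory = $true, ParameterSetName='Type')]
        [ValidateSet("Password","Certificate")]
        [string] $Type,
        [Parameter(Mandatory=$false, ValueFromPipeline=$true)]
        [PSObject]$MyCertificate
    )

    process {
        # The process block runs once per pipeline item and local variables
        # survive between runs. Reset $cert so a certificate resolved for an
        # earlier item can never be registered for a later one.
        $cert = $null

        try {
            if ($Type -eq "Certificate") {
                if ($null -eq $MyCertificate) {
                    Write-Warning "With -Type 'Certificate' -MyCertificate [?|New|X509Certificate|X509Certificate.Thumbprint] is required"
                    return
                }

                if ($MyCertificate -is [string]) {
                    if ($MyCertificate -eq "New") {
                        $ou = $MyInvocation.MyCommand.Module.Name
                        # Self-signed RSA-2048/SHA-256 certificate, valid two years,
                        # EKU restricted to client authentication (1.3.6.1.5.5.7.3.2).
                        # NOTE(review): KeyExportPolicy is not set, so the cmdlet default
                        # applies and the private key may be exportable from the user
                        # store - confirm whether 'NonExportable' is acceptable here.
                        $certArgs = @{
                            Subject = "CN=$TenantId, OU=$ou"
                            CertStoreLocation = 'Cert:\\CurrentUser\\My'
                            KeyAlgorithm = 'RSA'
                            KeyLength = 2048
                            HashAlgorithm = "SHA256"
                            NotAfter = (Get-Date).AddYears(2).ToUniversalTime()
                            TextExtension = @("2.5.29.37={text}1.3.6.1.5.5.7.3.2")
                            KeyUsage = "None"
                            FriendlyName = $ou
                        }
                        $cert = New-SelfSignedCertificate @certArgs
                    }
                    else {
                        # Any other string is treated as a thumbprint selector.
                        $cert = Select-Certificate -CertificateThumbprint $MyCertificate
                        if ($cert -isnot [System.Security.Cryptography.X509Certificates.X509Certificate]) {
                            throw "Failed to get X509Certificate"
                        }
                    }
                }
                elseif ($MyCertificate -is [System.Security.Cryptography.X509Certificates.X509Certificate]) {
                    $cert = $MyCertificate
                }
                else {
                    # Fail closed: an unsupported input type must not fall through
                    # and register a credential without a certificate.
                    throw "Unsupported -MyCertificate value of type '$($MyCertificate.GetType().FullName)'; expected 'New', a thumbprint string or an X509Certificate"
                }
            }

            switch ($Provider) {
                "EntraId" {
                    $secret = Add-EntraMfaCredentials -TenantId $TenantId -Type $Type -Certificate $cert
                    # Wait a few seconds for the cloud side to sync before returning,
                    # so pipelines such as Add-Credential | Invoke-Mfa work.
                    Start-Sleep -Seconds 5
                    if ($Type -eq "Password") {
                        # NOTE(review): presumably a plaintext secret - callers should
                        # keep it out of transcripts and logs; confirm what
                        # Add-EntraMfaCredentials returns.
                        return $secret
                    }
                    else {
                        return $cert.Thumbprint
                    }
                }
            }
        }
        catch {
            Write-Error $_.Exception.Message
            return
        }
    }
}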