Application Management certificates frequently asked questions

This page answers frequently asked questions about managing the certificates for apps using Microsoft Entra ID as an Identity Provider (IdP).

Is there a way to generate a list of expiring SAML signing certificates?

You can use PowerShell scripts to export all app registrations in your directory that have expiring secrets or certificates, together with their owners, to a CSV file.

How can I automate the certificates expiration notifications?

Microsoft Entra ID sends an email notification 60, 30, and 7 days before the SAML certificate expires. You can add more than one email address to receive these notifications.

Note

You can add up to five email addresses to the Notification list (including the email address of the admin who added the application). If more people need to be notified, use distribution list email addresses.

These email notifications, which are sent from aadnotification@microsoft.com, can't be edited or customized. However, you can export app registrations with expiring secrets and certificates through PowerShell scripts and build your own notifications on that output.
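The PowerShell export mentioned in the two answers above, as an added example that is not from the original page or from Microsoft: it lists every app registration whose certificate or client secret expires within a threshold, adds the owners' user principal names, and writes the result to CSV. It assumes the Microsoft Graph PowerShell SDK is installed and the signed-in account has the Application.Read.All permission; the 30-day threshold and the output path are assumed defaults.

```powershell
# Added example (not from the original page). Export app registrations whose
# certificates (KeyCredentials) or secrets (PasswordCredentials) expire within
# $DaysAhead days, including owner UPNs, to a CSV file.
# Assumes the Microsoft Graph PowerShell SDK and Application.Read.All permission.
param(
    [int]$DaysAhead = 30,                                 # assumed default threshold
    [string]$OutFile = ".\ExpiringAppCredentials.csv"     # assumed output path
)

Connect-MgGraph -Scopes "Application.Read.All"

$now    = (Get-Date).ToUniversalTime()
$cutoff = $now.AddDays($DaysAhead)

$rows = foreach ($app in Get-MgApplication -All -Property Id,AppId,DisplayName,KeyCredentials,PasswordCredentials) {
    # Normalize both credential types into one shape; both carry an EndDateTime.
    $creds = @()
    $creds += $app.KeyCredentials      | ForEach-Object { [pscustomobject]@{ Kind = 'Certificate'; Id = $_.KeyId; Name = $_.DisplayName; Ends = $_.EndDateTime } }
    $creds += $app.PasswordCredentials | ForEach-Object { [pscustomobject]@{ Kind = 'Secret';      Id = $_.KeyId; Name = $_.DisplayName; Ends = $_.EndDateTime } }

    # Keep already-expired credentials too: they are the ones most often missed.
    $expiring = $creds | Where-Object { $_.Ends -and $_.Ends -le $cutoff }
    if (-not $expiring) { continue }

    # Owners come back as directory objects; user UPNs sit in AdditionalProperties.
    $owners = (Get-MgApplicationOwner -ApplicationId $app.Id -All |
        ForEach-Object { $_.AdditionalProperties.userPrincipalName } |
        Where-Object { $_ }) -join ';'

    foreach ($c in $expiring) {
        [pscustomobject]@{
            AppDisplayName = $app.DisplayName
            AppId          = $app.AppId
            CredentialType = $c.Kind
            CredentialName = $c.Name
            KeyId          = $c.Id
            ExpiresUtc     = $c.Ends.ToString('u')
            DaysRemaining  = [math]::Floor(($c.Ends - $now).TotalDays)
            Expired        = $c.Ends -lt $now
            Owners         = if ($owners) { $owners } else { '(no owner)' }
        }
    }
}

$rows | Sort-Object ExpiresUtc | Export-Csv -Path $OutFile -NoTypeInformation -Encoding UTF8
Write-Host "Wrote $(@($rows).Count) expiring credential(s) to $OutFile"
```

Rows with `(no owner)` deserve attention first, because nobody receives the built-in expiry emails for an app that has no owner.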

Who can update the certificates?

The owner of the application or an Application Administrator can update the certificates through the Microsoft Entra admin center UI, PowerShell, or Microsoft Graph.

What is Microsoft Entra ID signing key rollover?

You can find more details here.

How do I renew an application token encryption certificate?

To renew an application token encryption certificate, see How to renew a token encryption certificate for an enterprise application.

How do I update Microsoft Entra ID after changing my federation certificates?

To update Microsoft Entra ID after changing your federation certificates, see Renew federation certificates for Microsoft 365 and Microsoft Entra ID.