If a certificate tied to a Microsoft Entra ID App Registration, service principal, or SAML-based SSO integration expires, authentication fails immediately. Apps stop working, automation scripts break, and users cannot sign in. This guide shows you exactly how to renew expired Azure certificates, update every dependent service, and prevent it from happening again.

Why Certificates Are Critical for Azure App Authentication
Azure relies on certificates to:
- Securely authenticate applications and service principals
- Enable SAML-based Single Sign-On (SSO) with services like Salesforce, AWS, or ServiceNow
- Sign and encrypt tokens in federation scenarios such as ADFS
When a certificate expires, Azure can no longer issue or validate tokens. This breaks user sign-ins, background jobs, CI/CD pipelines, and API access.
Common Errors Caused by Expired Azure Certificates
Expired certificates often surface as authentication errors, including:
- AADSTS700027 – Client assertion contains an expired certificate
- AADSTS50058 – Silent sign-in request failed (session expired or no active session)
- SAML authentication failed due to invalid signing certificate
- Token signature validation failed in federation or API scenarios
If these appear suddenly, always check certificate expiry first.
Step 1: Identify the Expired Certificate
- Sign in to the Azure portal
- Go to Microsoft Entra ID
- Open App registrations or Enterprise applications
- Select the affected application
- Navigate to Certificates & secrets
- Review the certificate list and check expiration dates
Replace any expired or near-expiry certificate immediately.
Step 2: Generate a New Certificate
You can use either a self-signed certificate (testing or internal use) or a CA-issued certificate (recommended for production).
Option A: Create a Self-Signed Certificate (Windows)
The New-SelfSignedCertificate cmdlet generates a certificate directly in your Windows certificate store:
New-SelfSignedCertificate `
-Subject "CN=AppName" `
-CertStoreLocation "Cert:\CurrentUser\My" `
-KeyExportPolicy Exportable `
-KeySpec SignatureExport the certificate as:
.certo upload to Azure.pfxfor use by apps, scripts, or pipelines
Option B: Use a CA-Issued Certificate
Request a certificate from your internal or third-party Certificate Authority and export it as a .cer file. For production workloads, CA-issued certificates are strongly recommended.
Step 3: Upload the New Certificate to Azure
Full guidance is available in the Microsoft Entra app registration certificate documentation.
- Open the App Registration in Azure
- Go to Certificates & secrets
- Click Upload certificate
- Select the new
.cerfile - Click Save
Azure immediately trusts the new certificate once you save.
Step 4: Verify the New Certificate Works
Before touching any dependent services, confirm the new certificate authenticates correctly.
Using PowerShell:
$cert = Get-Item "Cert:\CurrentUser\My\<thumbprint>"
$tenantId = "<your-tenant-id>"
$appId = "<your-app-id>"
Connect-AzAccount -ServicePrincipal `
-TenantId $tenantId `
-ApplicationId $appId `
-CertificateThumbprint $cert.ThumbprintIf this returns a valid session, the certificate is working. Only proceed to Step 5 after this confirms success.
Using Azure CLI:
az login --service-principal \
--username <app-id> \
--tenant <tenant-id> \
--password <path-to-cert.pfx>A successful login output confirms the new certificate is trusted by Azure.
Step 5: Update Dependent Applications and Services
Uploading the certificate in Azure alone is not enough. Every service that uses the old certificate must be updated.
Automation Scripts and CI/CD Pipelines
- Replace the old
.pfxfile with the new one - Update configuration files or secret references
- Restart pipelines or services if required
SAML-Based SSO Integrations
SAML applications in Azure use a dedicated signing certificate that needs updating in two places.
In Azure:
- Go to Microsoft Entra ID > Enterprise applications
- Select the affected application
- Go to Single sign-on > SAML Certificates section
- Click Edit and add the new certificate
- Set it as Active
- Download the new Federation Metadata XML or Certificate (Base64)
In the third-party service (Salesforce, AWS, ServiceNow, etc.):
- Open the SSO or SAML settings in the third-party portal
- Replace the old signing certificate with the downloaded
.ceror Base64 certificate - Save and test a sign-in before removing the old certificate from Azure
ADFS and Federation Scenarios
- Ensure relying parties trust the updated token signing or decryption certificate
- Run
Update-MSOLFederatedDomainif ADFS federation metadata needs refreshing - Validate federation trust after renewal with a test login
Step 6: Remove the Expired Certificate
Once the new certificate is fully validated across all services:
- Go back to Certificates & secrets
- Delete the expired certificate
This avoids confusion and prevents accidental rollbacks.
How to Renew Expired Azure Certificates Without Causing Downtime
To avoid outages during renewal:
- Upload the new certificate before the old one expires
- Update applications to use the new certificate
- Verify authentication and token issuance across all dependent services
- Remove the old certificate only after full validation
Azure supports multiple active certificates, which makes seamless rollover possible without any authentication gap.
Azure CLI Alternative (For DevOps Teams)
You can reset credentials using Azure CLI. Always use --append to avoid wiping existing certificates:
az ad app credential reset \
--id <app-id> \
--cert <path-to-cert> \
--appendWithout --append, this command deletes all existing certificates and secrets on the app registration, causing immediate downtime.
How to Automate Certificate Renewal Using Azure Key Vault
Azure Key Vault removes the risk of manual renewal entirely. Microsoft’s Key Vault certificate management documentation covers advanced policy options in detail. Here is how to set it up:
- Go to Azure Key Vault > Certificates > Generate/Import
- Choose Generate and set the subject name to match your app (e.g.,
CN=AppName) - Set the validity period (24 or 36 months recommended)
- Under Advanced Policy Configuration, enable Auto-Renewal and set a renewal threshold (e.g., 30 days before expiry)
- Configure Azure Monitor alerts on the Key Vault to notify your team when certificates approach expiry
- Assign a Managed Identity to your application so it can retrieve certificates without storing credentials in code
Once configured, Key Vault renews certificates automatically and your applications pull the latest version at runtime. This eliminates emergency renewals and reduces operational risk.
Best Practices to Prevent Future Certificate Expiry Issues
- Always add a new certificate before the current one expires
- Use Azure Key Vault for secure storage and automated rotation
- Configure monitoring or alerting for certificate expiry in Azure Monitor
- Prefer 2 to 3 year validity where policy allows
- Maintain a documented renewal SOP for your team
FAQs: Renew Expired Certificates for Azure Authentication
What does renewing expired Azure certificates mean?
It means replacing an authentication certificate used by an App Registration, service principal, or SSO setup in Microsoft Entra ID. Once a certificate expires, Azure rejects authentication requests, causing login failures and broken automation.
How do I check if my Azure certificate has expired?
Open App registrations > Certificates & secrets in the Azure portal and check the expiration column. If authentication fails with AADSTS700027, an expired certificate is the most likely cause.
What error appears when an Azure certificate expires?
The most common error is AADSTS700027, which means the client assertion contains an expired certificate. SAML sign-in failures and token validation errors are also common symptoms.
Can I renew an expired Azure certificate without downtime?
Yes. Azure supports multiple active certificates simultaneously. Upload the new certificate, validate it works, update all dependent services, then delete the old certificate. This sequence avoids any authentication gap.
Do I need to update applications after renewing an Azure certificate?
Yes. Any app, script, CI/CD pipeline, or SAML integration that uses the old certificate must be updated with the new .pfx or signing certificate. Uploading to Azure alone is not sufficient.
Should I use self-signed certificates for Azure authentication?
Self-signed certificates work for testing or internal tools. For production, always use CA-issued certificates to meet security, compliance, and trust requirements.
What happens if I delete an expired certificate too early?
If you delete it before updating all dependent services, authentication will still fail. Always confirm the new certificate works everywhere before removing the old one.
Does Azure Key Vault support automatic certificate renewal?
Yes. Key Vault supports full certificate lifecycle management including auto-renewal, expiry notifications, and secure storage. It is the recommended approach for managing Azure authentication certificates at scale.
Related Guides
