Why does Azure AD use an inactive certificate instead of an expired, active certificate?

Andre Dupre Kuiper 0 Reputation points

I created a new, inactive SAML signing certificate for an Azure AD application (first image below). The app has an existing (active) but expired certificate. The new, inactive certificate was then presented to the SP as the signing certificate (second image below), causing an error, as the SP had not been updated to use the new certificate.

Is this expected behavior? I could not find anything in the documentation that describes this.



Microsoft Entra ID

1 answer

  1. Shweta Mathur 22,571 Reputation points Microsoft Employee

    Hi @Andre Dupre Kuiper ,

    Thanks for reaching out.

    This is expected behavior. When you have an existing certificate that is already expired and you generate a new certificate, the new certificate will be considered for signing tokens, even though you haven't activated it yet.

    Although in this case, users may experience an application outage.

    If you intend to keep certificate expiry validation disabled and want to utilize the expired certificate, then the new certificate shouldn't be created.

    Reference: https://learn.microsoft.com/en-us/azure/active-directory/manage-apps/tutorial-manage-certificates-for-federated-single-sign-on

    Hope this will help.



    Please remember to "Accept Answer" if answer helped you.

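Added example (not from the question, the answer or Microsoft's own tooling): a Python check an SP operator can run when the error described above appears, to find out which certificate actually signed the assertion and whether the SP trusts it. It pulls the certificate(s) carried in the SAML response's ds:KeyInfo, computes the SHA-1 thumbprint that the Entra portal shows for each signing certificate, compares it with the thumbprints the SP has configured, and, if the app's federation metadata document is supplied as well, lists the signing certificates Entra advertises that the SP has not loaded yet. The SAML response, the metadata document and the certificate bytes are constructed placeholders; real base64 certificates drop in unchanged, because the thumbprint is simply SHA-1 over the base64-decoded DER bytes.

```python
import base64
import hashlib
import xml.etree.ElementTree as ET

DS = "{http://www.w3.org/2000/09/xmldsig#}"
MD = "{urn:oasis:names:tc:SAML:2.0:metadata}"

# Constructed placeholder "certificates". These are not real X.509 structures;
# only their bytes matter here, since the thumbprint is SHA-1 over the DER bytes.
CERT_OLD = base64.b64encode(b"placeholder DER bytes: expired but active cert").decode()
CERT_NEW = base64.b64encode(b"placeholder DER bytes: new, not yet activated cert").decode()

# Constructed SAML response: Entra signed the assertion with the NEW certificate.
SAMPLE_RESPONSE = f"""<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
  xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_r1" Version="2.0">
  <saml:Issuer>https://sts.windows.net/00000000-0000-0000-0000-000000000000/</saml:Issuer>
  <saml:Assertion ID="_a1" Version="2.0">
    <saml:Issuer>https://sts.windows.net/00000000-0000-0000-0000-000000000000/</saml:Issuer>
    <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
      <ds:SignedInfo/>
      <ds:SignatureValue>AAAA</ds:SignatureValue>
      <ds:KeyInfo><ds:X509Data><ds:X509Certificate>{CERT_NEW}</ds:X509Certificate></ds:X509Data></ds:KeyInfo>
    </ds:Signature>
  </saml:Assertion>
</samlp:Response>"""

# Constructed IdP federation metadata advertising both signing certificates.
SAMPLE_METADATA = f"""<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
  xmlns:ds="http://www.w3.org/2000/09/xmldsig#" entityID="https://sts.windows.net/00000000-0000-0000-0000-000000000000/">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Data><ds:X509Certificate>{CERT_OLD}</ds:X509Certificate></ds:X509Data></ds:KeyInfo></md:KeyDescriptor>
    <md:KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Data><ds:X509Certificate>{CERT_NEW}</ds:X509Certificate></ds:X509Data></ds:KeyInfo></md:KeyDescriptor>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>"""


def thumbprint(b64_cert: str) -> str:
    """SHA-1 over the DER bytes, upper-case hex: the thumbprint format the Entra portal displays."""
    der = base64.b64decode("".join(b64_cert.split()))
    return hashlib.sha1(der).hexdigest().upper()


def normalize(tp: str) -> str:
    """Accept thumbprints pasted with colons, spaces or lower-case hex."""
    return tp.replace(":", "").replace(" ", "").upper()


def signing_certs_from_response(xml_text: str) -> list:
    """Thumbprints of every certificate carried in a ds:KeyInfo of the response or its assertion(s)."""
    root = ET.fromstring(xml_text)
    return [thumbprint(e.text) for e in root.iter(DS + "X509Certificate") if e.text]


def signing_certs_from_metadata(xml_text: str) -> list:
    """Thumbprints of the signing certificates the IdP advertises (use="signing" or unspecified)."""
    root = ET.fromstring(xml_text)
    out = []
    for kd in root.iter(MD + "KeyDescriptor"):
        if kd.get("use") in (None, "signing"):
            out.extend(thumbprint(e.text) for e in kd.iter(DS + "X509Certificate") if e.text)
    return out


def diagnose(response_xml: str, sp_trusted, metadata_xml: str = None) -> dict:
    """Compare the certificate that signed the message with what the SP trusts.

    status: 'ok' (signer is trusted), 'untrusted_signer' (SP must load the new cert),
    or 'no_keyinfo' (message carries no certificate; signer cannot be identified here).
    """
    used = set(signing_certs_from_response(response_xml))
    trusted = {normalize(t) for t in sp_trusted}
    result = {"used": sorted(used), "trusted_match": sorted(used & trusted)}
    if not used:
        result["status"] = "no_keyinfo"
    elif used & trusted:
        result["status"] = "ok"
    else:
        result["status"] = "untrusted_signer"
    if metadata_xml is not None:
        advertised = set(signing_certs_from_metadata(metadata_xml))
        result["advertised"] = sorted(advertised)
        # Certificates Entra may sign with that the SP has not been given yet.
        result["missing_from_sp"] = sorted(advertised - trusted)
    return result


if __name__ == "__main__":
    # The situation from the question: the SP only knows the old certificate.
    print(diagnose(SAMPLE_RESPONSE, {thumbprint(CERT_OLD)}, SAMPLE_METADATA))
```

Running it with only the old thumbprint configured reports `untrusted_signer` and lists the new certificate under `missing_from_sp`; loading that thumbprint on the SP side turns the status to `ok`. Pull the real metadata from the App Federation Metadata URL shown on the app's SAML single sign-on page, and capture the SAML response with the browser's developer tools or a SAML tracer; the check then tells you which certificate to add before rather than after the outage.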