Looks like the application for which you are trying to renew the encryption certificate is a multi-tenant application.
This means the application is registered in another tenant, and you only have a service principal for it that was created in your tenant.
For multi-tenant applications, the certificate has to be updated in the tenant where the application was initially registered.
To find out in which tenant the actual application behind the corresponding service principal is registered, you can follow the steps below:
- Open Windows PowerShell as Administrator.
- Run the command `Connect-AzureAD`.
- Enter the global admin credentials of your tenant.
- Now run the command `Get-AzureADServicePrincipal -ObjectId "<Object ID of service principal (app under Enterprise applications)>" | fl`.
- In the output, look for the `AppOwnerTenantId` parameter.
The tenant ID that you see in the above result is the tenant where your application is registered.
The token encryption key has to be updated in that tenant's directory.
Let me know if you have any further questions.
Please "Accept the answer" if the information helped you. This will help us and others in the community as well.
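As an added worked example (not part of the original answer), the steps above combined into one PowerShell script that looks up the service principal, reads its `AppOwnerTenantId`, and compares it with the tenant you are signed in to, so you can see at a glance whether the certificate must be renewed here or in the owning tenant. The script parameter name and the placeholder object ID are assumptions; the cmdlets (`Connect-AzureAD`, `Get-AzureADTenantDetail`, `Get-AzureADServicePrincipal`) come from the AzureAD module.

```powershell
# Added example, not from the original answer.
# Finds the home tenant of the application behind an enterprise application
# (service principal) and reports whether it matches the signed-in tenant.
param(
    [Parameter(Mandatory = $true)]
    # Object ID of the service principal (Enterprise applications blade).
    # Placeholder value; replace with your own.
    [string]$ServicePrincipalObjectId = '00000000-0000-0000-0000-000000000000'
)

Import-Module AzureAD -ErrorAction Stop

# Interactive sign-in; use global admin credentials as the answer describes.
Connect-AzureAD | Out-Null

# ObjectId of the tenant detail object is the tenant ID you are signed in to.
$currentTenantId = (Get-AzureADTenantDetail).ObjectId

$sp = Get-AzureADServicePrincipal -ObjectId $ServicePrincipalObjectId -ErrorAction Stop

# AppOwnerTenantId identifies the tenant where the application object lives.
$result = [pscustomobject]@{
    DisplayName      = $sp.DisplayName
    AppId            = $sp.AppId
    AppOwnerTenantId = $sp.AppOwnerTenantId
    CurrentTenantId  = $currentTenantId
    RegisteredHere   = ($sp.AppOwnerTenantId -eq $currentTenantId)
}
$result | Format-List

if (-not $result.RegisteredHere) {
    Write-Warning ("Application '{0}' is registered in tenant {1}. " +
                   "Renew the token encryption certificate in that tenant, not in {2}.") `
                   -f $sp.DisplayName, $sp.AppOwnerTenantId, $currentTenantId
}
```

Run it as `.\Find-AppOwnerTenant.ps1 -ServicePrincipalObjectId <object-id>` (script file name is an assumption). A `RegisteredHere` value of `True` means the app registration is in your own directory and the certificate can be updated there; `False` means the owning tenant's administrators have to perform the update.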