Renewed Azure Multifactor Auth Client Certificate still showing expired in Enterprise Applications

Question

Renewed Azure Multifactor Auth Client Certificate still showing expired in Enterprise Applications

Dvorak, David 70

Yesterday, a certificate for VPN MFA expired.

As stated in the accepted answer in this question: https://learn.microsoft.com/en-us/answers/questions/195259/tenantid-certificate-for-vpn-mfa-expired-how-renew

And going through the documentation: https://learn.microsoft.com/en-us/entra/identity/authentication/howto-mfa-nps-extension-vpn#configure-certificates-for-use-with-the-nps-extension-by-using-a-powershell-script

We were successfull to generate a new certificate by executing the script.

Chechking if the script is correctly associated with the tenant:

Connect-MgGraph -Scopes 'Application.Read.All'
(Get-MgServicePrincipal -Filter "appid eq '981f26a1-7f43-403b-a875-f8b09b8cd720'" -Property "KeyCredentials").KeyCredentials | Format-List KeyId, DisplayName, StartDateTime, EndDateTime, @{Name = "Key"; Expression = {[System.Convert]::ToBase64String($_.Key)}}, @{Name = "Thumbprint"; Expression = {$Cert = New-object System.Security.Cryptography.X509Certificates.X509Certificate2; $Cert.Import([System.Text.Encoding]::UTF8.GetBytes([System.Convert]::ToBase64String($_.Key))); $Cert.Thumbprint}}

Was also successfull.

However, in our Azure Enterprise Applications, the certificate is still showing as expired:

User's image

My guess was, it just needed synchronizing but it didnt change. Did i miss a step or forgot something?

Thanks in advance for any help.

Sandeep G-MSFT 20,911 Reputation points Microsoft Employee Moderator

2024-04-12T04:05:26.3566667+00:00

@Dvorak, David

Thank you for posting this in Microsoft Q&A.

I am looking into this issue and will get back to you post my research.
Sandeep G-MSFT 20,911 Reputation points Microsoft Employee Moderator

2024-04-22T10:10:52.7666667+00:00

@Dvorak, David

Just checking in to see if the below answer helped. If this answers your query, please don’t forget to click "Accept the answer" and Up-Vote for the same, which might be beneficial to other community members reading this thread.

Accepted answer

1 additional answer

Your answer

Sandeep G-MSFT 20,911 Reputation points Microsoft Employee Moderator

2024-04-12T04:05:26.3566667+00:00

@Dvorak, David

Thank you for posting this in Microsoft Q&A.

I am looking into this issue and will get back to you post my research.
Sandeep G-MSFT 20,911 Reputation points Microsoft Employee Moderator

2024-04-22T10:10:52.7666667+00:00

@Dvorak, David

Just checking in to see if the below answer helped. If this answers your query, please don’t forget to click "Accept the answer" and Up-Vote for the same, which might be beneficial to other community members reading this thread.

Answer 1

Matthieu308 91

@Dvorak, David

I faced a similar issue, and the steps below resolved it for me:

Connect to your Microsoft Tenant via PowerShell using the command Connect-MsolService
Input the following command to retrieve the associated Service Principals: Get-MsolServicePrincipalCredential -AppPrincipalId "Application ID of the Azure-Multifactor Auth Client"
You'll receive a list containing all Service Principals and their corresponding credentials, including StartDate and EndDate. It's crucial to remove the expired ones. To do this, use the following code: $clientId = "Application ID of the Azure-Multifactor Auth Client" $keys = Get-MsolServicePrincipalCredential -AppPrincipalId $clientId -ReturnKeyValues $false $dtNow = [System.DateTime]::Now foreach($key in $keys) { if($key.EndDate -lt $dtNow) { Remove-MsolServicePrincipalCredential -KeyIds @($key.KeyId) -AppPrincipalId $clientId write-host $key.KeyId " - Expired - Deleted" } else { write-host $key.KeyId " - OK" } }
You may need to rerun the AzureMfaNpsExtnConfigSetup.ps1 script to register the certificate.

I hope it helps :)

Johan Parlevliet 6 Reputation points

2024-07-25T09:47:49.05+00:00

Start-Transcript

# Connect to your Microsoft Tenant via PowerShell using the command

Connect-MsolService

# Input the following command to retrieve the associated Service Principals:

Get-MsolServicePrincipalCredential -AppPrincipalId "981f26a1-7f43-403b-a875-f8b09b8cd720" -ReturnKeyValues $false | ft

# You'll receive a list containing all Service Principals and their corresponding credentials, including StartDate and EndDate. It's crucial to remove the expired ones. To do this, use the following code:

$clientId = "981f26a1-7f43-403b-a875-f8b09b8cd720"

$keys = Get-MsolServicePrincipalCredential -AppPrincipalId $clientId -ReturnKeyValues $false

$keys | ft

$dtNow = [System.DateTime]::Now

$dtnow

foreach ($key in $keys) { if($key.EndDate -lt $dtNow) {

Remove-MsolServicePrincipalCredential -KeyIds @($key.KeyId) -AppPrincipalId $clientId

write-host $key.KeyId " - Expired - Deleted" }

else {

write-host $key.KeyId " - OK" }

}

# Check again

$keys = Get-MsolServicePrincipalCredential -AppPrincipalId $clientId -ReturnKeyValues $false

$keys | ft

Stop-Transcript
Dvorak, David 70 Reputation points

2025-01-17T08:08:18.1566667+00:00

Hi Matthieu,
after long time we finally got around trying it. It worked!

After removing all expired credentials the status is now up to date again.

Thanks!

Answer 2

Deleted

This answer has been deleted due to a violation of our Code of Conduct. The answer was manually reported or identified through automated detection before action was taken. Please refer to our Code of Conduct for more information.

Comments have been turned off. Learn more

Share via

Renewed Azure Multifactor Auth Client Certificate still showing expired in Enterprise Applications

1 additional answer

Your answer