Clarification on Certificate Expiry and Renewal for Microsoft-Managed Domain used in mfa

Cuauhtemoc Guerrero 20 Reputation points
2024-11-12T20:10:49.4166667+00:00

This is for an enterprise application mfa.contoso.com | SAML-based Sign-on

We recently received an email notification with the following message:

"Please renew your application certificate in Contoso. You’re receiving this notification because your email address is associated with mfa.contoso.ca. The certificate used for single sign-on to mfa.contoso.com is going to expire in 29 days on November 29, 2024, at 8:30 UTC."

Upon investigation, it appears that this certificate is associated with a Microsoft-managed domain, as the URLs and configurations involved are outside our direct control. Here are the key details:

Our own certificate remains valid until April 2025. The only contoso domain referenced in this configuration is mfa.contoso.com, which is a CNAME for external.contoso.com, and this URL redirects to Microsoft’s domain: https://mysignins.microsoft.com/security-info.

We need clarification on the following points:

  • Does any action need to be taken by our team to update or renew this certificate?
  • If no action is needed, could you confirm any potential impacts on our users once the certificate expires?

Thank you for your assistance.

Microsoft Security | Microsoft Entra | Other

Accepted answer
  1. Goutam Pratti 6,170 Reputation points Microsoft External Staff Moderator
    2024-11-14T09:05:21.7266667+00:00

    Hello @Cuauhtemoc Guerrero ,

    Thank you for reaching out Microsoft Q&A.

    It appears you've received an email indicating that a certificate used for single sign-on (SSO) to mfa.contoso.com will expire in 29 days, on November 29, 2024, at 8:30 UTC, and this notification is associated with mfa.contoso.ca.

    Firstly, identify which application in your tenant the certificate that is going to expire belongs to. Since you say it is for the enterprise application, use the PowerShell script in the following link to identify which enterprise application certificate is going to expire: https://learn.microsoft.com/en-us/entra/identity/enterprise-apps/scripts/powershell-export-all-enterprise-apps-secrets-and-certs

    If you see the details regarding the upcoming expiration of an enterprise application, you can generate the new certificate by following the link: https://learn.microsoft.com/en-us/entra/identity/enterprise-apps/tutorial-manage-certificates-for-federated-single-sign-on#renew-a-certificate-that-is-set-to-expire-soon

    Additionally, if you want to check the secrets and certificates of app registrations, follow: https://learn.microsoft.com/en-us/entra/identity/enterprise-apps/scripts/powershell-export-all-app-registrations-secrets-and-certs

    Hope this helps. Do let us know if you have any further queries.


    If this answers your query, do click Accept Answer and Yes for was this answer helpful. And, if you have any further query do let us know.

    Regards,
    Goutam Pratti.
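The two steps in the accepted answer (find the expiring enterprise-application certificate, then generate a new one) can be done in one Microsoft Graph PowerShell script. The block below is an added example written for this page; it is not code from the thread or from the Microsoft documents linked above. It assumes the Microsoft.Graph PowerShell SDK is installed, that the signed-in account has Application.Read.All (or Application.ReadWrite.All when renewing), and that the parameter names `$DaysAhead`, `$AppNameFilter` and `-Renew`, the 30-day default and the `CN=mfa.contoso.com` subject are choices made for the example. It looks in the tenant's own service principals, which is where a SAML token-signing certificate is stored regardless of where the application's URL eventually redirects.

```powershell
# Added example for this Q&A page (not from the thread or the linked Microsoft docs).
# Lists SAML enterprise applications whose token-signing certificate expires within
# $DaysAhead days and, with -Renew, adds a fresh self-signed signing certificate.
# Assumptions: Microsoft.Graph SDK installed; caller consented to Application.Read.All
# (read) or Application.ReadWrite.All (renew); parameter names and defaults are ours.
param(
    [int]$DaysAhead = 30,          # assumed window; the notification quoted above said 29 days
    [string]$AppNameFilter = '*',  # e.g. '*mfa.contoso.com*' to narrow to one app
    [switch]$Renew
)

Import-Module Microsoft.Graph.Applications

$scopes = if ($Renew) { 'Application.ReadWrite.All' } else { 'Application.Read.All' }
Connect-MgGraph -Scopes $scopes -NoWelcome

$nowUtc = (Get-Date).ToUniversalTime()
$cutoff = $nowUtc.AddDays($DaysAhead)

# Only service principals configured for SAML single sign-on carry a token-signing certificate.
$samlApps = Get-MgServicePrincipal -All -Property 'Id,DisplayName,AppId,PreferredSingleSignOnMode,PreferredTokenSigningKeyThumbprint,KeyCredentials,ReplyUrls' |
    Where-Object { $_.PreferredSingleSignOnMode -eq 'saml' -and $_.DisplayName -like $AppNameFilter }

$expiring = foreach ($sp in $samlApps) {
    foreach ($kc in $sp.KeyCredentials) {
        # Each signing cert appears twice (Usage = Sign and Verify); report the Sign entry once.
        if ($kc.Usage -ne 'Sign' -or -not $kc.EndDateTime) { continue }
        if ($kc.EndDateTime -gt $cutoff) { continue }

        # For Entra-generated SAML certs the customKeyIdentifier holds the SHA-1 thumbprint bytes.
        $thumb = ''
        if ($kc.CustomKeyIdentifier) {
            $thumb = ($kc.CustomKeyIdentifier | ForEach-Object { $_.ToString('X2') }) -join ''
        }

        [pscustomobject]@{
            Application         = $sp.DisplayName
            ServicePrincipalId  = $sp.Id
            Thumbprint          = $thumb
            IsActiveSigningCert = ($thumb -eq $sp.PreferredTokenSigningKeyThumbprint)
            ExpiresUtc          = $kc.EndDateTime
            DaysLeft            = [math]::Floor(($kc.EndDateTime - $nowUtc).TotalDays)
            ReplyUrls           = ($sp.ReplyUrls -join ', ')
        }
    }
}

if (-not $expiring) {
    Write-Host "No SAML signing certificates expire within $DaysAhead days (filter '$AppNameFilter')."
    return
}

$expiring | Sort-Object DaysLeft | Format-Table Application, DaysLeft, ExpiresUtc, IsActiveSigningCert, Thumbprint, ReplyUrls -AutoSize

if ($Renew) {
    foreach ($item in ($expiring | Where-Object IsActiveSigningCert)) {
        # Same Graph action the portal uses: creates a new self-signed signing cert on the
        # service principal. The subject is an assumed value; set it to match your app.
        $newCert = Add-MgServicePrincipalTokenSigningCertificate `
            -ServicePrincipalId $item.ServicePrincipalId `
            -DisplayName 'CN=mfa.contoso.com' `
            -EndDateTime $nowUtc.AddYears(2)

        Write-Host "Added signing certificate $($newCert.Thumbprint) to '$($item.Application)'."
        Write-Host 'It is NOT active yet. Deliver the new certificate/metadata to the application first, then run:'
        Write-Host "  Update-MgServicePrincipal -ServicePrincipalId $($item.ServicePrincipalId) -PreferredTokenSigningKeyThumbprint $($newCert.Thumbprint)"
    }
}
```

Run it read-only first (`.\Find-ExpiringSamlCert.ps1 -AppNameFilter '*mfa.contoso.com*'`); the `IsActiveSigningCert` column tells you whether the expiring certificate is the one Entra currently signs SAML assertions with, which is what the expiry e-mail is about. The script deliberately does not flip `PreferredTokenSigningKeyThumbprint` on its own: the relying party must trust the new certificate before Entra starts signing with it, or sign-in to that application fails at the cut-over rather than at the original expiry date.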


1 additional answer

  1. Cuauhtemoc Guerrero 20 Reputation points
    2024-11-15T18:46:39.4966667+00:00

    Sorry for the delay, it's been a busy week.
    I will look into your instructions, but what I am most interested to know is that this certificate that is going to expire is for a Microsoft domain. Is there anything we need to do?

    what is more intriguing is why we would get an email asking us to change a cert that is not from our main domain?

