Microsoft Entra ID
A Microsoft Entra identity service that provides identity management and access control capabilities. Replaces Azure Active Directory.
24,187 questions
How to use SHA256 instead of SHA1 for Azure App Registration Thumbprint?
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(227.2, 26%, 32%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EAK%3C/text%3E%3C/svg%3E)
Alexander Kuppek
1
Reputation point
When using a X.509 Certificate for authenticate an Azure App Registration, SHA1 thumbprint needs to be used. But in the documentation on how to generate the assertion it says x5t header needs to use SHA256:
https://learn.microsoft.com/en-us/entra/identity-platform/certificate-credentials#assertion-format
So when using a Base64 encoded SHA256 thumbprint authentication is not working an throws following error:
AADSTS700027: The certificate with identifier used to sign the client assertion is not registered on application. [Reason - The key was not found.
When using SHA1 thumbprint it works.
I also noticed the documentation for x5t header was adjusted a few month ago where SHA1 was changed to SHA256:
https://github.com/MicrosoftDocs/entra-docs/commit/f46b30295d2ec10db0f9462349812de366b3ab18
I think it should be clearly mentioned in the documentation that for some assertions SHA1 still needs to be used!
{count} votes
-
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(192, 22%, 28%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ESD%3C/text%3E%3C/svg%3E)
Sakshi Devkante 2,905 Reputation points Microsoft External Staff2025-04-08T12:29:54.1866667+00:00 Hello @Alexander Kuppek
Can you confirm if you are using the same SHA256 certificate uploaded on application side as well when you are testing?
The documentation you referenced updated the
x5t(certificate thumbprint) header to use SHA256 for hashing, aligning with modern security standards, given that SHA1 is considered weak and deprecated. As you discovered, SHA1 thumbprints still work in practice for many authentication scenarios, particularly in App Registrations. It looks like for now, using the SHA1 thumbprint remains the working solution.If SHA256 is required for your specific use case then did you refer to the steps mentioned by one of our colleagues on the below Q&A posts, he has shared the PowerShell script about the same. This is based on the error "Key was not found" is generated when client who uses cert needs to include x5t property when getting a token.
-
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(0, 17%, 10%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EVJ%3C/text%3E%3C/svg%3E)
Venkata Jagadeep 1,005 Reputation points Microsoft External Staff2025-04-09T10:35:04.9733333+00:00 Hello Alexander Kuppek,
Did you get a chance to review the inputs provided by Sakshi in the previous comment.
Please let me know if you have any questions.
-
Venkata Jagadeep 1,005 Reputation points Microsoft External Staff
2025-04-11T11:31:54.2566667+00:00 Hello Alexander Kuppek,
Just to followup on this thread, let us know if you get the additional information for your query? Please let me know if you have any additional queries.
Sign in to comment
Sign in to answer