
How to resolve error - AADSTS700027: The certificate with identifier used to sign the client assertion is not registered on application. [Reason - The key was not found.,

Missaghian, Nevenka 0 Reputation points
2025-06-03T01:50:49.2333333+00:00

Hi There,

I have been able to authenticate using a client secret. I am now trying to authenticate using a certificate.

I have generated a client_assertion.

When I try to authenticate, I'm getting the following error:

401;"{""error"":""invalid_client"",""error_description"":""AADSTS700027: The certificate with identifier used to sign the client assertion is not registered on application. [Reason - The key was not found., Please visit the Azure Portal, Graph Explorer or directly use MS Graph to see configured keys for app Id '<removed>'. Review the documentation at https://docs.microsoft.com/en-us/graph/deployments to determine the corresponding service endpoint and https://docs.microsoft.com/en-us/graph/api/application-get?view=graph-rest-1.0&tabs=http to build a query request URL, such as 'https://graph.microsoft.com/beta/applications/<removed> Trace ID: <removed> Correlation ID: <removed Timestamp: 2025-05-29 20:00:25Z"",""error_codes"":[700027],""timestamp"":""2025-05-29 20:00:25Z"",""trace_id"":""<removed"",""correlation_id"":""<removed"",""error_uri"":""https://login.microsoftonline.com/error?code=700027""}"

Is there a method to quickly validate my client_assertion?

How can I confirm which part of the signature validation failed? What authentication parameters are missing?

Any help would be greatly appreciated.

Thanks,

Microsoft Security | Microsoft Entra | Microsoft Entra ID

3 answers

  1. Ishpreet Kaur 0 Reputation points Microsoft Employee
    2026-03-24T17:12:21.78+00:00

    I am also facing the same issue, but now there is a setting that has disabled the upload of certs to Entra apps. How do I deal with this in that case?


  2. Anonymous
    2025-06-05T12:00:02.09+00:00

    Hello Missaghian, Nevenka,

    The error "AADSTS700027: The certificate with identifier used to sign the client assertion is not registered on application. The key was not found" usually occurs if the certificate is not uploaded in the Microsoft Entra ID application.


    I generated a certificate using the commands below:

    
    # generate a 2048-bit RSA private key
    openssl genrsa -out certificateprivate.key 2048
    # create a certificate signing request for that key
    openssl req -new -key certificateprivate.key -out certificate.csr
    # self-sign the CSR; this .crt is the certificate to upload to the app registration
    openssl x509 -req -days 365 -in certificate.csr -signkey certificateprivate.key -out accesstokenwithcertificate.crt
    # export the public key in PEM form (pasted into the jwt.io signature box later)
    openssl rsa -in certificateprivate.key -pubout -out certificatepublickey.pem

    And the certificate is not stored in the Windows certificate store:

    
    $thumbprint = "Thumbprintofcert"
    $cert = Get-ChildItem -Path Cert:\CurrentUser\My | Where-Object { $_.Thumbprint -eq $thumbprint }
    if ($null -eq $cert) {
        Write-Output "Certificate NOT found in CurrentUser\My store."
    } else {
        Write-Output "Certificate found."
    }


    To resolve the error, make sure to upload the certificate in the Microsoft Entra ID application:


    Generate the Base64Url thumbprint:

    
    $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2("C:\Users\rukmini\accesstokenwithcertificate.crt")
    $thumbprintBytes = $cert.GetCertHash()   # SHA-1 hash of the DER-encoded certificate
    # Convert to Base64Url (no padding, no + or /)
    $base64UrlThumbprint = [System.Convert]::ToBase64String($thumbprintBytes) -replace '\+', '-' -replace '/', '_' -replace '='
    Write-Output "Base64Url Thumbprint: $base64UrlThumbprint"


    Now, use https://jwt.io/ to generate the client assertion:

    HEADER:

    
    {
      "alg": "RS256",
      "typ": "JWT",
      "x5t": "Passtheabovebase64UrlThumbprint"
    }

    PAYLOAD: DATA

    
    {
      "aud": "https://login.microsoftonline.com/TenantID/oauth2/v2.0/token",
      "exp": xxx,
      "iss": "ApplicationClientId",
      "jti": "RandomUniqueIdentifier",
      "nbf": xxx,
      "sub": "ApplicationClientId"
    }

    VERIFY SIGNATURE:

    
    {
      public key to a PEM format
      Private key to a PEM format
    }

    I used the commands below to get the values:

    
    notepad certificateprivate.key
    notepad certificatepublickey.pem


    Now copy the token from the left side and pass it as client_assertion:


    I am able to generate an access token successfully:

    
    https://login.microsoftonline.com/TenantID/oauth2/v2.0/token
    client_id: ClientID
    scope: https://graph.microsoft.com/.default
    client_assertion_type: urn:ietf:params:oauth:client-assertion-type:jwt-bearer
    client_assertion: copyfromabove
    grant_type: client_credentials


    Note: Microsoft Entra ID requires RS256 and it does not support PS256 for client credentials flow (client_assertion JWTs).

    Hope this helps!

    If this answers your query, do click Accept Answer and Yes for was this answer helpful, which may help members with similar questions.


    If you have any other questions or are still experiencing issues, feel free to ask in the "comments" section, and I'd be happy to help.


  3. Akpesiri Ogbebor 3,115 Reputation points Volunteer Moderator
    2025-06-03T07:44:26.9+00:00
