Hello @MSG160-0831 ,
The certificate may change for multiple reasons. It may be expiry or revocation by the certificate authority, or it could be any other reason which we may not have control over. I am not aware of any CA certificate list for root and intermediate CAs specific to our OAuth endpoint (login.microsoftonline.com or sts.windows.net) for the identity system. However, I would recommend adding the CA certificates from the Microsoft Trusted Root Certificate Program. It provides a download of an STL cabinet file containing a trusted list. The list may have information on revoked certificates as well, hence you may need to review it while importing on a machine to test more. You can download the same at https://aka.ms/CTLDownload. The list of trusted root participants is found online here, and you can view and download the current list in either CSV or XML format. In all probability Azure will always use issuer certificates from one of the Microsoft trusted root CA partners as listed on the page.
Whenever a certificate from this list is deprecated by the certification authority, they inform Microsoft and we release the updated deployment notice on the trust program site. Office 365 also uses certificates from issuers in this list. They have a section in the Microsoft 365 documentation which explains the different certificate providers that Office 365 uses. You can download the certificates as a P7B root cert bundle from the linked page, which is the most up-to-date information on certificates used on the Microsoft 365 side, including but not limited to many other services like Microsoft Graph and Azure AD. Since the infrastructure is tied together, you may find the same certificate used for most endpoints if you check the subject alternative name on most of these services.
The lists I have mentioned above are updated regularly. I am not aware if there is any programmatic access to these which you can use to set up some kind of automation for your use case, but the Common CA Database can be used, and the Microsoft Included CA Certificate List page can be parsed using an HTTP call, and the CA certificate list could be generated on your side by downloading the CRT files listed on the page for trusted CAs. I hope the information provided would be sufficient for your use case. If the information provided is useful, please do accept the post as the answer. In case you have any residual queries, please feel free to let us know and we will be happy to help further.
Thank you.
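One way to turn the CSV export mentioned in the answer into a local CA bundle, as an added example that is not part of the answer above and not Microsoft's own tooling: each row's PEM is checked against the published SHA-256 fingerprint and the program status before it is accepted, so a tampered or disabled entry never reaches the trust store. The column names (`Microsoft Status`, `SHA-256 Fingerprint`, `PEM Info`, `Common Name or Certificate Name`) are assumptions modelled on the CCADB report, and the certificates are constructed byte strings, not real roots.

```python
import base64
import csv
import hashlib
import io
import re

# Matches one PEM certificate block; the body may span several lines.
PEM_RE = re.compile(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)

def pem_to_der(pem: str) -> bytes:
    """Decode the first PEM certificate block into raw DER bytes."""
    m = PEM_RE.search(pem)
    if not m:
        raise ValueError("no PEM certificate block found")
    return base64.b64decode("".join(m.group(1).split()))

def sha256_fingerprint(der: bytes) -> str:
    """Certificate fingerprint as CCADB-style upper-case hex over the DER."""
    return hashlib.sha256(der).hexdigest().upper()

def der_to_pem(der: bytes) -> str:
    b64 = base64.b64encode(der).decode()
    body = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    return f"-----BEGIN CERTIFICATE-----\n{body}\n-----END CERTIFICATE-----\n"

def build_bundle(csv_text: str, required_status: str = "Included"):
    """Return (accepted, rejected): accepted rows as (name, PEM), rejected as (name, reason).
    A row is accepted only if its status matches and the PEM hashes to the published fingerprint."""
    accepted, rejected = [], []
    for row in csv.DictReader(io.StringIO(csv_text)):
        name = row["Common Name or Certificate Name"]
        if row["Microsoft Status"] != required_status:
            rejected.append((name, "status " + row["Microsoft Status"]))
            continue
        try:
            der = pem_to_der(row["PEM Info"])
        except ValueError as exc:
            rejected.append((name, str(exc)))
            continue
        published = row["SHA-256 Fingerprint"].replace(":", "").upper()
        if sha256_fingerprint(der) != published:
            rejected.append((name, "fingerprint mismatch"))  # tampered or corrupted download
            continue
        accepted.append((name, der_to_pem(der)))
    return accepted, rejected

# Constructed sample data: fake DER bytes stand in for real root certificates.
_GOOD_DER = b"\x30\x82\x01\x00constructed-root-A"
_BAD_DER = b"\x30\x82\x01\x00constructed-root-B"

def _make_sample_csv() -> str:
    buf = io.StringIO()
    w = csv.writer(buf, lineterminator="\n")
    w.writerow(["Common Name or Certificate Name", "Microsoft Status", "SHA-256 Fingerprint", "PEM Info"])
    w.writerow(["Constructed Root A", "Included", sha256_fingerprint(_GOOD_DER), der_to_pem(_GOOD_DER)])
    w.writerow(["Constructed Root B", "Included", "00" * 32, der_to_pem(_BAD_DER)])  # hash does not match
    w.writerow(["Constructed Root C", "Disabled", sha256_fingerprint(_GOOD_DER), der_to_pem(_GOOD_DER)])
    return buf.getvalue()

SAMPLE_CSV = _make_sample_csv()
```

Writing the accepted PEMs to one file gives a bundle you can hand to a TLS client; anything in the rejected list is worth a look before the next refresh.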