Hello Nick Andres,
As discussed offline, this is not supported in Microsoft Entra ID.
For application and service principal authentication, App Registrations only trust certificates that are explicitly added to the app and matched by their thumbprints. Trust based on Subject Name and Issuer is not available for applications.
There is no portal setting, Microsoft Graph API parameter, tenant policy, or CORP-specific feature to enable this.
When a certificate renews, the thumbprint changes, even if the Subject and Issuer stay the same. Because of this, authentication will fail until the new certificate is added to the App Registration. This is expected behavior.
The supported approach is to automate certificate renewal and update the App Registration when the new certificate is issued, ideally keeping overlapping certificates to avoid downtime. If the workload runs in Azure, Managed Identity can also be considered to remove certificate management.
In short, App Registrations only support thumbprint-based certificate trust, and subject/issuer-based trust is not available today.
Hope this helps! Feel free to reach out for further queries.
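To illustrate the overlap approach from the answer above, here is an added example (not from the original post or from Microsoft) that builds the `keyCredentials` payload for a Microsoft Graph `PATCH /applications/{id}` call: it keeps the still-valid current certificate, drops expired ones, and adds the renewed certificate under its own thumbprint. The certificate bytes, names and dates are constructed stand-ins; in a real run the DER bytes come from the renewed certificate and the existing list from a `GET` on the application.

```python
# Added example (not the original answer's code): merge a renewed certificate into an
# application's keyCredentials so both thumbprints are trusted during the overlap window.
import base64
import hashlib
import uuid
from datetime import datetime, timedelta, timezone


def thumbprint(cert_der: bytes) -> str:
    """Thumbprint as the portal shows it: uppercase hex SHA-1 of the DER bytes."""
    return hashlib.sha1(cert_der).hexdigest().upper()


def key_credential(cert_der: bytes, not_before: datetime, not_after: datetime, name: str) -> dict:
    """Build one keyCredential object in the shape Microsoft Graph expects."""
    return {
        "keyId": str(uuid.uuid4()),
        "type": "AsymmetricX509Cert",
        "usage": "Verify",
        "displayName": name,
        # Graph stores the thumbprint base64-encoded; this is what authentication matches on.
        "customKeyIdentifier": base64.b64encode(hashlib.sha1(cert_der).digest()).decode(),
        "key": base64.b64encode(cert_der).decode(),
        "startDateTime": not_before.isoformat(),
        "endDateTime": not_after.isoformat(),
    }


def merge_credentials(existing: list, renewed: dict, now: datetime) -> list:
    """PATCH replaces the whole keyCredentials collection, so the payload must carry every
    certificate that should stay trusted: drop expired entries, keep the current one for
    overlap, and add the renewed one unless its thumbprint is already present."""
    kept = [c for c in existing if datetime.fromisoformat(c["endDateTime"]) > now]
    if all(c["customKeyIdentifier"] != renewed["customKeyIdentifier"] for c in kept):
        kept.append(renewed)
    return kept


# Constructed sample data: placeholder DER bytes, not real certificates.
NOW = datetime(2025, 6, 1, tzinfo=timezone.utc)
OLD_DER, NEW_DER = b"old-cert-der-bytes", b"renewed-cert-der-bytes"
OLD = key_credential(OLD_DER, NOW - timedelta(days=360), NOW + timedelta(days=5), "svc-2024")
NEW = key_credential(NEW_DER, NOW, NOW + timedelta(days=365), "svc-2025")
PAYLOAD = {"keyCredentials": merge_credentials([OLD], NEW, NOW)}  # body for the PATCH
```

Once the renewed certificate is live in the client, a second PATCH with the old entry removed (or simply letting it expire and be dropped on the next merge) completes the rotation.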