This browser is no longer supported.
Upgrade to Microsoft Edge to take advantage of the latest features, security updates, and technical support.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(233.6, 0%, 32%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ELD%3C/text%3E%3C/svg%3E)
Hi!
I am working at the moment to get the token using POST login.microsoftonline.com:443/{tenantID}/oauth2/v2.0/token.
I am able to create a client_assertion, but I am getting this error with the API call:
{ "error": "invalid_client", "error_description": "AADSTS700027: The certificate with identifier used to sign the client assertion is not registered on application. [Reason - The key was not found., Please visit the Azure Portal, Graph Explorer or directly use MS Graph to see configured keys for app Id '8b76b6d9-4732-4558-a4b5-40d5ff2ed6ef'. Review the documentation at https://docs.microsoft.com/en-us/graph/deployments to determine the corresponding service endpoint and https://docs.microsoft.com/en-us/graph/api/application-get?view=graph-rest-1.0&tabs=http to build a query request URL, such as '[https://graph.microsoft.com/beta/applications/8b76b6d9-4732-4558-a4b5-40d5ff2ed6ef']]. Trace ID: 40dccc8c-276d-4927-b6e0-583bf24f9000 Correlation ID: 55f49a48-adab-4470-b42d-f100f63bc15d Timestamp: 2026-06-09 14:01:21Z", "error_codes": [ 700027 ], "timestamp": "2026-06-09 14:01:21Z", "trace_id": "40dccc8c-276d-4927-b6e0-583bf24f9000", "correlation_id": "55f49a48-adab-4470-b42d-f100f63bc15d", "error_uri": "https://login.microsoftonline.com/error?code=700027" }
The thumbprint is correct, because otherwise I get a similar error but with the line "Thumbprint of key used by client" in the error as well. The certificate is still valid, and is available in the app registration.
An API that connects multiple Microsoft services, enabling data access and automation across platforms
Apparently I encoded the thumbprint base64 for the jwt-header, but it had to be encoded: Base64url-encoded SHA-256 thumbprint of the X.509 certificate's DER encoding
That fixed it.
AI answer
The error AADSTS700027: The certificate with identifier used to sign the client assertion is not registered on application. [Reason - The key was not found.] means the Microsoft identity platform cannot find a public key on the app registration that matches the certificate used to sign the client_assertion.
For a successful client credentials flow with a certificate, the following must all be true:
client_id is used in the token request.client_assertion must be a JWT signed with the private key corresponding to that uploaded certificate.Given that the thumbprint is correct and the certificate is valid and visible in the app registration, focus on these checks:
client_id in the token request is exactly the same app registration where the certificate is configured.{tenantID} in the token endpoint matches the tenant where that app registration lives.client_assertion is among them.client_assertion construction
grant_type=client_credentialsclient_assertion_type=urn:ietf:params:oauth:client-assertion-type:jwt-bearerclient_assertion=<JWT signed with the app’s certificate>client_secret in this request; for certificate auth it is replaced by client_assertion_type and client_assertion.alg=RS256 and a kid that corresponds to the uploaded certificate, if set).scope parameter is the resource identifier suffixed with /.default (for example, https://graph.microsoft.com/.default), as required by the client credentials flow.Once the app registration has the correct certificate credential and the client_assertion is signed with the matching private key, the AADSTS700027 error should stop and the token request will succeed.
References: