servicePrincipal: addTokenSigningCertificate

Namespace: microsoft.graph

Create a self-signed signing certificate and return a selfSignedCertificate object, which is the public part of the generated certificate.

The self-signed signing certificate is composed of the following objects, which are added to the servicePrincipal:

  • The keyCredentials object with the following objects:
    • A private key object with usage set to Sign.
    • A public key object with usage set to Verify.
  • The passwordCredentials object.

All the objects have the same value of customKeyIdentifier.

The passwordCredential is used to open the PFX file (private key). It and the associated private key object have the same value of keyId. When set during creation through the displayName property, the subject of the certificate cannot be updated. The startDateTime is set to the same time the certificate is created using the action. The endDateTime can be up to three years after the certificate is created.

This API is available in the following national cloud deployments.

Global service US Government L4 US Government L5 (DOD) China operated by 21Vianet


Choose the permission or permissions marked as least privileged for this API. Use a higher privileged permission or permissions only if your app requires it. For details about delegated and application permissions, see Permission types. To learn more about these permissions, see the permissions reference.

Permission type Least privileged permissions Higher privileged permissions
Delegated (work or school account) Application.ReadWrite.All Directory.ReadWrite.All
Delegated (personal Microsoft account) Not supported. Not supported.
Application Application.ReadWrite.OwnedBy Application.ReadWrite.All, Directory.ReadWrite.All

HTTP request

You can address the service principal using either its id or appId. id and appId are referred to as the Object ID and Application (Client) ID, respectively, in app registrations in the Microsoft Entra admin center.

POST /servicePrincipals/{id}/addTokenSigningCertificate
POST /servicePrincipals(appId='{appId}')/addTokenSigningCertificate

Request body

In the request body, provide the following required properties.

Property Type Description
displayName string Friendly name for the key. It must start with CN=.
endDateTime DateTimeOffset The date and time when the credential expires. It can be up to 3 years from the date the certificate is created. If not supplied, the default is three years from the time of creation. The timestamp type represents date and time information using ISO 8601 format and is always in UTC time. For example, midnight UTC on Jan 1, 2014 is 2014-01-01T00:00:00Z.


If successful, this method returns a 200 OK response code and a new selfSignedCertificate object in the response body.



The following example shows a request.

Content-type: application/json



The following example shows the response.

HTTP/1.1 200 OK
Content-Type: application/json

  "@odata.context": "$metadata#microsoft.graph.selfSignedCertificate",
  "customKeyIdentifier": "2iD8ppbE+D6Kmu1ZvjM2jtQh88E=",
  "displayName": "CN=customDisplayName",
  "endDateTime": "2024-01-25T00:00:00Z",
  "key": "MIICuDCCAaCgAwIBAgIIYXJsNtL4oUMwDQYJKoZIhvcNAQEL...StP8s/w==",
  "keyId": "93bc223f-7235-4b9c-beea-d66847531c49",
  "startDateTime": "2021-05-05T18:38:51.8100763Z",
  "thumbprint": "DA20FCA696C4F83E8A9AED59BE33368ED421F3C1",
  "type": "AsymmetricX509Cert",
  "usage": "Verify"