| title | Application Management certificates frequently asked questions |
|---|---|
| description | Learn answers to frequently asked questions (FAQ) about managing certificates for apps using Microsoft Entra ID as an Identity Provider (IdP). |
| ms.topic | faq |
| ms.date | 05/21/2025 |
| ms.reviewer | sureshja, saumadan |
| ms.custom | enterprise-apps |
This page answers frequently asked questions about managing the certificates for apps using Microsoft Entra ID as an Identity Provider (IdP).
You can export all app registrations with expiring secrets, certificates, and their owners for the specified apps from your directory in a CSV file through PowerShell scripts.
You can find the steps here.
By default, the certificate that Microsoft Entra ID creates automatically during SAML single sign-on configuration expires three years after it's created. Because you can't change the expiration date of a certificate after you save it, you need to create a new certificate instead. For steps on how to do so, see Customize the expiration date for your federation certificate and roll it over to a new certificate.
Note
The recommended way to create SAML applications is through the Microsoft Entra Application Gallery, which automatically creates an X.509 certificate that is valid for three years.
Microsoft Entra ID sends an email notification 60, 30, and 7 days before the SAML certificate expires. You can add more than one email address to receive notifications.
Note
You can add up to five email addresses to the Notification list (including the email address of the admin who added the application). If more people need to be notified, use a distribution list email address.
To specify the emails you want the notifications to be sent to, see Add email notification addresses for certificate expiration.
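The following PowerShell script is an added example, not code from this page or from Microsoft, of the rollover and notification steps described above: it asks Microsoft Entra ID to generate a new SAML token-signing certificate with a custom (one-year) lifetime, exports the public certificate for the application side, sets the expiry notification list, and only then makes the new certificate the active one. It uses the Microsoft Graph PowerShell SDK; the enterprise app name, notification address, and output path are placeholders, and it assumes the SDK returns the certificate's public key as a byte array.

```powershell
# Added example (not from the page): roll a SAML signing certificate over to a new one
# with a custom expiration date and set the expiry notification list.
# Requires the Microsoft.Graph PowerShell SDK (Microsoft.Graph.Applications module).
Connect-MgGraph -Scopes "Application.ReadWrite.All"

$spDisplayName = "Contoso SAML App"          # placeholder: enterprise application name
$notifyList    = @("saml-admins@contoso.com") # placeholder: distribution list for expiry mail
$cerPath       = ".\new-saml-signing.cer"     # placeholder: where to save the public cert

$sp = Get-MgServicePrincipal -Filter "displayName eq '$spDisplayName'"
if (-not $sp) { throw "Service principal '$spDisplayName' not found" }

# 1. Generate a new self-signed signing certificate in Microsoft Entra ID.
#    displayName must start with "CN=". The default lifetime is three years;
#    here it is shortened to one year.
$newCert = Add-MgServicePrincipalTokenSigningCertificate `
    -ServicePrincipalId $sp.Id `
    -DisplayName "CN=$spDisplayName SAML Signing" `
    -EndDateTime (Get-Date).AddYears(1)

# 2. Export the public certificate so it can be uploaded to the application side.
#    Assumption: the SDK exposes the public key as byte[] (DER-encoded certificate).
[System.IO.File]::WriteAllBytes((Resolve-Path ".").Path + "\" + $cerPath, $newCert.Key)
Write-Host "New certificate $($newCert.Thumbprint) expires $($newCert.EndDateTime); public cert saved to $cerPath"

# 3. Set who receives the 60/30/7-day expiry notifications (up to five addresses).
Update-MgServicePrincipal -ServicePrincipalId $sp.Id -NotificationEmailAddresses $notifyList

# 4. Activate the new certificate. Do this only after the application side trusts the
#    new public certificate; until then, assertions signed with it are rejected there.
Update-MgServicePrincipal -ServicePrincipalId $sp.Id `
    -PreferredTokenSigningKeyThumbprint $newCert.Thumbprint

# 5. Show the signing certificates now attached to the service principal.
(Get-MgServicePrincipal -ServicePrincipalId $sp.Id -Property KeyCredentials).KeyCredentials |
    Where-Object Usage -eq 'Sign' |
    Select-Object DisplayName, StartDateTime, EndDateTime
```

Keep the old certificate on the service principal until the application side has confirmed it accepts assertions signed with the new one; the thumbprint in `PreferredTokenSigningKeyThumbprint` is what decides which certificate signs tokens, so the rollover moment is step 4, not step 1.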
You can't edit or customize the email notifications sent from [email protected]. However, you can export app registrations with expiring secrets and certificates through PowerShell scripts.
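As an added example of the export described here and earlier on this page (it is not the script the page links to), the following PowerShell lists every app registration credential that is expired or expires within 60 days, together with the application's owners, and writes the result to a CSV file. It uses the Microsoft Graph PowerShell SDK; the output path is a placeholder.

```powershell
# Added example (not the page's script): export app registrations with expiring
# certificates and secrets, plus their owners, to CSV.
# Requires the Microsoft.Graph PowerShell SDK.
Connect-MgGraph -Scopes "Application.Read.All", "User.Read.All"

$daysAhead = 60                                   # same window as the first expiry email
$outFile   = ".\ExpiringAppCredentials.csv"       # placeholder output path
$nowUtc    = (Get-Date).ToUniversalTime()
$cutoff    = $nowUtc.AddDays($daysAhead)

$apps = Get-MgApplication -All -Property Id, AppId, DisplayName, KeyCredentials, PasswordCredentials

$rows = foreach ($app in $apps) {
    # Owners come back as directory objects; a user's UPN is in AdditionalProperties.
    $owners = (Get-MgApplicationOwner -ApplicationId $app.Id -All | ForEach-Object {
        $upn = $_.AdditionalProperties['userPrincipalName']
        if ($upn) { $upn } else { $_.Id }
    }) -join ';'

    # Normalize certificates (keyCredentials) and secrets (passwordCredentials) into one list.
    $creds = @()
    $creds += $app.KeyCredentials | ForEach-Object {
        [pscustomobject]@{ Type = 'Certificate'; Name = $_.DisplayName; Id = $_.KeyId; End = $_.EndDateTime }
    }
    $creds += $app.PasswordCredentials | ForEach-Object {
        [pscustomobject]@{ Type = 'Secret'; Name = $_.DisplayName; Id = $_.KeyId; End = $_.EndDateTime }
    }

    # Keep credentials that are already expired or expire before the cutoff.
    foreach ($c in ($creds | Where-Object { $_.End -and $_.End.ToUniversalTime() -le $cutoff })) {
        $endUtc = $c.End.ToUniversalTime()
        [pscustomobject]@{
            ApplicationName = $app.DisplayName
            AppId           = $app.AppId
            CredentialType  = $c.Type
            CredentialName  = $c.Name
            KeyId           = $c.Id
            ExpiresUtc      = $endUtc.ToString('u')
            DaysRemaining   = [math]::Floor(($endUtc - $nowUtc).TotalDays)  # negative = already expired
            Owners          = $owners
        }
    }
}

$rows | Sort-Object ExpiresUtc | Export-Csv -Path $outFile -NoTypeInformation
Write-Host "$(@($rows).Count) expiring or expired credential(s) written to $outFile"
```

Rows with a negative `DaysRemaining` are credentials that have already expired but were never removed, which is worth cleaning up. Note that this enumerates app registrations; the signing certificate of a SAML enterprise application lives on its service principal, so to review those, run the same loop over `Get-MgServicePrincipal -All` and its `KeyCredentials`.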
The owner of the application or an Application Administrator can update the certificates through the Microsoft Entra admin center, PowerShell, or Microsoft Graph.
In Microsoft Entra ID, you can set up certificate signing options and the certificate signing algorithm. To learn more, see Advanced SAML token certificate signing options for Microsoft Entra apps.
The recommendation for the SAML single sign-on certificate depends on your organization's security requirements and policies. If your organization has an internal certificate authority (PKI), a certificate from that PKI can provide a higher level of security and trust, because you control and monitor its issuance.
If your organization doesn’t run its own certificate authority, get a certificate from a public certificate authority like DigiCert. Organizations trust these certificate authorities, and they follow strict security and validation rules to keep your apps secure.
I need to replace the certificate for Microsoft Entra application proxy applications and need more instructions
To replace certificates for Microsoft Entra application proxy applications, see PowerShell sample - Replace certificate in Application Proxy apps.
To configure an on-premises app to use a custom domain, you need a verified Microsoft Entra custom domain, a PFX certificate for the custom domain, and an on-premises app to configure. To learn more, see Custom domains in Microsoft Entra application proxy.
I need to update the token signing certificate on the application side. Where can I get it on Microsoft Entra ID side?
You can renew the SAML X.509 signing certificate.
You can find more details here.
To renew an application token encryption certificate, see How to renew a token encryption certificate for an enterprise application.
To renew an application token signing certificate, see How to renew a token signing certificate for an enterprise application.
To update Microsoft Entra ID after changing your federation certificates, see Renew federation certificates for Microsoft 365 and Microsoft Entra ID.
When you configure SSO on an enterprise app for the first time, Microsoft Entra ID provides a default SAML certificate that is used across Microsoft Entra ID. However, if you need to use the same certificate across multiple apps that aren't the default Microsoft Entra ones, use an external Certificate Authority and upload the PFX file. The reason is that Microsoft Entra ID doesn't provide access to the private keys of internally issued certificates.