Is it possible to update SAML token signing certificate via PowerShell in Azure AD?

New Contributor



We've 200+ SAML based apps federated with our Azure AD tenant. We are using a common cert for SAML token signing for all these apps. Cert is due for renewal by end of this year.


Does someone know if there's any way to update SAML token signing certificate via PowerShell instead of doing it on the portal which is a tedious task? I did google but couldn't find anything helpful.





8 Replies

@Gerald_Glen this is something we're actively working on now. We hope to have good news for you by the end of June.

Thanks @Luis Leon Plata , looking forward to hear it soon...


A dumb question but is this in a BYOK scenario for in the tenant? 

Hey @Gerald_Glen - We have you can manage your key credentials now using APIs. I think it also works for PowerShell but I haven't tried personally. Here is a doc on how to use the APIs:


I'm planning to do something similar but using PowerShell.




any new traction here? 

updating via powershell would be great. i'm actually more interested in reporting on the signing certificate and expiration dates so we can plan rotation with our 3 party vendors.


also to audit and make sure the notification address is our distro group.


I was able to accomplish this with the following:



(Get-AzureADServicePrincipal -Filter "displayName eq '$app_name'").keyCredentials | Where-Object {$_.Usage -eq "Sign"} |select EndDate



Where $app_name is the name of your AAD app.