Blog Post

Microsoft Entra Blog
2 MIN READ

Hey #AzureAD App Devs! We’re going to roll our certs on 5/23

Alex Simons (AZURE)'s avatar
Sep 07, 2018
First published on CloudBlogs on May, 12 2016
Howdy folks, As part of our commitment to protecting customer data, we periodically roll the certificates in Azure AD. Our next certificate rollover is coming 5/23/2016. If you followed our development best practices, this should have no impact on your app. But it's always best to be sure! So Brandon Werner, one of the PM's on our developer platform team has written a quick blog post below to help you make sure your app with keep working. Best Regards, Alex Simons (@Alex_A_Simons) Director of Program Management Microsoft Identity Division ------------------------------

Howdy everyone,

It's me, Brandon Werner, back with you again!.As part of our best practice of protecting customers data world wide, Azure Active Directory periodically rolls the certificates of the service. The Azure Active Directory authentication service will be performing a certificate rollover on 5/23. If you followed the development guidelines outlined below, you should experience no impact. We've included information below so you can review your applications and ensure they are following these best practices.

We do not expect any impact for:

         Any application which follows the best practices outlined here: https://msdn.microsoft.com/en-us/library/azure/dn641920.aspx

         Any application added from the Azure AD application gallery that has been configured to use SAML or WS-Federation. These applications follow separate rollover cycles and provide separate notifications.

There might be an impact to applications if:

The application takes a dependency on any of the endpoints listed below, but is not configured to automatically update the certificate from the metadata. Best practices on how to automatically update the certificate are outlined here: https://msdn.microsoft.com/en-us/library/azure/dn641920.aspx

Metadata Endpoints Updated

The following metadata endpoints have been updated to publish the new certificate:

         https://login.microsoftonline.com/{tenant}/FederationMetadata/2007-06/FederationMetadata.xml

         https://login.microsoftonline.com/{tenant}/discovery/keys

         https://login.microsoftonline.com/{tenant}/discovery/v2.0/keys

         https://login.microsoftonline.com/{tenant}/.well-known/openid-configuration

         https://login.microsoftonline.com/{tenant}/v2.0/.well-known/openid-configuration

         https://login.windows.net/{tenant}/FederationMetadata/2007-06/FederationMetadata.xml

         https://login.windows.net/{tenant}/discovery/keys

         https://login.windows.net/{tenant}/.well-known/openid-configuration

Token Issuance Endpoints Affected

Tokens issued over the following endpoint will switch to using the new certificate only on 5/23:

         https://login.microsoftonline.com/{tenant}/oauth2/v2.0/authorize

         https://login.microsoftonline.com/{tenant}/oauth2/v2.0/token

         https://login.microsoftonline.com/{tenant}/oauth2/authorize

         https://login.microsoftonline.com/{tenant}/oauth2/token

         https://login.microsoftonline.com/{tenant}/wsfed

         https://login.microsoftonline.com/{tenant}/saml2

         https://login.windows.net/{tenant}/oauth2/authorize

         https://login.windows.net/{tenant}/oauth2/token

         https://login.windows.net/{tenant}/wsfed

         https://login.windows.net/{tenant}/saml2

If you experience unusual behaviors, visit http://azure.microsoft.com/en-us/support/options/

Thanks,

Brandon

Published Sep 07, 2018
Version 1.0
No CommentsBe the first to comment