Azure AD token-signing certificate roll over

Last week Microsoft has send an email that on august 15th 2016 the Azure AD token-signing certificate would roll over and that I had some applications that is using this token-signing certificates. The list of applications contains all of them, this was not very useful.

Luckily there is a short step-by-step instruction with a link to a complete manual (

Because I manage a few Azure Active directories like many developers, this was going to give me some work.

While looking at the manual there was one nice line that not everything was affected by this roll over. Every application that is added from the Azure AD gallery, on-premises applications published via application proxy, applications in Azure AD B2C tenants, applications integrating with ACS or ADFS are not affected because they support auto certificate roll over J.

I found that I have implemented all my application with the necessary code to use the auto roll over and I did not have to make any changes in my code or configuration. That made me happy, it only costed me some time to check. To make sure all your applications will keep working, Microsoft created validation Cmdlets that is available on GitHub to check your application.

What I did find is that there where application in there I did not know. Two posts back (Start and Stop Azure VM with Azure Automation) I created an automation account, it turns out that this is also an application for Azure AD.

I also took the time to check if application where in the Active directory that where not in use anymore and cleaned it up.