Enterprise Mobility and Security Blog


Howdy folks,

As part of our commitment to protecting customer data, we periodically roll the certificates in Azure AD. Our next certificate rollover is coming 5/23/2016. If you followed our development best practices, this should have no impact on your app.

But it’s always best to be sure! So Brandon Werner, one of the PMs on our developer platform team, has written a quick blog post below to help you make sure your app will keep working.

Best Regards,

Alex Simons (@Alex_A_Simons)

Director of Program Management

Microsoft Identity Division

——————————

Howdy everyone,

It’s me, Brandon Werner, back with you again! As part of our best practice of protecting customer data worldwide, Azure Active Directory periodically rolls the certificates of the service. The Azure Active Directory authentication service will be performing a certificate rollover on 5/23. If you followed the development guidelines outlined below, you should experience no impact. We’ve included information below so you can review your applications and ensure they are following these best practices.

We do not expect any impact for:

         Any application which follows the best practices outlined here: https://msdn.microsoft.com/en-us/library/azure/dn641920.aspx

         Any application added from the Azure AD application gallery that has been configured to use SAML or WS-Federation. These applications follow separate rollover cycles and provide separate notifications.

There might be an impact to applications if:

The application takes a dependency on any of the endpoints listed below but is not configured to automatically update the certificate from the metadata. Best practices on how to automatically update the certificate are outlined here: https://msdn.microsoft.com/en-us/library/azure/dn641920.aspx
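As an added illustration (not Microsoft's code and not taken from the guidance linked above) of what "automatically update the certificate from the metadata" means in practice: a signing-key cache that selects the key by the token's kid and re-reads the discovery/keys document when it meets a kid it does not know, so the rolled certificate is picked up without redeploying. The JWKS documents, key IDs and the 300-second refresh throttle are constructed assumptions standing in for the live endpoint.

```python
import base64
import json
import time

# Constructed JWKS documents standing in for .../discovery/keys before and
# after a rollover (key IDs and key material are made up, not real keys).
JWKS_BEFORE = {"keys": [
    {"kty": "RSA", "use": "sig", "kid": "OLD-KEY-ID", "n": "<modulus omitted>", "e": "AQAB"},
]}
JWKS_AFTER = {"keys": [
    {"kty": "RSA", "use": "sig", "kid": "OLD-KEY-ID", "n": "<modulus omitted>", "e": "AQAB"},
    {"kty": "RSA", "use": "sig", "kid": "NEW-KEY-ID", "n": "<modulus omitted>", "e": "AQAB"},
]}

def jwt_kid(token):
    """Read 'kid' from the JWT header. The header is unverified input, so it is
    only used to pick a candidate key; the signature must still be checked."""
    header_b64 = token.split(".")[0]
    header_b64 += "=" * (-len(header_b64) % 4)  # restore base64url padding
    return json.loads(base64.urlsafe_b64decode(header_b64))["kid"]

def make_token(kid):
    """Build a constructed, unsigned JWT-shaped string carrying the given kid."""
    header = json.dumps({"alg": "RS256", "kid": kid}).encode()
    return base64.urlsafe_b64encode(header).rstrip(b"=").decode() + ".e30.sig"

class SigningKeyCache:
    """Signing keys indexed by kid, refreshed from metadata on an unknown kid,
    so a certificate rollover is picked up without a code or config change."""
    def __init__(self, fetch_jwks, min_refresh_seconds=300, clock=time.monotonic):
        self.fetch_jwks = fetch_jwks                    # returns the parsed JWKS dict
        self.min_refresh_seconds = min_refresh_seconds  # assumed throttle; spares the endpoint
        self.clock = clock
        self.keys = {}
        self.last_refresh = None
        self.refresh()

    def refresh(self):
        keys = self.fetch_jwks()["keys"]
        self.keys = {k["kid"]: k for k in keys if k.get("use", "sig") == "sig"}
        self.last_refresh = self.clock()

    def key_for(self, token):
        """Return the JWK to verify `token` with, or None if it must be rejected."""
        kid = jwt_kid(token)
        if kid not in self.keys and self.clock() - self.last_refresh >= self.min_refresh_seconds:
            self.refresh()  # unknown kid: re-read metadata to pick up the new certificate
        return self.keys.get(kid)
```

During the overlap window both the old and the new kid resolve, which is what lets tokens signed before and after the switch verify side by side.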

Metadata Endpoints Updated

The following metadata endpoints have been updated to publish the new certificate:

         https://login.microsoftonline.com/{tenant}/FederationMetadata/2007-06/FederationMetadata.xml

         https://login.microsoftonline.com/{tenant}/discovery/keys

         https://login.microsoftonline.com/{tenant}/discovery/v2.0/keys

         https://login.microsoftonline.com/{tenant}/.well-known/openid-configuration

         https://login.microsoftonline.com/{tenant}/v2.0/.well-known/openid-configuration

         https://login.windows.net/{tenant}/FederationMetadata/2007-06/FederationMetadata.xml

         https://login.windows.net/{tenant}/discovery/keys

         https://login.windows.net/{tenant}/.well-known/openid-configuration

Token Issuance Endpoints Affected

Tokens issued over the following endpoints will switch to using the new certificate only on 5/23:

         https://login.microsoftonline.com/{tenant}/oauth2/v2.0/authorize

         https://login.microsoftonline.com/{tenant}/oauth2/v2.0/token

         https://login.microsoftonline.com/{tenant}/oauth2/authorize

         https://login.microsoftonline.com/{tenant}/oauth2/token

         https://login.microsoftonline.com/{tenant}/wsfed

         https://login.microsoftonline.com/{tenant}/saml2

         https://login.windows.net/{tenant}/oauth2/authorize

         https://login.windows.net/{tenant}/oauth2/token

         https://login.windows.net/{tenant}/wsfed

         https://login.windows.net/{tenant}/saml2

If you experience unusual behaviors, visit http://azure.microsoft.com/en-us/support/options/

Thanks,

Brandon