Updating signing certificate causes interruption in Entra ID Custom Controls

Applies to:
  • SecureAuth Identity Platform
  • Legacy SecureAuth IdP

Deployment model:
  • Cloud
  • Hybrid
  • On Premises

Version affected: [All Versions]

Description:

Conditional Access Custom Controls in Entra ID returns the error below after the signing certificate is updated.

Error code: AADSTS500276
Error message: AADSTS500276: Token presented by external identity provider has failed signature validation [Reason - The key was not found., Thumbprint of key used by client: 'XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXCXXXX', Please visit the Azure Portal, Graph Explorer or directly use MS Graph to see configured keys for app Id '00000000-0000-0000-0000-000000000000'. Review the documentation at https://docs.microsoft.com/en-us/graph/deployments to determine the corresponding service endpoint and https://docs.microsoft.com/en-us/graph/api/application-get?view=graph-rest-1.0&tabs=http to build a query request URL, such as 'https://graph.microsoft.com/beta/applications/00000000-0000-0000-0000-000000000000']. Trace ID: 00000000-0000-1234-5678-123456789012 Correlation ID: 000000000-0000-1234-5678-123456789012 Timestamp: 2025-05-13 00:00:00Z


Cause:

Entra ID may cache the JWKS response it fetched from the realm's discovery URL, and with it the old token signing certificate. Tokens signed with the new certificate are then checked against that cached key set, where the new key is not found, so signature validation fails. If waiting for the cached response to expire is not an option, follow the workaround provided below.
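A check that follows from the cause above, added here as an example (not SecureAuth's or Microsoft's code): it parses the thumbprint out of an AADSTS500276 message and compares it with the keys the realm's JWKS endpoint currently serves, to tell a stale Entra ID cache apart from a realm that is not publishing its new certificate at all. The certificate bytes, JWKS and error text are constructed; the script assumes the JWKS carries `x5c` or `x5t` entries, and fetching the live JWKS from the discovery URL's `jwks_uri` is left to the caller.

```python
import base64
import hashlib
import re

# Constructed stand-ins for certificate DER bytes (not real certs): both are published
# SHA-1 test vectors, so the "new" thumbprint is 2FD4E1C67A2D28FCED849EE1BB76E7391B93EB12.
NEW_CERT_DER = b"The quick brown fox jumps over the lazy dog"
OLD_CERT_DER = b"abc"

# Constructed JWKS, shaped like what a realm's jwks_uri serves after the certificate swap.
SAMPLE_JWKS = {"keys": [
    {"kty": "RSA", "use": "sig", "alg": "RS256", "kid": "new-cert",
     "x5c": [base64.b64encode(NEW_CERT_DER).decode()]},
    {"kty": "RSA", "use": "sig", "alg": "RS256", "kid": "old-cert",
     "x5t": base64.urlsafe_b64encode(hashlib.sha1(OLD_CERT_DER).digest()).rstrip(b"=").decode()},
]}

# Constructed AADSTS500276 text in the shape quoted above, carrying the new cert's thumbprint.
SAMPLE_ERROR = ("AADSTS500276: Token presented by external identity provider has failed signature "
                "validation [Reason - The key was not found., Thumbprint of key used by client: "
                "'2FD4E1C67A2D28FCED849EE1BB76E7391B93EB12', Please visit the Azure Portal ... "
                "for app Id '00000000-0000-0000-0000-000000000000'.")

def parse_aadsts500276(msg: str) -> dict:
    """Extract the thumbprint Entra ID saw on the token and the app id it validated against."""
    thumb = re.search(r"Thumbprint of key used by client: '([^']+)'", msg)
    app = re.search(r"app Id '([^']+)'", msg)
    if not (thumb and app):
        raise ValueError("not an AADSTS500276 message with a thumbprint and app id")
    return {"thumbprint": thumb.group(1).upper(), "app_id": app.group(1)}

def published_thumbprints(jwks: dict) -> set:
    """SHA-1 thumbprints (upper-case hex) of every cert in a JWKS: recomputed from x5c where
    present, so a mislabelled x5t cannot mislead, and decoded from x5t otherwise."""
    thumbs = set()
    for key in jwks.get("keys", []):
        for cert_b64 in key.get("x5c", []):
            thumbs.add(hashlib.sha1(base64.b64decode(cert_b64)).hexdigest().upper())
        if "x5t" in key:
            x5t = key["x5t"]
            thumbs.add(base64.urlsafe_b64decode(x5t + "=" * (-len(x5t) % 4)).hex().upper())
    return thumbs

def diagnose(error_msg: str, live_jwks: dict) -> str:
    """'stale-cache': the realm publishes the key Entra ID rejected, so Entra ID validated
    against an older cached JWKS (the cause above). 'not-published': the token was signed
    with a cert the realm does not publish, which this article's workaround does not fix."""
    thumb = parse_aadsts500276(error_msg)["thumbprint"]
    return "stale-cache" if thumb in published_thumbprints(live_jwks) else "not-published"
```

Run `diagnose` against the JWKS fetched from the realm's live `jwks_uri`; a "stale-cache" result is the situation this article describes, while "not-published" points at the realm's own certificate configuration instead.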


Workaround:

Update the discovery URL in the Custom Control configuration. To do so:

1. Create a new Custom Controls realm in SecureAuth IdP, or create an alias for the existing realm, and configure it with the new signing certificate.
2. Have the new realm/alias whitelisted in SecureAuth's Entra ID tenant. This takes effect immediately.
3. Create a new Custom Control configuration in Entra ID that uses the newly created realm/alias.
4. Create a new Conditional Access policy with the new Custom Control and assign the policy to a few test users.
5. Test thoroughly with the test user accounts.
6. Once testing is complete, update all your Entra ID Conditional Access policies that use the Custom Control to use the new Custom Control configuration.

Steps 1-5 can be performed in advance, and the switchover to the new Custom Control can be done during a maintenance window.


SecureAuth Knowledge Base Articles provide information based on specific use cases and may not apply to all appliances or configurations. Be advised that these instructions could cause harm to the environment if not followed correctly or if they do not apply to the current use case.

Customers are responsible for their own due diligence prior to utilizing this information and agree that SecureAuth is not liable for any issues caused by misconfiguration directly or indirectly related to SecureAuth products.
