This post is a follow-up from our previous announcement of the Azure Active Directory certificate rollover.
Continuing on our commitment to protect our customer’s data and building on the momentum of this August 15, 2016 rollover, we will be increasing the frequency with which we roll over Azure Active Directory’s global signing keys (previously referred to as “the Azure Active Directory certificates”).
What does the frequency increase mean for applications?
- For applications that support automatic rollover, this frequency increase will have no impact on your application.
- For applications that do not support automatic rollover you will have to establish a process to periodically monitor the keys and perform a manual rollover.
The next rollover, scheduled to start on October 10, 2016, is the last rollover we will be announcing.
Going forward, there will not be any announcements and we will only go through the usual steps of making new key available in the metadata and then gradually switching over using that new key. As outlined above, applications that support automatic rollover will seamlessly handle this while applications with the monitoring process will perform a manual rollover when the new key is available.
The guidance for assessing impact remains the same as that from our August rollover.
We do not expect any impact for:
- Applications that support automatic rollover as per our best practices
- Client applications
- Applications added from the Azure Active Directory App Gallery (including “Custom”)
- On-premises applications published via Application Proxy
- Applications in Azure Active Directory B2C tenants
Put simply, if your application was not impacted by the August rollover, it will not be impacted by the October rollover or any subsequent rollovers.
Application impact
The applications take a dependency on the signing key and are not configured to automatically update the key from the metadata. Follow the information below to assess the impact of the rollover to your applications and how to update them to handle the key rollover if necessary.
- Sign in to the Azure classic portal using an administrator account.
- Under the Active Directory tab, select your directory.
- Select Applications my company owns from the Show dropdown menu then click the checkmark at the right to apply the filter.
- Review each of the applications listed using the guidelines on the Signing key rollover in Azure Active Directory documentation and make the recommended changes if required.
If you experience unusual behaviors please contact Azure Support.