Managing security certificates with PowerShell is a necessary skill in any enterprise that runs hybrid Azure AD: these certificates underpin device registration and directory synchronization.
Because of this, an expired certificate can cause several problems: broken device sync, authentication failures, inaccessible hybrid workloads, and rejected or delayed token issuance.
Different features you can use to manage expired certificates in Azure AD
There are different ways you can manage expired certificates in Azure AD. You can view the certificates of all your managed devices, renew certificates for Azure AD Connect or AD FS, and remove expired certificates.
You can also use the Windows Registry to validate certificate dependencies, GPOs to manage certificate auto-enrollment in all your managed devices, or CMD for certificate and sync troubleshooting.
📌 Prerequisites:
- You will need access to the server where Azure AD or AD FS is installed.
- You will need administrator privileges for both your local server and the Azure AD server.
- You need to have the following modules installed in Windows PowerShell:
  - AzureAD
  - MSOnline
  - AD FS
  - Hybrid Agent
- You should have access to the Certificate MMC snap-in and PowerShell.
- It’s recommended to have a trusted root and enterprise certificate authority in place if you’re issuing the certificates manually.
📌 Recommended deployment strategies:
| Method | 💻 Best for Individual Users | 💻💻💻 Best for Enterprises |
|---|---|---|
| Identify expired certificates via PowerShell | ✓ | |
| Renew certificates for Azure AD Connect | ✓ | |
| Renew certificates for AD FS (if used) | ✓ | |
| Remove expired certificates | ✓ | |
| Use the Registry to validate or trace certificate dependencies | ✓ | |
| Use Group Policy to manage certificate auto-enrollment | ✓ | |
| Use CMD for certificate and sync troubleshooting | ✓ | |
Identify expired certificates via PowerShell
This applies to the AD FS and Azure AD Connect servers. The first command lists the local machine certificates that have already expired, together with their expiration dates.
- Open the Start Menu and search for Windows PowerShell.
- Right-click Windows PowerShell > Run as administrator.
- Type this and press Enter:
```powershell
Get-ChildItem -Path Cert:\LocalMachine\My |
    Where-Object { $_.NotAfter -lt (Get-Date) } |
    Select-Object Subject, Thumbprint, NotAfter
```

To list expired Azure AD application certificates, sign in first, then walk each application's key credentials (-All $true avoids stopping at the first page of results):

```powershell
Connect-AzureAD
Get-AzureADApplication -All $true | ForEach-Object {
    Get-AzureADApplicationKeyCredential -ObjectId $_.ObjectId |
        Where-Object { $_.EndDate -lt (Get-Date) }
}
```

To check service principal credentials the same way:

```powershell
Get-AzureADServicePrincipal -All $true | ForEach-Object {
    Get-AzureADServicePrincipalKeyCredential -ObjectId $_.ObjectId |
        Where-Object { $_.EndDate -lt (Get-Date) }
}
```
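The commands above only surface credentials that have already expired; for a scheduled check you usually want warning ahead of time. The following is an added example (not from the original article) that reports local and Azure AD certificates expiring within a chosen window in one list; Get-ExpiringCertificateReport is a name chosen here, and the Azure AD part assumes an existing Connect-AzureAD session.

```powershell
# Added example, not from the original article: a scheduled-check friendly report of
# certificates that are already expired or will expire within $DaysAhead days.
# Assumes the AzureAD module is loaded and Connect-AzureAD has been run when -IncludeAzureAD is used.
function Get-ExpiringCertificateReport {
    [CmdletBinding()]
    param(
        [int]$DaysAhead = 30,      # warn this many days before the certificate's NotAfter
        [switch]$IncludeAzureAD    # also walk application and service principal key credentials
    )
    $now    = Get-Date
    $cutoff = $now.AddDays($DaysAhead)

    # Same row shape for local and cloud sources so the output can be sorted or exported as one list
    $row = {
        param($Source, $Name, $Id, $Expires)
        [pscustomobject]@{
            Source     = $Source
            Name       = $Name
            Identifier = $Id
            Expires    = $Expires
            Status     = if ($Expires -lt $now) { 'EXPIRED' } else { "Expires in $([int]($Expires - $now).TotalDays) days" }
        }
    }

    # Local machine personal store, where AD FS and Azure AD Connect keep their certificates
    Get-ChildItem -Path Cert:\LocalMachine\My |
        Where-Object { $_.NotAfter -lt $cutoff } |
        ForEach-Object { & $row 'LocalMachine\My' $_.Subject $_.Thumbprint $_.NotAfter }

    if ($IncludeAzureAD) {
        # -All $true: without it only the first page of objects is returned
        foreach ($app in Get-AzureADApplication -All $true) {
            Get-AzureADApplicationKeyCredential -ObjectId $app.ObjectId |
                Where-Object { $_.EndDate -lt $cutoff } |
                ForEach-Object { & $row 'AzureAD Application' $app.DisplayName $_.KeyId $_.EndDate }
        }
        foreach ($sp in Get-AzureADServicePrincipal -All $true) {
            Get-AzureADServicePrincipalKeyCredential -ObjectId $sp.ObjectId |
                Where-Object { $_.EndDate -lt $cutoff } |
                ForEach-Object { & $row 'AzureAD ServicePrincipal' $sp.DisplayName $_.KeyId $_.EndDate }
        }
    }
}

# Everything expiring within 45 days, soonest first; pipe to Export-Csv to feed an alerting job
Get-ExpiringCertificateReport -DaysAhead 45 -IncludeAzureAD | Sort-Object Expires | Format-Table -AutoSize
```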
Renew certificates for Azure AD Connect
- Log in to your organization’s Azure AD server.
- Open the Start Menu and search for Windows PowerShell.
- Right-click Windows PowerShell > Run as administrator.
- Type Start-ADSyncSyncCycle -PolicyType Initial and press Enter. This will trigger a full (initial) synchronization, meaning your system will read and reapply all sync rules and data.
Now, you can renew the certificates of your managed devices.
If you’re using the Azure AD GUI:
- Open Azure AD Connect.
- Click Configure > Manage Certificates.
- Select Renew Certificates.
- Follow the prompts and verify the sync.
If you’re using Windows PowerShell:
- Open the Start Menu and search for Windows PowerShell.
- Right-click Windows PowerShell > Run as administrator.
- Type this command and press Enter:
```powershell
# Pick the newest still-valid certificate for your domain; -First 1 avoids passing an array of thumbprints
$cert = Get-ChildItem -Path Cert:\LocalMachine\My |
    Where-Object { $_.Subject -like "*yourdomain.com*" -and $_.NotAfter -gt (Get-Date) } |
    Sort-Object NotAfter -Descending | Select-Object -First 1
Set-ADSyncCertificate -Thumbprint $cert.Thumbprint
```
Change “yourdomain.com” to your domain.
💡 Note: You may need to write a custom script for this, depending on your custom configuration. Alternatively, you can renew the certificates using the Azure AD GUI.
Renew certificates for AD FS (if used)
- Open the Start Menu and search for Windows PowerShell.
- Right-click Windows PowerShell > Run as administrator.
- To export and bind a new certificate, type this and press Enter:
```powershell
Set-AdfsSslCertificate -Thumbprint 'NEW_CERT_THUMBPRINT'
Set-AdfsCertificate -CertificateType Service-Communications -Thumbprint 'NEW_CERT_THUMBPRINT'
```
- To update the token-signing and token-decrypting certificates, type this and press Enter:
```powershell
# Update-AdfsCertificate only works when AutoCertificateRollover is enabled;
# with rollover disabled, the replacement certificate is added with Add-AdfsCertificate instead
Update-AdfsCertificate -CertificateType Token-Signing
Update-AdfsCertificate -CertificateType Token-Decrypting
```
- Force your configuration to reload by typing Restart-Service adfssrv and pressing Enter.
- To verify that the certificates have been renewed, type the following commands:
```powershell
Get-AdfsSslCertificate
Get-AdfsCertificate
```
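Before binding, it is worth confirming that the certificate behind NEW_CERT_THUMBPRINT is actually usable by AD FS, since a bad binding takes the federation service down. This added example (not from the original article) checks the private key, validity window, chain, EKU and name coverage before calling the binding cmdlets; Test-AdfsCertificateCandidate is a name chosen here, and it assumes the ADFS module is loaded on the server.

```powershell
# Added example, not from the original article: sanity-check a candidate certificate
# before handing its thumbprint to Set-AdfsSslCertificate / Set-AdfsCertificate.
# Assumes the ADFS module is available; the federation service name defaults to the
# current one from Get-AdfsProperties.
function Test-AdfsCertificateCandidate {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)][string]$Thumbprint,
        [string]$FederationServiceName = (Get-AdfsProperties).HostName
    )
    # Tolerate thumbprints pasted with spaces or colons from the MMC snap-in
    $Thumbprint = ($Thumbprint -replace '[^0-9A-Fa-f]', '').ToUpper()
    $cert = Get-Item -Path "Cert:\LocalMachine\My\$Thumbprint" -ErrorAction SilentlyContinue
    if (-not $cert) { throw "No certificate with thumbprint $Thumbprint in LocalMachine\My" }

    $now = Get-Date
    # -like lets a wildcard SAN such as *.contoso.com match sts.contoso.com
    $coversName = @($cert.DnsNameList.Unicode | Where-Object { $FederationServiceName -like $_ }).Count -gt 0

    $checks = [ordered]@{
        'Private key present in this store' = $cert.HasPrivateKey
        'Validity period has started'       = $cert.NotBefore -le $now
        'Not expired'                       = $cert.NotAfter -gt $now
        'Chain builds to a trusted root'    = $cert.Verify()
        'Server Authentication EKU'         = $cert.EnhancedKeyUsageList.ObjectId -contains '1.3.6.1.5.5.7.3.1'
        "Covers $FederationServiceName"     = $coversName
    }
    foreach ($c in $checks.GetEnumerator()) {
        $mark = if ($c.Value) { 'PASS' } else { 'FAIL' }
        Write-Host ("[{0}] {1}" -f $mark, $c.Key)
    }
    return -not ($checks.Values -contains $false)
}

# Gate the binding on the checks; the thumbprint below is a placeholder
$new = 'NEW_CERT_THUMBPRINT'
if (Test-AdfsCertificateCandidate -Thumbprint $new) {
    Set-AdfsSslCertificate -Thumbprint $new
    Set-AdfsCertificate -CertificateType Service-Communications -Thumbprint $new
} else {
    Write-Warning 'Certificate failed pre-flight checks; AD FS binding left unchanged.'
}
```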
Remove expired certificates
- Open the Start Menu and search for Windows PowerShell.
- Right-click Windows PowerShell > Run as administrator.
- To remove the expired certificates from the local machine, type this command and press Enter:
```powershell
# Preview first by appending -WhatIf to Remove-Item, then run it without
Get-ChildItem -Path Cert:\LocalMachine\My |
    Where-Object { $_.NotAfter -lt (Get-Date) } |
    Remove-Item
```
- To remove the expired certificates from the Azure AD app, type this and press Enter:
```powershell
# Select the application whose expired credentials you want to remove (placeholder object ID)
$app = Get-AzureADApplication -ObjectId 'APP_OBJECT_ID'
$expiredCerts = Get-AzureADApplicationKeyCredential -ObjectId $app.ObjectId |
    Where-Object { $_.EndDate -lt (Get-Date) }
foreach ($cert in $expiredCerts) {
    Remove-AzureADApplicationKeyCredential -ObjectId $app.ObjectId -KeyId $cert.KeyId
}
```
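Deleting expired certificates outright loses the backup that the considerations later in this article recommend, and an expired token-signing certificate may still be the one AD FS is bound to. This added example (not from the original article) exports each expired certificate first and refuses to remove any thumbprint a service still references; Remove-ExpiredLocalCertificate and the C:\CertBackup path are choices made here.

```powershell
# Added example, not from the original article: export every expired certificate
# before removing it, and refuse to touch any that a service still references.
# Assumes the PKI module (Export-Certificate) and, on an AD FS server, the ADFS module.
function Remove-ExpiredLocalCertificate {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)][string]$BackupPath,
        [string[]]$ProtectedThumbprint = @()   # thumbprints still bound to a service; never removed
    )
    New-Item -ItemType Directory -Path $BackupPath -Force | Out-Null
    $expired = Get-ChildItem -Path Cert:\LocalMachine\My | Where-Object { $_.NotAfter -lt (Get-Date) }

    foreach ($cert in $expired) {
        $label = "$($cert.Subject) [$($cert.Thumbprint)]"
        if ($ProtectedThumbprint -contains $cert.Thumbprint) {
            Write-Warning "Skipping $($label): still referenced by a service; rebind it first"
            continue
        }
        # Public certificate only (.cer); the private key, if any, stays in the store until removal
        $file = Join-Path $BackupPath "$($cert.Thumbprint).cer"
        Export-Certificate -Cert $cert -FilePath $file -Force | Out-Null
        if ($PSCmdlet.ShouldProcess($label, 'Remove from Cert:\LocalMachine\My')) {
            Remove-Item -Path $cert.PSPath
        }
    }
}

# On an AD FS server: certificates it is currently bound to, removed only after rebinding
$bound = @((Get-AdfsSslCertificate).CertificateHash) + @((Get-AdfsCertificate).Thumbprint)

# Dry run first, then the real removal
Remove-ExpiredLocalCertificate -BackupPath 'C:\CertBackup' -ProtectedThumbprint $bound -WhatIf
Remove-ExpiredLocalCertificate -BackupPath 'C:\CertBackup' -ProtectedThumbprint $bound
```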
Use the Registry to validate or trace certificate dependencies
You can use the Windows Registry to correlate certificates with specific services and track if there are certificates that need renewing.
- Open the Start Menu and search for Registry Editor to open the program.
- Navigate to the key for the service you want to verify. For example, to check that the AD FS certificate is bound properly, navigate to:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\ADFS\Parameters
- The CertificateHash value should contain the thumbprint of the certificate you expect to be bound.
- Or, to verify the Azure AD Connect service account certificate mapping, go to HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\ADSync.
- Again, the CertificateHash value should contain the expected thumbprint.
These are example situations; the exact path and value name will vary with your environment.
Use Group Policy to manage certificate auto-enrollment
You can use this to push renewed certificates to hybrid devices and servers automatically.
- Open the Start Menu and search for Edit Group Policy to open the program.
- Navigate to Computer Configuration > Windows Settings > Security Settings > Public Key Policies.
- Double-click Certificate Services Client – Certificate Enrollment Policy.
- Set it to Enabled.
- Tick Renew expired certificates, update pending certificates, and remove revoked certificates.
- Tick Update certificates that use certificate templates.
- Click OK > Apply.
Use CMD for certificate and sync troubleshooting
You can use these commands during certificate troubleshooting or after configuration changes.
- Open the Start Menu and search for Command Prompt.
- Right-click Command Prompt > Run as administrator.
- To check the sync health of Azure AD Connect, type sc query ADSync and press Enter.
- To check the installed certificates, type certutil -store my and press Enter.
- To force a GPO update and a certificate policy refresh, type this and press Enter:
```cmd
gpupdate /force
certutil -pulse
```
⚠️ Troubleshooting/Things to look out for
| Issue/Risk | Potential Consequences | Fix/Reversals |
|---|---|---|
| The sync fails after renewal. | The certificate will not be updated. | Restart the sync service using Windows PowerShell and verify your connector configuration. |
| You experience Azure login errors. | You will not be able to log in. | Confirm that certificates are properly bound using the Windows Registry. |
| You’re told that the federation data is incorrect or incomplete. | You will not be able to access different services on different platforms using your existing credentials. | Confirm AD FS certificates are correctly set with Set-AdfsSslCertificate using Windows PowerShell. |
| You experience the “Permission Denied” error. | You will not be able to do your tasks. | Make sure that the account you’re using to manage keys and services is correct. |
Additional considerations when managing expired certificates in hybrid Azure AD
- Always verify that the new certificates are trusted by Azure AD and all your local servers before implementing them.
- Schedule alerts using Windows PowerShell or NinjaOne to tell you when certificates are about to expire.
- For MSPs working with multiple tenants, make sure that all your hybrid servers are registered to the appropriate client application.
- Always export and store your certificates in a secure location before replacing or deleting them.
NinjaOne services
NinjaOne can assist IT administrators in strengthening hybrid certificate management through:
- Automated scripting – PowerShell scripts can be deployed to scan for expired certificates and renew them automatically.
- Alerting and monitoring – Administrators can set up an alert to remind them when certificates are about to expire.
- Registry key validation – You can pull registry data to track the certificate binding status of your hybrid agents.
- Service verification – Administrators can generate reports on the service health of AD FS or Azure AD Connect and set them to focus on certificate issues.
- Centralized dashboard – You can monitor hybrid identity certificates across all your client environments.
Manage local machine certificates in hybrid Azure AD
It’s critical to properly manage certificates in a hybrid Azure AD setup and ensure that all certificates are kept up-to-date. This will ensure uninterrupted authentication, directory synchronization, and secure application communication.