Entra ID Application Policies: Beware the Impact on SAML Signing Certificates
- Gabriel Delaney
- Sep 22
- 2 min read
Updated: Nov 11

Microsoft just made a long-requested improvement: you can now manage application policies for Entra ID applications directly in the portal. Things like certificate and secret age restrictions - previously the domain of the Graph API only - are now exposed in a friendly UI, as covered in many wonderful blog posts.
That’s good news. But before you start tightening lifespans on certificates, let me share a gotcha I haven’t seen mentioned anywhere else yet.
The Error You’ll See
When you set a shorter certificate lifetime (less than three years), SAML applications no longer automatically create signing certificates. Instead, you’ll see this error when saving the SSO config:
“Single sign-on configuration was saved successfully, but there was an issue creating the signing certificate. Please try creating it manually in SAML signing certificate.”

At first glance, it looks like a cert exists. In the app’s SAML Certificates blade, you’ll see an active token signing certificate with a five-year expiration - longer than the typical three years:

But if you download it, you’ll notice it’s not the Azure Federation SSO Signing Certificate. And if you check the IdP metadata? There’s no signing cert at all.

No signing certificate - there should be a token signing certificate node before the claims:

With a signing certificate:

Why This Matters
This can trip up admins because:
- The portal UI suggests a cert is present.
- The error message points you toward manual creation, but doesn’t explain why auto-creation failed.
- Unless you check the metadata, you may assume the app is ready to go - only to hit issues when your SAML integration tries to validate signatures.
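Checking the metadata is the step that actually tells you whether the app is healthy, so here is a small metadata check as an added example (not code from the original post or from Microsoft). It parses an IdP federation metadata document, looks for a KeyDescriptor with a signing certificate under the IDPSSODescriptor, and optionally compares the SHA-1 thumbprint of what it finds against the thumbprint the portal shows you. Both metadata documents below are constructed to match the two cases described above (no signing node at all, and a signing node before the endpoints); the tenant ID and the certificate body are placeholders, not a real tenant or a real X.509 certificate.

```python
"""Check Entra ID SAML federation metadata for a token-signing certificate.

Added example, not code from the original post or from Microsoft. The two
metadata documents are constructed; the certificate body is a placeholder
and the tenant ID is a placeholder.
"""
import base64
import hashlib
import xml.etree.ElementTree as ET
from typing import Optional

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}

# Constructed placeholder standing in for the base64 DER certificate body.
PLACEHOLDER_CERT_DER = b"constructed placeholder, not a real certificate"
PLACEHOLDER_CERT_B64 = base64.b64encode(PLACEHOLDER_CERT_DER).decode()
PLACEHOLDER_CERT_THUMBPRINT = hashlib.sha1(PLACEHOLDER_CERT_DER).hexdigest().upper()

# Constructed metadata shaped like the broken case: the IDPSSODescriptor goes
# straight to its endpoints with no KeyDescriptor (no signing certificate).
METADATA_WITHOUT_SIGNING_CERT = """<EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="https://sts.windows.net/TENANT-ID-PLACEHOLDER/">
  <IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://login.microsoftonline.com/common/saml2"/>
    <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://login.microsoftonline.com/common/saml2"/>
  </IDPSSODescriptor>
</EntityDescriptor>
"""

# Constructed healthy metadata: a KeyDescriptor use="signing" precedes the
# endpoints. The base64 text is wrapped across lines, as real metadata often is.
METADATA_WITH_SIGNING_CERT = f"""<EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="https://sts.windows.net/TENANT-ID-PLACEHOLDER/">
  <IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <KeyDescriptor use="signing">
      <KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
        <X509Data>
          <X509Certificate>
            {PLACEHOLDER_CERT_B64[:20]}
            {PLACEHOLDER_CERT_B64[20:]}
          </X509Certificate>
        </X509Data>
      </KeyInfo>
    </KeyDescriptor>
    <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://login.microsoftonline.com/common/saml2"/>
  </IDPSSODescriptor>
</EntityDescriptor>
"""


def signing_certificates(metadata_xml: str) -> list:
    """Return one dict per signing certificate declared on the IdP role.

    Each dict carries the KeyDescriptor 'use' and the SHA-1 thumbprint of the
    DER certificate, which is the thumbprint format the portal displays.
    """
    root = ET.fromstring(metadata_xml)
    certs = []
    for idp in root.iter(f"{{{NS['md']}}}IDPSSODescriptor"):
        for kd in idp.findall("md:KeyDescriptor", NS):
            # A KeyDescriptor without a 'use' attribute is valid for both
            # signing and encryption, so it counts as a signing key as well.
            use = kd.get("use", "signing and encryption")
            if use not in ("signing", "signing and encryption"):
                continue
            for node in kd.findall("ds:KeyInfo/ds:X509Data/ds:X509Certificate", NS):
                # Strip the line wrapping before decoding the base64 body.
                der = base64.b64decode("".join((node.text or "").split()))
                certs.append({
                    "use": use,
                    "sha1_thumbprint": hashlib.sha1(der).hexdigest().upper(),
                })
    return certs


def check_idp_metadata(metadata_xml: str, expected_thumbprint: Optional[str] = None) -> tuple:
    """Return (ok, message).

    ok is False when the metadata declares no signing certificate, or when an
    expected thumbprint (copied from the portal) matches none of them.
    """
    certs = signing_certificates(metadata_xml)
    if not certs:
        return False, "no signing certificate in IdP metadata; create one manually"
    if expected_thumbprint is not None:
        wanted = expected_thumbprint.replace(":", "").replace(" ", "").upper()
        if wanted not in {c["sha1_thumbprint"] for c in certs}:
            return False, f"{len(certs)} signing cert(s) in metadata, none matches {wanted}"
    return True, f"{len(certs)} signing certificate(s) found"


if __name__ == "__main__":
    for label, doc in (("without", METADATA_WITHOUT_SIGNING_CERT),
                       ("with", METADATA_WITH_SIGNING_CERT)):
        ok, msg = check_idp_metadata(doc)
        print(f"{label} signing node: ok={ok} ({msg})")
```

To use it against a real app, fetch the app's federation metadata XML, pass it to check_idp_metadata together with the thumbprint shown on the SAML Certificates blade, and treat a False result as "the app is not ready" even if the portal looks healthy.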
What To Do
- Know the trigger: This only happens when you restrict certificate lifetimes under three years.
- Be prepared: You’ll need to create the signing certificate manually in these cases.
- Don’t panic: This isn’t a reason to avoid application policies altogether. It’s just one of those “know before you deploy” details that could save hours of head-scratching later.
Takeaway
Application policies are a welcome addition to Entra ID, and they bring long-needed governance into the portal. Just be aware: when you shorten certificate lifespans, SAML apps won’t automatically generate signing certs anymore. If you don’t catch that, you’ll be left with an app that looks healthy in the portal but is broken in practice.