Rotate an Office 365 signing certificate

Learn how to generate, update, and activate app-level signing certificates for Office 365 integrations.

SAML assertions sent from Okta to Office 365 are cryptographically signed using a signing certificate. If your active signing certificate expires, Microsoft rejects all SAML assertions, which blocks user access to Office 365 apps. To avoid service disruptions, ensure that you rotate your signing certificate before it expires, which involves generating and using a new certificate.

Office 365 app integrations created from version 2026.08.0 onward use app-level signing certificates. These certificates are limited in scope to the integration that they're created for, and are valid for 10 years.

Office 365 app integrations created before 2026.08.0 were configured to use org-level signing certificates, many of which are scheduled to expire in early 2027. To avoid service disruptions, you must update your Office 365 integration to use app-level certificates by completing the appropriate certificate rotation task for your app integration.

Table 1. Certificate rotation task by WS-Federation configuration mode
SSO configuration mode Task
WS-Federation Automatic Rotate an Office 365 signing certificate for WS-Federation Automatic
WS-Federation Manual using PowerShell Rotate an Office 365 signing certificate for WS-Federation Manual using PowerShell