Enterprise app registration

Why is it a problem if an enterprise app is registered with a certificate long validity (20 years for example)?

There are a couple of issues with vendors and developers who ‘secure’ the communications between their components and Microsoft Entra using certificates with long validity periods, such as 20 years.

Recommended practices

Microsoft recommends using certificates rather than client secrets for Entra applications, and recommends obtaining those certificates from a trusted certification authority (CA).

However, when using a CA that is a member of the Certification Authority/Browser (CA/B) Forum (which most publicly trusted CAs are), you are bound to a maximum certificate validity period of 397 days, which will be gradually shortened to 47 days in the coming years.

These are the validity periods to follow, even if your in-house certification authority or self-signed certificates allow longer ones. That way, you minimize the following risks:

The risk of compromised certificates

The reasoning behind shortening certificate lifetimes is security. Longer validity periods mean key pairs remain in use for longer. If a key pair is compromised, adversaries can potentially authenticate with the certificate for the remainder of its validity period, because Entra does not check the revocation status of a certificate.

It takes only one vulnerability in code, at the vendor (or at one or more organizations in its supply chain) or in Entra, to compromise a certificate. If this goes unnoticed, communications with Entra might be at risk for years to come.

Shorter validity periods and regularly refreshed certificates reduce this risk.

The risk of successful collision attacks

Typical certificates in use today also run the risk of collision attacks. This is especially true for certificates using RSA with 2048-bit keys.

keylength.com, which collects key-length recommendations from several bodies, already recommends 3072-bit keys for certificates, and recommends that key lengths should definitely increase over time to stay ahead of collision attacks. A certificate with a 20-year validity period would definitely be at risk in the 2040s.

New certificates adhering to the future’s standards reduce this risk.

The risk of quantum computing

Quantum computing, on the other hand, may show even greater potential for compromising certificate encryption. Post-quantum cryptography recommendations today already include moving away from RSA-based certificates. Breaking encryption with quantum computers may not be a viable strategy today, but it might well be in the 2040s.

New certificates adhering to the future’s standards reduce this risk.

The risk of non-adherence to policy

Entra’s application management policies allow admins to set maximum validity periods for certificates assigned to application registrations. However, the policy is only applied:

  • When the application registration is created
  • When the certificate is renewed

With a 20-year validity period, the chance that the application management policy for certificate lifetime is ever hit is zero. This can lead to a green dashboard light while, in reality, the certificate poses a significant risk.

Shorter validity periods and regularly refreshed certificates ensure that policies are adhered to.
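Because the policy only fires at creation or renewal, the practical check is to audit the certificates that are already attached to application registrations. The script below is an added example, not code from the original article or from Microsoft; it works on the JSON shape that Microsoft Graph returns for `GET /v1.0/applications?$select=id,displayName,createdDateTime,keyCredentials`, compares each certificate's validity against an `asymmetricKeyLifetime` restriction from the tenant app management policy, and reports whether the policy's `restrictForAppsCreatedAfterDateTime` cut-off would have covered the app at all. The application data and policy values are constructed sample input, not real tenant data.

```python
"""Audit Entra app-registration certificates for over-long validity.

Added example, not part of the original article. Input has the shape of a
Microsoft Graph /applications response (keyCredentials with startDateTime and
endDateTime). All sample values below are constructed.
"""
from datetime import datetime, timedelta
import re

# Constructed sample in the shape of a Graph /applications response.
SAMPLE_APPS = [
    {
        "id": "00000000-0000-0000-0000-000000000001",
        "displayName": "legacy-sync-connector",
        "createdDateTime": "2019-03-10T08:00:00Z",
        "keyCredentials": [
            {
                "keyId": "11111111-1111-1111-1111-111111111111",
                "displayName": "CN=legacy-sync",
                "type": "AsymmetricX509Cert",
                "usage": "Verify",
                "startDateTime": "2019-03-10T08:00:00Z",
                "endDateTime": "2039-03-10T08:00:00Z",   # 20-year certificate
            }
        ],
    },
    {
        "id": "00000000-0000-0000-0000-000000000002",
        "displayName": "billing-export",
        "createdDateTime": "2024-06-01T09:30:00Z",
        "keyCredentials": [
            {
                "keyId": "22222222-2222-2222-2222-222222222222",
                "displayName": "CN=billing-export",
                "type": "AsymmetricX509Cert",
                "usage": "Verify",
                "startDateTime": "2024-06-01T09:30:00Z",
                "endDateTime": "2025-05-31T09:30:00Z",   # just under one year
            }
        ],
    },
]

# Constructed keyCredentials restriction, mirroring the asymmetricKeyLifetime
# entry of a tenant default app management policy.
SAMPLE_POLICY = {
    "restrictionType": "asymmetricKeyLifetime",
    "maxLifetime": "P397D",
    "restrictForAppsCreatedAfterDateTime": "2024-01-01T00:00:00Z",
}

_DURATION_RE = re.compile(r"^P(?:(\d+)Y)?(?:(\d+)M)?(?:(\d+)D)?$")


def parse_graph_datetime(value: str) -> datetime:
    """Graph emits ISO 8601 UTC timestamps with a trailing Z."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def parse_iso_duration(value: str) -> timedelta:
    """Parse the ISO 8601 duration subset used for maxLifetime (e.g. P397D).
    Years and months are approximated as 365 and 30 days, which is adequate
    for comparing against a lifetime cap."""
    m = _DURATION_RE.match(value)
    if not m:
        raise ValueError(f"unsupported duration: {value}")
    years, months, days = (int(g) if g else 0 for g in m.groups())
    return timedelta(days=years * 365 + months * 30 + days)


def certificate_lifetime(cred: dict) -> timedelta:
    """Validity period of one keyCredentials entry."""
    return parse_graph_datetime(cred["endDateTime"]) - parse_graph_datetime(cred["startDateTime"])


def policy_covers_app(app: dict, policy: dict) -> bool:
    """The lifetime restriction applies only to apps created after the policy
    cut-off (and only at creation or renewal), so older registrations with
    long-lived certificates never trip it."""
    cutoff = parse_graph_datetime(policy["restrictForAppsCreatedAfterDateTime"])
    return parse_graph_datetime(app["createdDateTime"]) > cutoff


def audit(apps: list, policy: dict) -> list:
    """Return one finding per X.509 certificate whose validity exceeds the cap."""
    max_lifetime = parse_iso_duration(policy["maxLifetime"])
    findings = []
    for app in apps:
        for cred in app.get("keyCredentials", []):
            if cred.get("type") != "AsymmetricX509Cert":
                continue
            lifetime = certificate_lifetime(cred)
            if lifetime > max_lifetime:
                findings.append({
                    "app": app["displayName"],
                    "keyId": cred["keyId"],
                    "lifetime_days": lifetime.days,
                    "covered_by_policy": policy_covers_app(app, policy),
                })
    return findings


if __name__ == "__main__":
    for f in audit(SAMPLE_APPS, SAMPLE_POLICY):
        print(f"{f['app']}: key {f['keyId']} valid for {f['lifetime_days']} days; "
              f"policy would have applied: {f['covered_by_policy']}")
```

Run against a real export by replacing `SAMPLE_APPS` with the `value` array of the Graph response; the `covered_by_policy` flag is the useful part, since a finding with `False` is exactly the case the article describes: a certificate the dashboard will never flag because the registration predates the policy.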