Users cannot log in if the AAD certificate has been rotated and AOS has not been restarted recently


AOS loads the AAD signing certificates during startup and doesn't refresh them afterwards. As a result, when AAD switches to signing certificates that were not known when AOS started, AOS stops trusting any authentication tokens and no users can log in to AX.

This issue can be worked around by restarting all the AOS instances.


The AOS binary update adds a process that regularly refreshes the list of trusted AAD certificates.
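
The failure mode and the fix described above, as an added example that is not Microsoft's AOS code: a trust store that loads signing keys only at startup next to one that reloads them on an interval. FakeIssuer, TrustStore, the key IDs and the one-hour interval are assumptions made for illustration, and HMAC with a shared secret stands in for certificate-based signature checks so the example needs only the standard library.

```python
import hashlib
import hmac
import time

class FakeIssuer:
    """Constructed stand-in for the identity provider and its published signing keys."""
    def __init__(self):
        self.rotate("key-1", b"secret-1")

    def rotate(self, kid, secret):
        self.current, self.keys = kid, {kid: secret}   # the previous key is retired

    def published_keys(self):
        return dict(self.keys)

    def issue(self, subject):
        sig = hmac.new(self.keys[self.current], subject.encode(), hashlib.sha256).hexdigest()
        return {"kid": self.current, "sub": subject, "sig": sig}

class TrustStore:
    """Validator-side key cache; refresh_interval=None models startup-only loading."""
    def __init__(self, issuer, refresh_interval=None, clock=time.monotonic):
        self.issuer, self.interval, self.clock = issuer, refresh_interval, clock
        self.refresh()                                 # initial load at startup

    def refresh(self):
        self.keys = self.issuer.published_keys()
        self.loaded_at = self.clock()

    def validate(self, token):
        if self.interval is not None and self.clock() - self.loaded_at >= self.interval:
            self.refresh()                             # periodic reload of trusted keys
        key = self.keys.get(token["kid"])
        if key is None:                                # signer unknown to this process
            return False
        expected = hmac.new(key, token["sub"].encode(), hashlib.sha256).hexdigest()
        return hmac.compare_digest(expected, token["sig"])

def demo():
    now = [0.0]                                        # fake clock, in seconds
    issuer = FakeIssuer()
    stores = [TrustStore(issuer, None, lambda: now[0]),    # startup-only loading
              TrustStore(issuer, 3600, lambda: now[0])]    # hourly refresh (assumed)
    before = [s.validate(issuer.issue("alice")) for s in stores]
    issuer.rotate("key-2", b"secret-2")                # issuer switches signing key
    now[0] = 7200.0                                    # two hours after startup
    after = [s.validate(issuer.issue("alice")) for s in stores]
    return before, after
```

`demo()` returns the validation results of both stores before and after the rollover; only the store created without a refresh interval rejects the token signed with the new key.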

More information

Note: This is a "FAST PUBLISH" article created directly from within the Microsoft support organization. The information contained herein is provided as-is in response to emerging issues. As a result of the speed in making it available, the materials may include typographical errors and may be revised at any time without notice. See Terms of Use for other considerations.