How do I fix a 'certificate credential lifetime' related error while adding a trusted certificate to an existing App Registration?

Question

How do I fix a 'certificate credential lifetime' related error while adding a trusted certificate to an existing App Registration?

Dhiren Vispute 0 Microsoft Employee

Greetings all,

I am trying to add a trusted certificate (not self-signed) to an existing Azure App Registration from the 'Microsoft Entra Admin Center' portal. The certificate is issued by a trusted CA (MS OneCert) and has a lifetime of 1 month. My intent is to use the certificate for non-interactive/automatic Azure Authentication from a Windows 'service' application.

The addition attempt consistently fails with this error:

"Failed to add certificate. Error detail: Credential lifetime exceeds the max value allowed as per assigned policy '538f1913-366a-440a-95a0-e195cb55b282'."

CoPilot is unable to suggest a solution and recommends contacting support. The support page in turn needs a mandatory selection of a subscription and my subscription is not shown on the drop-down list even though I can manage my subscription just fine on the Azure Portal.

How do I go about adding the certificate to my App Registration?

Thanks!

DV

Pashikanti Kumar 1,640 Reputation points Microsoft External Staff Moderator

2025-11-20T19:29:42.4433333+00:00

Hi Dhiren Vispute,

Thank you for reaching out to Microsoft Q&A

The error "Credential lifetime exceeds the max value allowed as per assigned policy '538f1913-366a-440a-95a0-e195cb55b282'" occurs because your Azure AD tenant or organization has a conditional access or security policy restricting the maximum allowed validity period for credentials added to an App Registration. This policy enforces a maximum certificate lifetime for security reasons.

Check your organization's credential lifetime policy

·         This policy controls the maximum allowed expiry for client secrets or certificates on App Registrations.

·         The error suggests your certificate's 1-month lifetime exceeds the max allowed by policy (which might be lower or require stricter limits).

Use a shorter validity certificate for the App Registration

·         Generate or request a certificate with a lifetime within the allowed limits.

·         Check the policy documentation or from your Microsoft Entra tenant administrator what max lifetime is allowed.

Policy adjustment request

·         If your scenario requires longer lifetimes (e.g., 1 month or more), request your Microsoft Entra tenant administrator or security compliance team to amend or exclude your app registration from this policy.

·         This typically requires Microsoft support involvement if you do not have admin rights.

Use PowerShell/Azure CLI for certificate addition bypassing UI limits Sometimes the UI enforces stricter constraints than backend: You can add a cert with a lifetime up to 2 years via the CLI:

Example with Azure CLI:

text

az ad app credential reset --id <appId> --cert @cert.pem --start-date <startDate> --end-date <endDate>
Dhiren Vispute 0 Reputation points Microsoft Employee

2025-11-20T19:45:00.97+00:00
Hi @Pashikanti Kumar

Thanks for the detailed response :-)

I did try using the command line but ran into the exact same error. Dumping the policy details (using 'az rest --method GET --url "https://graph.microsoft.com/v1.0/policies/defaultAppManagementPolicy") shows a lifetime of 0 for certificate type credentials (potentially sensitive fields removed) for this specific policy:

"servicePrincipalRestrictions": {

"keyCredentials": [

{ "maxLifetime": "PT0S", "restrictionType": "asymmetricKeyLifetime", "state": "enabled" }

This is what is confusing me. My interpretation is that the 'PT0S' (seconds?) lifetime pretty much disables cert based auth. Is my interpretation correct?

In any case, how do I go about locating the right folks (with the requisite authority) to fix this? As mentioned earlier, I cannot file a support request from the Entra portal as my subscription is not shown in the drop down list.

Thanks!

/DV
Shubham Sharma 2,200 Reputation points Microsoft External Staff Moderator

2025-11-21T19:25:29.19+00:00

Hello Dhiren Vispute

Thank you for the response. we will check internally and get back to you shortly.
Dhiren Vispute 0 Reputation points Microsoft Employee

2025-11-21T22:39:04.6666667+00:00

Per an internal response, apparently this mechanism has been disabled going forward and the recommended option is to use 'SN + I' auth instead. Please consider this question as 'answered'.

Your answer

Pashikanti Kumar 1,640 Reputation points Microsoft External Staff Moderator

2025-11-20T19:29:42.4433333+00:00

Hi Dhiren Vispute,

Thank you for reaching out to Microsoft Q&A

The error "Credential lifetime exceeds the max value allowed as per assigned policy '538f1913-366a-440a-95a0-e195cb55b282'" occurs because your Azure AD tenant or organization has a conditional access or security policy restricting the maximum allowed validity period for credentials added to an App Registration. This policy enforces a maximum certificate lifetime for security reasons.

Check your organization's credential lifetime policy

· This policy controls the maximum allowed expiry for client secrets or certificates on App Registrations.

· The error suggests your certificate's 1-month lifetime exceeds the max allowed by policy (which might be lower or require stricter limits).

Use a shorter validity certificate for the App Registration

· Generate or request a certificate with a lifetime within the allowed limits.

· Check the policy documentation or from your Microsoft Entra tenant administrator what max lifetime is allowed.

Policy adjustment request

· If your scenario requires longer lifetimes (e.g., 1 month or more), request your Microsoft Entra tenant administrator or security compliance team to amend or exclude your app registration from this policy.

· This typically requires Microsoft support involvement if you do not have admin rights.

Use PowerShell/Azure CLI for certificate addition bypassing UI limits Sometimes the UI enforces stricter constraints than backend: You can add a cert with a lifetime up to 2 years via the CLI:

Example with Azure CLI:

text

az ad app credential reset --id <appId> --cert @cert.pem --start-date <startDate> --end-date <endDate>
Dhiren Vispute 0 Reputation points Microsoft Employee

2025-11-20T19:45:00.97+00:00

Hi @Pashikanti Kumar

Thanks for the detailed response :-)

I did try using the command line but ran into the exact same error. Dumping the policy details (using 'az rest --method GET --url "https://graph.microsoft.com/v1.0/policies/defaultAppManagementPolicy") shows a lifetime of 0 for certificate type credentials (potentially sensitive fields removed) for this specific policy:

"servicePrincipalRestrictions": {

"keyCredentials": [

{ "maxLifetime": "PT0S", "restrictionType": "asymmetricKeyLifetime", "state": "enabled" }

This is what is confusing me. My interpretation is that the 'PT0S' (seconds?) lifetime pretty much disables cert based auth. Is my interpretation correct?

In any case, how do I go about locating the right folks (with the requisite authority) to fix this? As mentioned earlier, I cannot file a support request from the Entra portal as my subscription is not shown in the drop down list.

Thanks!

/DV
Shubham Sharma 2,200 Reputation points Microsoft External Staff Moderator

2025-11-21T19:25:29.19+00:00

Hello Dhiren Vispute

Thank you for the response. we will check internally and get back to you shortly.
Dhiren Vispute 0 Reputation points Microsoft Employee

2025-11-21T22:39:04.6666667+00:00

Per an internal response, apparently this mechanism has been disabled going forward and the recommended option is to use 'SN + I' auth instead. Please consider this question as 'answered'.

Share via

How do I fix a 'certificate credential lifetime' related error while adding a trusted certificate to an existing App Registration?

Your answer