
AADSTS700027: The certificate with identifier used to sign the client assertion is not registered on application. [Reason - The key was not found

Ella Chan 40 Reputation points Microsoft Employee
2026-03-19T18:24:11.53+00:00

I assigned the Key Vault admin role for the service (app 1) in my Key Vault with the managed identity ID. I also added the following in the manifest of registered app 1, and I cannot upload the certificate in the app's Certificates & secrets due to security concerns and a new policy. The subject Name is efficient for another certificate in another application without issue, where I uploaded the certificate and will resolve the security later on.

	"trustedCertificateSubjects": [
		{
			"authorityId": "00000000-0000-0000-0000-000000000001",
			"subjectName": "*****.registeredDomain",
			"revokedCertificateIdentifiers": []
		}
	]
Azure Key Vault


1 answer

  1. Q&A Assist
    2026-03-19T18:24:32.11+00:00
    AI generated content. This question contains an answer created with AI from Q&A Assist.

    The error AADSTS700027: The certificate with identifier used to sign the client assertion is not registered on application means Microsoft Entra ID cannot find the certificate (key credential) on the app registration that is being used to sign the client assertion (JWT).

    trustedCertificateSubjects in the application manifest does not register a certificate for client authentication. To use a certificate for app-only auth (client assertions), the certificate must be added to the app’s keyCredentials collection or uploaded via Certificates & secrets.

    To fix the error without relying on trustedCertificateSubjects:

    1. Compute the certificate values
      • From the X.509 certificate that is used to sign the client assertion, compute:
        • customKeyIdentifier = Base64-encoded thumbprint (hash) of the certificate.
        • key = Base64-encoded raw certificate data.
      • Generate a GUID for keyId.
    2. Register the certificate in the app manifest
      • In the Entra ID App registrations blade for app 1, open Manifest.
      • Replace or extend the keyCredentials property with an entry for the certificate, for example:
        "keyCredentials": [
          {
            "customKeyIdentifier": "<base64Thumbprint>",
            "keyId": "<guid-key-id>",
            "type": "AsymmetricX509Cert",
            "usage": "Verify",
            "key": "<base64Value>"
          }
        ]
      • Save the manifest.
    3. Ensure the same certificate is used to sign the client assertion
      • The private key corresponding to the registered certificate must be used to sign the JWT (client_assertion).
      • When calling the token endpoint, send:
        • client_assertion_type=urn:ietf:params:oauth:client-assertion-type:jwt-bearer
        • client_assertion=<signed JWT>
    4. Retry the token request
      • After the certificate is correctly registered in keyCredentials and used to sign the assertion, the AADSTS700027 error should be resolved.

    Note: Assigning Key Vault roles or using managed identity on the Key Vault does not by itself register the certificate on the Entra app. The app registration must explicitly contain the certificate in keyCredentials (either via upload in Certificates & secrets or via manifest as shown above).



