Version: Angophra

Certificates

Menu path: Observe → Application Governance → Certificates
URL: /en/insights/dashboard/appGov/certificates

Purpose

The Certificate Management page tracks all certificates used by application registrations and enterprise applications in your Entra ID tenants. Certificates are one of two credential types used by applications to authenticate to Entra ID (the other being client secrets). They are generally considered more secure than client secrets but require active lifecycle management - certificates have expiry dates and must be renewed before they expire.

An expired certificate on an actively-used application causes an authentication failure - the application stops working. The goal of this page is to give you advance warning of upcoming certificate expirations so you can plan renewals proactively, and to surface certificates that have already expired (indicating either that an application outage has occurred, or that an unused application has credentials that should be cleaned up).

The page has default filters applied (Expiry Status: Healthy +3, Parent Resource Type: Application) to help focus on the most relevant view.


Observation Cards

Total Certificates

What it means: The total count of certificates across your application estate matching the current filter criteria.

Critical: Expiring in 15 Days

What it means: Certificates on actively-used applications that will expire within 15 days and require immediate renewal action.

Why it matters: 15 days is the critical threshold. At this point, planning and scheduling a renewal is urgent - the window to complete the renewal before the expiry is very tight, especially if change management processes are involved.

Expiring Within 90 Days

What it means: Certificates approaching expiry with 90 days or less remaining. This is the planning horizon - certificate renewals should be initiated when they enter this window.

Why it matters: 90 days gives you comfortable time to plan and execute a certificate renewal with proper testing and change management. Certificates approaching this threshold should have a renewal task created and assigned.

Active & Expiring (90d)

What it means: A subset of the 90-day expiry group - specifically those on applications with recent sign-in activity. These are the highest-priority renewals because expiry will cause an active service outage.

Why it matters: An expiring certificate on an inactive application is a hygiene issue. An expiring certificate on an actively-used application is an operational emergency. This KPI filters to the critical subset.


Charts

Certificate Lifecycle Compliance

Chart type: Time-series chart
What it shows: Whether new certificates being issued are within your organisation's acceptable lifetime policies (e.g., maximum 1-year certificate lifetimes, as per Microsoft's recommendation).

Why it matters: Some organisations (or compliance frameworks) prohibit certificates with very long lifetimes because they represent credentials that go a long time without rotation. If certificates are being issued with 2, 3, or 5-year lifetimes, they will eventually appear in "stale" and "approaching expiry" reports. Establishing a maximum certificate lifetime policy and enforcing it at the point of issuance prevents future compliance issues.

Upcoming Certificate Expirations

Chart type: Timeline/bar chart
What it shows: When certificates are due to expire, plotted over the coming months. Allows you to see whether expirations are clustered in a particular period.

Why it matters: A cluster of certificate expirations in a single month could create a crunch period where many renewals need to happen simultaneously. This chart allows you to plan resource allocation for renewals in advance.


The Certificates Table

The table lists all certificates with the following columns:

  • Application - The application this certificate belongs to
  • Name - The certificate name/subject
  • Days Until Expiry - How many days until expiry (negative = already expired)
  • End Date - The actual expiry date
  • Last Activity - When the owning application was last used
  • Urgency - Expired, Expiring 90d, Healthy
  • Is Active - Whether the owning application has recent activity (is being used)
  • Exceeds Max Lifetime - Whether the certificate was issued with a lifetime exceeding your policy maximum
  • Renew - A direct action link to initiate renewal

Using the table

Filter by "Is Active" = Yes to focus only on certificates belonging to applications that are currently in use. Sort by "Days Until Expiry" ascending to see the most urgent certificates first. Use the "Urgency" filter to quickly find all "Expired" certificates for cleanup and all "Expiring 90d" certificates for renewal planning. The "Exceeds Max Lifetime" filter helps identify certificates that were issued with an overly long lifetime for remediation.
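
The triage described above can be reproduced outside the dashboard from raw credential records. The following is an added example, not the product's own code: the record shape is modelled on the keyCredentials entries of Microsoft Graph application objects, while the lastActivity field, the 30-day activity window, the 365-day maximum lifetime and all sample data are assumptions made for illustration.

```python
from datetime import datetime, timedelta, timezone

# 15 and 90 days are the page's thresholds. The 365-day maximum lifetime and
# the 30-day "recent activity" window are assumptions made for this example.
CRITICAL, PLANNING = timedelta(days=15), timedelta(days=90)
MAX_LIFETIME = timedelta(days=365)
ACTIVE_WINDOW = timedelta(days=30)

def parse(ts):
    """Parse a UTC timestamp in the form 2025-06-01T00:00:00Z."""
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)

def triage(apps, now):
    """Build one table row per certificate, active applications first."""
    rows = []
    for app in apps:
        last = app.get("lastActivity")  # hypothetical field: last sign-in time
        active = last is not None and now - parse(last) <= ACTIVE_WINDOW
        for cred in app.get("keyCredentials", []):
            start, end = parse(cred["startDateTime"]), parse(cred["endDateTime"])
            remaining = end - now  # negative once the certificate has expired
            urgency = ("Expired" if remaining <= timedelta(0)
                       else "Expiring 90d" if remaining <= PLANNING else "Healthy")
            rows.append({
                "application": app["displayName"],
                "name": cred["displayName"],
                "days_until_expiry": remaining.days,
                "urgency": urgency,
                "is_active": active,
                "critical": active and timedelta(0) < remaining <= CRITICAL,
                "exceeds_max_lifetime": end - start > MAX_LIFETIME,
            })
    # Same order as filtering on "Is Active" and sorting by "Days Until Expiry".
    return sorted(rows, key=lambda r: (not r["is_active"], r["days_until_expiry"]))

def sample_app(name, last, start, end):
    # Constructed record: one application carrying a single certificate.
    cred = {"displayName": "CN=" + name, "startDateTime": start, "endDateTime": end}
    return {"displayName": name, "lastActivity": last, "keyCredentials": [cred]}

NOW = parse("2025-06-01T00:00:00Z")  # fixed clock so the results are repeatable
SAMPLE = [  # constructed data; application names are invented
    sample_app("reporting", "2025-05-28T08:00:00Z", "2025-01-01T00:00:00Z", "2027-01-01T00:00:00Z"),
    sample_app("legacy-sync", "2024-11-02T00:00:00Z", "2022-05-20T00:00:00Z", "2025-05-20T00:00:00Z"),
    sample_app("hr-export", None, "2024-08-01T00:00:00Z", "2025-07-31T00:00:00Z"),
    sample_app("payroll-api", "2025-05-30T00:00:00Z", "2024-06-10T00:00:00Z", "2025-06-10T00:00:00Z"),
]

if __name__ == "__main__":
    print(*triage(SAMPLE, NOW), sep="\n")
```

With the sample data, payroll-api sorts first as the only critical renewal, while legacy-sync appears as an expired credential on an inactive application, which is the cleanup case.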