How to troubleshoot an issue with Entra application certificate update
When a managed Microsoft 365 tenant is added to Cayosoft Guardian using an Entra application, Cayosoft Guardian creates an application in the tenant and uses a certificate for authentication. Cayosoft Guardian is expected to rotate this certificate automatically when it is nearing expiration.
In some scenarios, the Health Check job reports that the certificate was rotated, but the certificate is not actually updated. Cayosoft Guardian then loses access to the tenant once the certificate expires.
NOTE: Cayosoft Guardian version 7.1 includes improvements to Entra application authentication and certificate rotation logic. If you are running an earlier version, Cayosoft strongly recommends upgrading to version 7.1 or later before applying the manual workaround described in this article.
Symptoms
- Health Check runs successfully but does not actually rotate the certificate.
- Cayosoft Guardian can no longer collect data from the tenant after the certificate expires.
- Health Check job displays messages similar to:
  - The credentials are assigned to Managed Tenant <tenant name>.
  - Authentication certificate is expired.
  - Failed to connect to https://graph.microsoft.com… No connection could be made because the target machine actively refused it.
- The Managed Tenant component shows Health Check failures related to authentication.
Root cause
Cayosoft Guardian attempts to rotate Entra application certificates during the Health Check job. In some configurations, the rotation logic executes but does not apply the new certificate to the tenant application, even though Health Check logs indicate that rotation occurred.
As a result:
- The old certificate remains active.
- When it expires, Guardian loses access to the tenant.
- Subsequent Health Check runs may still report that the certificate was rotated.
Impact
- Guardian cannot authenticate to the managed tenant.
- Microsoft Graph data collection fails.
- Threat Detection ingestion and other tenant-related jobs may fail.
- The tenant appears unhealthy in Health Check until credentials are renewed.
Resolution
If the certificate has not expired yet, update it with the 'Renew service principal credentials' action:
- Open the affected Managed tenant in Cayosoft Guardian.
- Open the Credentials tab and double-click Account name.
  Click Renew service principal credentials.
- In the confirmation dialog, set the Certificate rotation period (days) as needed.
  Click Update.
TIP: This action forces regeneration of a new certificate, updates the Entra App Registration, and restores Cayosoft Guardian’s ability to authenticate and collect data.
- To reduce the risk of future expiration issues, configure an appropriate rotation period. Cayosoft Guardian will schedule the next certificate rotation based on this value.
- Run Check Health for the tenant.
- Open the Health check history tab.
- Confirm that:
  - The new certificate is shown as applied.
  - No authentication failures are reported.
Allow several minutes for Entra propagation before reviewing the results.
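Because the Health Check history can report a rotation that was never applied, the App Registration can also be checked directly: the application object in Microsoft Graph lists its certificates in the keyCredentials property. The following is an added example, not Cayosoft code. It assumes the keyCredentials array has already been exported as JSON; the function name, the 30-day warning threshold and the 24-hour clock tolerance are choices made for this example, and the sample data is constructed.

```python
from datetime import datetime, timedelta, timezone

# Constructed sample of the keyCredentials array that Microsoft Graph returns
# for an application object; keyId and displayName are placeholders.
SAMPLE_KEY_CREDENTIALS = [
    {"keyId": "00000000-0000-0000-0000-000000000001",
     "displayName": "CN=placeholder",
     "type": "AsymmetricX509Cert", "usage": "Verify",
     "startDateTime": "2024-03-01T00:00:00Z",
     "endDateTime": "2025-03-01T00:00:00Z"},
]

def _ts(value):
    """Parse a Graph ISO 8601 UTC timestamp such as 2025-03-01T00:00:00Z."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))

def assess_rotation(key_credentials, reported_rotation, now, warn_days=30,
                    skew=timedelta(hours=24)):
    """Check whether a rotation reported at `reported_rotation` is visible on the app.

    warn_days and skew are assumptions of this example, not Guardian settings.
    """
    certs = [k for k in key_credentials if k.get("type") == "AsymmetricX509Cert"]
    # A rotation counts as applied only if some certificate became valid
    # around or after the time the Health Check claims it rotated.
    rotated = any(_ts(k["startDateTime"]) >= reported_rotation - skew for k in certs)
    valid = [k for k in certs
             if _ts(k["startDateTime"]) <= now < _ts(k["endDateTime"])]
    if not valid:
        return {"status": "NO_VALID_CERTIFICATE", "rotated": rotated,
                "days_left": 0, "key_id": None}
    best = max(valid, key=lambda k: _ts(k["endDateTime"]))
    days_left = (_ts(best["endDateTime"]) - now).days
    if not rotated:
        status = "ROTATION_NOT_APPLIED"   # the symptom described in this article
    elif days_left <= warn_days:
        status = "EXPIRING_SOON"
    else:
        status = "OK"
    return {"status": status, "rotated": rotated, "days_left": days_left,
            "key_id": best["keyId"]}

if __name__ == "__main__":
    reported = datetime(2025, 2, 20, 9, 0, tzinfo=timezone.utc)  # constructed
    now = datetime(2025, 2, 25, tzinfo=timezone.utc)             # constructed
    print(assess_rotation(SAMPLE_KEY_CREDENTIALS, reported, now))
```

A result of ROTATION_NOT_APPLIED while the Health Check history shows a rotation matches the condition listed under Contact support.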
If the certificate has already expired or the Renew service principal credentials action is failing:
- Click Grant Access.
  Then click Grant. Enter the credentials of an Entra Global Administrator.
- Click Save.
Contact support
Contact support if:
- The certificate does not update even after manual renewal.
- Health Check reports successful rotation, but the Entra App Registration certificate remains unchanged.
- Tenant authentication continues to fail despite valid Entra application credentials.