Hero Banner

Azure Discussions

Discuss best practices related to AI, IoT, Server Migration, Data Migration.

Visitor 1

Azure AD Connect certificate issued by Microsoft PolicyKeyService CA


We just got a certificate lifespan alert via SCOM. Certificate issued by Microsoft PolicyKeyService Certificate Authority seems to be expiring soon on a server where Azure AD Connect is configured. This certificate seems to be linked to Azure AD Connect Health Monitoring services, am I right? There are two certificates on that server issued by that same certificate authority, and it seems like this certificate have been renewed automatically. Please, see attached screenshot.

So, my question is that does this certificate require any manual steps to renew it or is everything taken care of automatically? Is there any way to verify that everything will be working normally after the expiration date has passed?

Thank you!

Kind regards,


The actual connector trust will be renewed regularly meaning a new client cert will be generated. Because the connector is running under Network Service, it will be saved under Network Service’s Personal Store. However those old certs are not removed automatically. 

Any cert issued by the service for the AAD Connect / Connect Health Service will be auto-renewed when needed. 

Visitor 1

We have a similar problem where a SCOM monitor is alerting because the certificate's trust chain is not complete. Can we get ahold of the whole trust chain? I guess it's possible to remove the certificate since we don't use Azure AD Connect Health Monitoring, but I'm pretty sure that will bite back eventually if we update AAD Connect or start to use AAD Connect Health Monitoring in the future.


Alert description: The certificate is not valid. Reason:
PartialChain: A certificate chain could not be built to a trusted root authority.

Certificate Subject: CN=<Server name>, CN=<CN>, OU=Microsoft ADFS Agent
Certificate Issuer: CN=Microsoft PolicyKeyService Certificate Authority
Serial number: <Serial number>
Store Name: Personal

Store Key: My
Store Provider: SystemRegistry
Store Type: LocalMachine

Chain Details:
--- Certificate Status ---
PartialChain: A certificate chain could not be built to a trusted root authority.