Microsoft 365 login issue

Ciaran Carey 0 Reputation points
2026-04-03T12:18:45.0733333+00:00

Request Id: [Moderator note: Personal information removed]

Correlation Id: [Moderator note: Personal information removed]

Timestamp: 2026-04-03T11:55:23Z

Message: AADSTS501209: JWT signature is invalid [Reason - The key used is expired., Found key 'Start=02/22/2016 15:25:51, End=02/22/2026 15:55:51', Please visit the Azure Portal, Graph Explorer or directly use MS Graph to see configured keys for app Id '00000000-0000-0000-0000-000000000000'. Review the documentation at https://docs.microsoft.com/en-us/graph/deployments to determine the corresponding service endpoint and https://docs.microsoft.com/en-us/graph/api/application-get?view=graph-rest-1.0&tabs=http to build a query request URL, such as 'https://graph.microsoft.com/beta/applications/00000000-0000-0000-0000-000000000000'].

Microsoft 365 and Office | Install, redeem, activate | For business | Windows
2 answers

  1. Tamara-Hu 13,305 Reputation points Microsoft External Staff Moderator
    2026-04-03T14:51:43.3566667+00:00

    Hello @Ciaran Carey

    I hope you're doing well. 

    Based on my research, the error "AADSTS501209: JWT signature is invalid (key expired)" usually indicates that the JWT token is signed using an expired key (certificate or client secret) configured on the Microsoft Entra ID (Azure AD) app registration.

    Once the signing key reaches its End date, Microsoft Entra ID will no longer accept tokens signed with it, resulting in the JWT signature validation failure. 

    To troubleshoot and resolve, you can try these steps: 

    1. Find your IT admin/Microsoft 365 admin to assist with this kind of issue.  

    If you haven’t yet reached out, here’s a helpful guide to locate your Microsoft 365 administrator: How do I find my Microsoft 365 admin? - Microsoft Support  

    2. Check credentials in the Azure Portal

    • Sign in to Microsoft Entra ID at https://entra.microsoft.com using an administrator account. 
    • Navigate to Microsoft Entra ID > App registrations > All applications. 
    • Paste the Application (client) ID into the search box, or locate it directly in the Application (client) ID column. 

    • Click on the app's Display name. 
    • Navigate to Certificates & secrets.  
    • Check and verify whether any credential has an End date in the past or matching the date shown in the error: 
      • Certificates under Certificates 
      • Client secrets under Client secrets 

    3. Rotate the expired credential (required) 

    If using a certificate 

    • Upload a new certificate 
    • Ensure the new certificate has a valid future expiration date 
    • Update the application/service to use the new certificate 

    If using a client secret 

    • Create a new client secret 

    • Copy the secret value immediately 
    • Update the application configuration with the new secret 

    The expired credential cannot be reused once its end date has passed. 

     

    4. (Optional) Verify via Microsoft Graph 

    You can also inspect configured credentials using Microsoft Graph using the instructions:  

    Review: 

    • keyCredentials > certificates 
    • passwordCredentials > client secrets 
    • Check the endDateTime values for expiration. 

    Note: Ensure you are using the correct Graph endpoint if the tenant is in a national cloud (GCC, Germany, China, etc.). 

     

    Once the credential is renewed and the application updated, authentication should succeed. 

    Please let me know if the issue persists. I'll be happy to assist further. 


    Please understand that our forum is a public platform, and we will modify your question to cover your personal information including your Request Id, Correlation Id in the description. Your personal data will be stored in our private messages and will automatically be deleted after 30 days.

    Please remember to hide such personal or organizational information the next time you post an error or other information, to protect personal data.


    If the answer is helpful, please click "Accept Answer" and kindly upvote it. If you have extra questions about this answer, please click "Comment". 

    Note: Please follow the steps in our documentation to enable e-mail notifications if you want to receive the related email notification for this thread.
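
The check in step 4 of the answer above, as an added example that is not part of the original post or Microsoft's own code: it reads the key validity out of the AADSTS501209 message and matches it against the `keyCredentials` and `passwordCredentials` of a Graph application response. The JSON body, keyIds, display names, the 30-day warning window and the UTC reading of the error's dates are constructed assumptions.

```python
import json
import re
from datetime import datetime, timedelta, timezone

# Constructed sample: the error text from the question plus a made-up Graph
# "application" response (keyIds and display names are placeholders).
ERROR = ("AADSTS501209: JWT signature is invalid [Reason - The key used is expired., "
         "Found key 'Start=02/22/2016 15:25:51, End=02/22/2026 15:55:51'")
APP_JSON = """{
  "appId": "00000000-0000-0000-0000-000000000000",
  "keyCredentials": [
    {"keyId": "11111111-1111-1111-1111-111111111111", "displayName": "CN=example-old",
     "startDateTime": "2016-02-22T15:25:51Z", "endDateTime": "2026-02-22T15:55:51Z"},
    {"keyId": "22222222-2222-2222-2222-222222222222", "displayName": "CN=example-new",
     "startDateTime": "2026-03-01T00:00:00Z", "endDateTime": "2026-04-20T00:00:00Z"}
  ],
  "passwordCredentials": [
    {"keyId": "33333333-3333-3333-3333-333333333333", "displayName": "example-secret",
     "startDateTime": "2025-06-01T00:00:00Z", "endDateTime": "2027-06-01T00:00:00Z"}
  ]
}"""

def parse_graph_time(value):
    # Graph returns ISO 8601 UTC; drop fractional seconds so older Pythons parse it.
    return datetime.fromisoformat(re.sub(r"\.\d+", "", value).replace("Z", "+00:00"))

def key_end_from_error(message):
    # The error prints the key's validity as MM/DD/YYYY HH:MM:SS (assumed to be UTC).
    m = re.search(r"End=(\d{2}/\d{2}/\d{4} \d{2}:\d{2}:\d{2})", message)
    if not m:
        return None
    return datetime.strptime(m.group(1), "%m/%d/%Y %H:%M:%S").replace(tzinfo=timezone.utc)

def audit_credentials(app, now, error_end=None, warn_days=30):
    # Classify every certificate and secret, and flag the one named in the error.
    findings = []
    for kind in ("keyCredentials", "passwordCredentials"):
        for cred in app.get(kind) or []:
            end = parse_graph_time(cred["endDateTime"])
            soon = end - now <= timedelta(days=warn_days)
            status = "expired" if end <= now else "expiring" if soon else "ok"
            findings.append({"kind": kind, "keyId": cred["keyId"],
                             "name": cred.get("displayName"), "status": status,
                             "in_error": error_end is not None and end == error_end})
    return findings

if __name__ == "__main__":
    now = datetime(2026, 4, 3, 11, 55, 23, tzinfo=timezone.utc)  # Timestamp from the error
    for finding in audit_credentials(json.loads(APP_JSON), now, key_end_from_error(ERROR)):
        print(finding)
```

A credential marked `in_error` is the one to rotate; any other entry marked `expiring` is worth replacing in the same change window.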


  2. Q&A Assist
    2026-04-03T12:19:04.85+00:00
    AI generated content. This question contains an answer created with AI from Q&A Assist.

    The error indicates that the signing key used for the JWT has expired, so authentication to Microsoft 365 is failing. This is a token/signing certificate/key expiration issue on the identity side, not something that can be fixed from the client.

    Based on the provided context, similar issues in Microsoft 365 sign-in scenarios are resolved by:

    1. Having a tenant administrator open a support ticket in the Microsoft 365 Admin Center so Microsoft can investigate and correct identity or certificate issues on the service side.
    2. Providing detailed sign-in information and logs with the ticket so support can identify the failing key or certificate and repair the trust.

    For this scenario:

    1. Ask a Microsoft 365 tenant admin to sign in to the Microsoft 365 Admin Center.
    2. From Support → Help & support, open a new service request describing:
      • The full error message including AADSTS501209 and the key validity (Start=02/22/2016 15:25:51, End=02/22/2026 15:55:51).
      • The Request Id, Correlation Id, and Timestamp from the error.
      • That users cannot sign in to Microsoft 365 because the JWT signing key is expired.
    3. Attach authentication/sign-in logs if requested by support. If the issue is impacting Microsoft 365 desktop apps, follow the documented guidance to collect MSOAID logs and include them in the ticket: see Use MSOAID for authentication issues from the referenced article.
    4. Microsoft support will validate and update/renew the relevant signing key or certificate and repair the trust configuration so tokens are issued with a valid signature again.

    If users are also seeing “Something went wrong [1001]” or other sign-in failures in Microsoft 365 desktop apps, the admin should:

    1. Confirm no security software is interfering with the Web Account Manager (WAM) plug-in (AAD.BrokerPlugin).
    2. As a temporary mitigation on affected Windows devices, run the documented PowerShell commands in user mode to repair WAM:
         Add-AppxPackage -Register "$env:windir\SystemApps\Microsoft.AAD.BrokerPlugin_cw5n1h2txyewy\Appxmanifest.xml" -DisableDevelopmentMode -ForceApplicationShutdown
         Add-AppxPackage -Register "$env:windir\SystemApps\Microsoft.Windows.CloudExperienceHost_cw5n1h2txyewy\Appxmanifest.xml" -DisableDevelopmentMode -ForceApplicationShutdown
      
    3. If the environment uses profile management or non-persistent VDI, review the documented guidance for device identity and user profile handling.

    Because the error explicitly states the key is expired, the durable fix requires updating/renewing the signing key or certificate and, if federated or custom apps are involved, updating the relying party trust or app registration configuration. This must be done by an administrator or Microsoft support; end users cannot resolve it locally.

