Entra Cloud Sync and the Phantom Certificate

Posted on by

I posted this in a Microsoft forum but wanted to repeat it here for future reference. (My blog has outlived several iterations of Microsoft knowledge bases!)

The Issue

I installed Entra Cloud Sync on a Server 2025 Domain Controller. The Entra dashboard shows the status is “Healthy”. However the certificate issued to HISConnectorRegistrationCA.his.msappproxy.net expired on 9/21/2025 [three days before I posted in the forum].

Shouldn’t the certificate auto-renew? Why is it still “Healthy” after the certificate expires?

Does the Cloud Sync agent keep logs of its certificate renewal attempts? Where?

The expired certificate is in Certificates – Local Computer – Personal.

Note that this is about Cloud Sync, not Entra Connect.

A similar question was posted here but no public solution was provided:

https://learn.microsoft.com/en-au/answers/questions/2126684/hisconnectorregistrationca-msappproxy-net-certific

My Conclusion

I’ve pretty much given up on this. I could find no record of certificate renewal in the log files (C:\ProgramData\Microsoft\Azure AD Connect Provisioning Agent\Trace). I tried researching with Perplexity and ChatGPT. At first, they suggested looking for the renewed certificate in the GMSA service account created by the installer. But when I found no cert there, ChatGPT concluded that the cert is renewed in some hidden manner and the expired cert is left behind as confusing rubbish. See ChatGPT output below.

I sort of confirmed this by deleting the expired certificate and restarting the Microsoft Azure AD Connect Provisioning Agent. It started fine and still shows “Healthy” in the Entra dashboard. I hope that means it is still working. It is nerve-wracking to be planning a production deployment when the critical service certificate has simply disappeared.

  1. Why would the service create a certificate one way, then renew it in a different way, leaving the expired one generating multiple warnings in the event log every day?
  2. Where is the documentation on the certificate renewal process and storage location?

ChatGPT’s Comments

Where the provisioning agent’s certificate lives in current builds (2025 Cloud Sync)

The self-signed certificate with the GUID subject is still created, but in the latest builds it no longer resides in any user certificate store, including the GMSA hive.

The GMSA (pGMSA_<GUID>$) is primarily used as the service identity; it does not have a persistent user certificate store with the agent cert anymore.

The certificate is now handled entirely internally by the agent service, often in protected memory / internal database, or in files in the Config folder in a binary/encrypted format that is not readable.

That’s why:

  • HKU\<SID>\Software\Microsoft\SystemCertificates\My is empty.
  • Browsing LocalMachine\My shows the original expired cert, but no renewed cert exists there. Where the provisioning agent’s certificate lives in current builds (2025 Cloud Sync)
  • The self-signed certificate with the GUID subject is still created, but in the latest builds it no longer resides in any user certificate store, including the GMSA hive.
  • The GMSA (pGMSA_<GUID>$) is primarily used as the service identity; it does not have a persistent user certificate store with the agent cert anymore.
  • The certificate is now handled entirely internally by the agent service, often in protected memory / internal database, or in files in the Config folder in a binary/encrypted format that is not readable.

Leave a Reply

Your email address will not be published. Required fields are marked *

Notify me of followup comments via e-mail. You can also subscribe without commenting.