8.17 Driver Fails to Connect to Microsoft Graph API Due to Invalid Certificate Error

Most Azure services get their SSL/TLS certificates from a known set of intermediate certificate authorities (CAs) that Microsoft operates. Microsoft publishes details of these CAs in its Certificate Practice Statement (CPS). The following CAs have been recently introduced:

  • Microsoft IT TLS CA 1

  • Microsoft IT TLS CA 2

  • Microsoft IT TLS CA 4

  • Microsoft IT TLS CA 5

You must include the new CAs in the driver’s truststore file. Otherwise, the driver reports an invalid certificate exception in the trace.

To work around this issue, perform the steps described in Securing Communication with Azure AD Graph. You must repeat the procedure for the certificates issued by each of the four CAs. After the certificates are imported into the truststore file, the Azure driver works properly.

The name of a certificate is specified by the ‘Issued by’ field of the certificate.

Microsoft periodically replaces the CAs that issue the certificates for the Microsoft Graph API; therefore, refresh the browser each time you open the API endpoint and check the certificate chain. If a new CA certificate is present, you must download it.
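One way to script the import procedure this section refers to, as an added example that is not part of the product documentation: it fetches the chain that graph.microsoft.com presents, splits it into one file per certificate, and imports every CA certificate into the driver truststore. It assumes the truststore is a Java keystore managed with keytool, that openssl and keytool are on PATH, and uses placeholder values for the truststore path and password.

```shell
#!/bin/sh
# Added example, not from the product documentation. Assumptions: the driver
# truststore is a Java keystore handled by keytool; openssl and keytool are on
# PATH. TRUSTSTORE and STOREPASS below are placeholders, override them.
TRUSTSTORE="${TRUSTSTORE:-/path/to/driver-truststore.jks}"   # placeholder path
STOREPASS="${STOREPASS:-changeit}"                            # placeholder password
GRAPH_HOST="graph.microsoft.com"

# Split a PEM bundle read from stdin into $1/cert-1.pem, $1/cert-2.pem, ...
# and print the number of certificates written.
split_chain() {
  outdir="$1"
  mkdir -p "$outdir"
  awk -v dir="$outdir" '
    /-----BEGIN CERTIFICATE-----/ { n++; f = dir "/cert-" n ".pem" }
    f { print > f }
    /-----END CERTIFICATE-----/ { close(f); f = "" }
    END { print n + 0 }'
}

# Dump the chain the Graph endpoint presents (leaf first, then the
# intermediates the server chooses to send).
fetch_chain() {
  openssl s_client -showcerts -servername "$GRAPH_HOST" \
    -connect "$GRAPH_HOST:443" </dev/null 2>/dev/null
}

# Import every certificate in $1 that is a CA (Basic Constraints CA:TRUE),
# using its subject CN (the "Issued by" name on the leaf) as the alias.
# Certificates whose alias is already in the truststore are skipped, so the
# script can be re-run whenever Microsoft rotates an intermediate CA.
import_cas() {
  for f in "$1"/cert-*.pem; do
    openssl x509 -in "$f" -noout -text | grep -q 'CA:TRUE' || continue
    alias=$(openssl x509 -in "$f" -noout -subject \
      | sed -n 's/.*CN *= *\([^,\/]*\).*/\1/p' | tr -c 'A-Za-z0-9_\n' '_')
    if keytool -list -keystore "$TRUSTSTORE" -storepass "$STOREPASS" \
         -alias "$alias" >/dev/null 2>&1; then
      echo "skip: $alias already in truststore"
      continue
    fi
    keytool -importcert -noprompt -keystore "$TRUSTSTORE" \
      -storepass "$STOREPASS" -alias "$alias" -file "$f"
  done
}

# Usage (online): work=$(mktemp -d); fetch_chain | split_chain "$work"; import_cas "$work"
```

Compare the aliases that end up in the truststore against the four CA names listed above; a missing name means the server did not send that intermediate and it must be downloaded as described in Securing Communication with Azure AD Graph.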