The error indicates that the credential used to sign the JWT (typically a client secret or certificate for a service principal) is expired. Even though no app registrations are visible, the issue is resolved by renewing the client secret in Microsoft Entra ID and then updating the dependent application with the new secret.
Use the following steps:
- In the Azure portal, open Microsoft Entra ID.
- Go to App registrations and ensure the filter is set to show All applications, not just “Owned applications.” Also check under your tenant’s subscriptions and directories if applicable.
- Once the correct application is identified, open it and select Certificates & secrets.
- Under Client secrets, create a New client secret to renew it. After creation, copy the new secret value that appears under the Key column.
- Go to the application or service that uses this app registration (for example, CycleCloud or any other service using that service principal). In its configuration UI, locate the place where the Application Secret (client secret) is stored.
- Replace the old secret with the new one and validate/save the configuration.
If the Surface user is authenticating through a service that relies on this service principal, updating the expired secret and saving the configuration will stop the “JWT Signature is Invalid – User key is expired” error on that device.
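As an added example (not part of the original answer, and not Microsoft's code), the script below shows how to work out which credential on an app registration has actually expired before renewing it, and how to match the secret stored in a dependent service such as CycleCloud to the right entry. It assumes the JSON shape returned by Microsoft Graph for an application resource (`passwordCredentials` and `keyCredentials`, where `hint` holds the first three characters of a secret); the app name, key IDs, hints, dates and the fixed clock are constructed for the example.

```python
"""Audit an app registration's credentials to find the expired one.

The data shape follows the Microsoft Graph 'application' resource
(GET /applications/{id}?$select=displayName,passwordCredentials,keyCredentials).
All values below are constructed for this example.
"""
from datetime import datetime, timezone
from typing import Optional

# Constructed sample: one expired secret, one about to expire, one valid certificate.
SAMPLE_APP = {
    "displayName": "example-cyclecloud-sp",
    "passwordCredentials": [
        {"displayName": "cyclecloud-2022", "keyId": "00000000-0000-0000-0000-000000000001",
         "hint": "abc", "startDateTime": "2022-03-01T00:00:00Z", "endDateTime": "2023-03-01T00:00:00Z"},
        {"displayName": "cyclecloud-2024", "keyId": "00000000-0000-0000-0000-000000000002",
         "hint": "xyz", "startDateTime": "2024-01-15T00:00:00Z", "endDateTime": "2024-02-01T00:00:00Z"},
    ],
    "keyCredentials": [
        {"displayName": "CN=cyclecloud-cert", "keyId": "00000000-0000-0000-0000-000000000003",
         "type": "AsymmetricX509Cert", "usage": "Verify",
         "startDateTime": "2023-06-01T00:00:00Z", "endDateTime": "2025-06-01T00:00:00Z"},
    ],
}

# Fixed clock (constructed) so the output is deterministic; use datetime.now(timezone.utc) in practice.
NOW = datetime(2024, 1, 20, tzinfo=timezone.utc)


def parse_graph_time(value: str) -> datetime:
    """Graph returns ISO-8601 UTC timestamps with a trailing 'Z'."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def credential_status(cred: dict, now: datetime = NOW, warn_days: int = 30) -> str:
    """Classify one credential as expired, expiring (within warn_days) or valid."""
    end = parse_graph_time(cred["endDateTime"])
    if end <= now:
        return "expired"
    if (end - now).days < warn_days:
        return "expiring"
    return "valid"


def audit_credentials(app: dict, now: datetime = NOW, warn_days: int = 30) -> list:
    """Return every secret and certificate on the registration, soonest expiry first."""
    findings = []
    for kind in ("passwordCredentials", "keyCredentials"):
        for cred in app.get(kind, []):
            end = parse_graph_time(cred["endDateTime"])
            findings.append({
                "kind": "client secret" if kind == "passwordCredentials" else "certificate",
                "name": cred.get("displayName"),
                "keyId": cred["keyId"],
                "endDateTime": cred["endDateTime"],
                "days_left": (end - now).days,
                "status": credential_status(cred, now, warn_days),
            })
    return sorted(findings, key=lambda f: f["days_left"])


def find_secret_by_hint(app: dict, configured_secret: str) -> Optional[dict]:
    """Match the secret stored in a dependent service's config to a registration entry.

    Graph never returns a secret's value after creation, but 'hint' carries its
    first three characters, which is enough to tell which entry the service holds.
    """
    for cred in app.get("passwordCredentials", []):
        hint = cred.get("hint")
        if hint and configured_secret.startswith(hint):
            return cred
    return None


if __name__ == "__main__":
    for f in audit_credentials(SAMPLE_APP):
        print(f"{f['status']:9} {f['kind']:14} {f['name']}  ends {f['endDateTime']} ({f['days_left']:+d} days)")
    # Constructed value standing in for the secret copied out of the dependent service's config.
    hit = find_secret_by_hint(SAMPLE_APP, "abc~constructed-old-secret-value")
    print("configured secret is:", hit["displayName"] if hit else "not on this registration",
          "->", credential_status(hit) if hit else "-")
```

Run against real data by replacing `SAMPLE_APP` with the Graph response for the registration and `NOW` with the current UTC time; an `expired` client secret whose hint matches the value held by the dependent service is the one to renew and swap in, and the `expiring` entries are the ones to rotate before they cause the same error.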