When signing in to a Microsoft 365 application or Azure service, error AADSTS50064 with the message "CredentialAuthenticationError - The credential used to authenticate with the authentication scheme 'X509Certificate' is either unknown or invalid" indicates a problem with certificate-based authentication or a mismatch in hybrid-joined device credentials.

The Fix

Method 1: Fix the Certificate in App Registration

The certificate used by the app does not match the one registered in Entra ID, or it has expired.

In the Entra Admin Center:

1. Sign in to portal.azure.com > Microsoft Entra ID > App registrations

2. Select your application

3. Go to Certificates & secrets > Certificates tab

4. Compare the thumbprint with your client certificate (export your .pfx to get the SHA-1 thumbprint)

5. If it is incorrect or expired: Upload certificate > select your .cer file > Add

PowerShell method:

# Install both modules once, then load the Applications module
Install-Module Microsoft.Graph.Authentication, Microsoft.Graph.Applications -Force
Import-Module Microsoft.Graph.Applications
Connect-MgGraph -Scopes "Application.ReadWrite.All"

# Check current certs (CustomKeyIdentifier holds the SHA-1 thumbprint as bytes)
$app = Get-MgApplication -Filter "appId eq 'YOUR-APP-ID'"
$app.KeyCredentials

# Upload new certificate (only the public part, $cert.RawData, is sent to Entra ID)
$cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2("C:\path\to\cert.pfx", "password")
$keyCred = @{
    Type          = "AsymmetricX509Cert"
    Usage         = "Verify"
    Key           = $cert.RawData        # DER bytes; the SDK base64-encodes them for the API
    StartDateTime = $cert.NotBefore
    EndDateTime   = $cert.NotAfter
    DisplayName   = $cert.Subject
}
# Update-MgApplication replaces the whole keyCredentials list, so keep the existing entries
$allKeys = @($app.KeyCredentials) + @($keyCred)
Update-MgApplication -ApplicationId $app.Id -KeyCredentials $allKeys
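To automate step 4 above (comparing the thumbprint of the certificate the app actually uses with what is registered on the app), here is an added PowerShell function that is not part of the original article. It assumes Microsoft.Graph.Applications is loaded, Connect-MgGraph has already run (Application.Read.All is enough), and the PFX password may be empty; the function name and its status strings are this example's own.

```powershell
# Added example, not from the original article. Assumes Microsoft.Graph.Applications
# is loaded and Connect-MgGraph has already run (Application.Read.All is enough).
function Test-EntraAppCertificate {
    param(
        [Parameter(Mandatory)] [string] $AppId,     # application (client) ID, not the object ID
        [Parameter(Mandatory)] [string] $PfxPath,   # certificate the app authenticates with
        [string] $PfxPassword = ""                  # assumption: may be empty
    )

    $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($PfxPath, $PfxPassword)
    $localThumb = $cert.Thumbprint.ToUpperInvariant()   # SHA-1 hex string, as shown in the portal
    $now = (Get-Date).ToUniversalTime()

    $app = Get-MgApplication -Filter "appId eq '$AppId'"
    if (-not $app) { throw "No application registration found for appId $AppId" }

    # CustomKeyIdentifier holds the registered certificate's SHA-1 thumbprint as raw bytes
    $match = $app.KeyCredentials | Where-Object {
        (($_.CustomKeyIdentifier | ForEach-Object { $_.ToString('X2') }) -join '') -eq $localThumb
    } | Select-Object -First 1

    $result = [ordered]@{ AppId = $AppId; Thumbprint = $localThumb; Status = 'OK'; Detail = '' }

    if (-not $match) {
        $result.Status = 'NotRegistered'
        $result.Detail = "No key credential with this thumbprint; registered: " +
            (($app.KeyCredentials | ForEach-Object { $_.DisplayName }) -join ', ')
    }
    elseif ($match.Type -ne 'AsymmetricX509Cert' -or $match.Usage -ne 'Verify') {
        $result.Status = 'WrongUsage'
        $result.Detail = "Registered as Type=$($match.Type) Usage=$($match.Usage)"
    }
    elseif ($match.EndDateTime -and $match.EndDateTime.ToUniversalTime() -lt $now) {
        $result.Status = 'ExpiredInEntra'
        $result.Detail = "Registered credential ended $($match.EndDateTime)"
    }
    elseif ($cert.NotAfter.ToUniversalTime() -lt $now -or $cert.NotBefore.ToUniversalTime() -gt $now) {
        $result.Status = 'LocalCertOutsideValidity'
        $result.Detail = "Local certificate valid $($cert.NotBefore) to $($cert.NotAfter)"
    }
    return [pscustomobject]$result
}

# Usage (placeholder values):
Test-EntraAppCertificate -AppId 'YOUR-APP-ID' -PfxPath 'C:\path\to\cert.pfx' -PfxPassword 'password'
```

A Status other than OK points at the specific mismatch behind AADSTS50064 (not registered, wrong usage, expired in Entra ID, or the local file itself outside its validity period).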

If That Does Not Work: Sync Your UPN and Password

In hybrid environments, the on-premises UPN may not match the cloud UPN, or the password hash may not have synced.

On your Entra Connect server:

Import-Module ADSync
Start-ADSyncSyncCycle -PolicyType Delta

Wait 30 minutes, then try signing in again.

To verify UPN sync:

1. Open Entra Connect

2. Tasks > Customize synchronization options

3. Confirm the UPN suffix matches your cloud domain (not something like contoso.local)

4. Run a full synchronization if needed

If That Does Not Work: Clear Cached Authentication

The device may be using stale credentials.

Sign out completely, close all browsers, then sign in using InPrivate/Incognito mode. If that works, clear your browser cache, or use this command to clear cached Kerberos tickets (it does not remove Entra ID tokens):

klist purge

For persistent issues on a hybrid-joined device, check the Primary Refresh Token:

dsregcmd /status

Look for errors in the "SSO State" section.

If That Does Not Work: Check Network Proxy

Corporate proxies performing TLS inspection can break certificate validation. Add these to your proxy bypass list:

  • login.microsoftonline.com
  • login.windows.net
  • .microsoft.com (for CRL/OCSP checks)
  • ocsp.msocsp.com

Registry method (requires admin rights):

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings

Create string value (REG_SZ): ProxyBypass

Set value: ".microsoftonline.com;<local>"

Restart your computer after applying.

Verify

Test authentication by signing into the affected application. Check Event Viewer > Applications and Services Logs > Microsoft > Windows > AAD > Operational for successful authentication events (Event ID 1098). In hybrid scenarios, run dsregcmd /status and confirm "AzureAdJoined : YES" and "SSO State" shows no errors.

If AADSTS50064 persists, check if MFA is enforced on the account. Certificate authentication cannot satisfy MFA as a first factor. Use a non-MFA admin account or adjust your Conditional Access policies.