diff --git a/.github/workflows/jobs.yaml b/.github/workflows/jobs.yaml
index cf70f4754..f83b79faa 100644
--- a/.github/workflows/jobs.yaml
+++ b/.github/workflows/jobs.yaml
@@ -1542,7 +1542,7 @@ jobs:
 go tool cover -func=all.out | grep total > tmp2
 result=`cat tmp2 | awk 'END {print $3}'`
 result=${result%\%}
- threshold=63.7
+ threshold=64.9
 echo "Result:"
 echo "$result%"
 if (( $(echo "$result >= $threshold" |bc -l) )); then
diff --git a/operatorapi/tenants.go b/operatorapi/tenants.go
index 9cabd2568..59abdfd20 100644
--- a/operatorapi/tenants.go
+++ b/operatorapi/tenants.go
@@ -844,10 +844,7 @@ func updateTenantIdentityProvider(ctx context.Context, operatorClient OperatorCl
 tenant.EnsureDefaults()
 // update tenant CRD
 _, err = operatorClient.TenantUpdate(ctx, tenant, metav1.UpdateOptions{})
- if err != nil {
- return err
- }
- return nil
+ return err
 }
 func getTenantIdentityProviderResponse(session *models.Principal, params operator_api.TenantIdentityProviderParams) (*models.IdpConfiguration, *models.Error) {
@@ -1217,10 +1214,7 @@ func updateTenantSecurity(ctx context.Context, operatorClient OperatorClientI, c
 minInst.Spec.ExternalClientCertSecrets = newExternalClientCertSecrets
 minInst.Spec.ExternalCaCertSecret = newExternalCaCertSecret
 _, err = operatorClient.TenantUpdate(ctx, minInst, metav1.UpdateOptions{})
- if err != nil {
- return err
- }
- return nil
+ return err
 }
 func listTenants(ctx context.Context, operatorClient OperatorClientI, namespace string, limit *int32) (*models.ListTenantsResponse, error) {
diff --git a/operatorapi/tenants_2_test.go b/operatorapi/tenants_2_test.go
index 1fb66b63d..dead84383 100644
--- a/operatorapi/tenants_2_test.go
+++ b/operatorapi/tenants_2_test.go
@@ -169,7 +169,7 @@ func (suite *TenantTestSuite) TestCreateTenantWithWrongActiveDirectoryConfig() {
 }
 k8sClientCreateSecretMock = func(ctx context.Context, namespace string, secret *v1.Secret, opts metav1.CreateOptions) (*v1.Secret, error) {
 if strings.HasPrefix(secret.Name, fmt.Sprintf("%s-user-", *params.Body.Name)) {
- return nil, errors.New("mock-error")
+ return nil, errors.New("mock-create-error")
 }
 return nil, nil
@@ -192,7 +192,7 @@ func (suite *TenantTestSuite) TestCreateTenantWithWrongBuiltInUsers() {
 }
 k8sClientCreateSecretMock = func(ctx context.Context, namespace string, secret *v1.Secret, opts metav1.CreateOptions) (*v1.Secret, error) {
 if strings.HasPrefix(secret.Name, fmt.Sprintf("%s-user-", *params.Body.Name)) {
- return nil, errors.New("mock-error")
+ return nil, errors.New("mock-create-error")
 }
 return nil, nil
 }
@@ -260,7 +260,7 @@ func (suite *TenantTestSuite) TestCreateTenantWithWrongCAsCertificates() {
 }
 k8sClientCreateSecretMock = func(ctx context.Context, namespace string, secret *v1.Secret, opts metav1.CreateOptions) (*v1.Secret, error) {
 if strings.HasPrefix(secret.Name, fmt.Sprintf("%s-ca-certificate-", *params.Body.Name)) {
- return nil, errors.New("mock-error")
+ return nil, errors.New("mock-create-error")
 }
 return nil, nil
 }
@@ -434,7 +434,7 @@ func (suite *TenantTestSuite) TestGetTenantSecurityWithWrongServerCertificates()
 },
 }
 k8sclientGetSecretMock = func(ctx context.Context, namespace, secretName string, opts metav1.GetOptions) (*corev1.Secret, error) {
- return nil, errors.New("mock-error")
+ return nil, errors.New("mock-get-error")
 }
 _, err := getTenantSecurity(ctx, suite.k8sclient, tenant)
 suite.assert.NotNil(err)
@@ -452,7 +452,7 @@ func (suite *TenantTestSuite) TestGetTenantSecurityWithWrongClientCertificates()
 },
 }
 k8sclientGetSecretMock = func(ctx context.Context, namespace, secretName string, opts metav1.GetOptions) (*corev1.Secret, error) {
- return nil, errors.New("mock-error")
+ return nil, errors.New("mock-get-error")
 }
 _, err := getTenantSecurity(ctx, suite.k8sclient, tenant)
 suite.assert.NotNil(err)
@@ -470,7 +470,7 @@ func (suite *TenantTestSuite) TestGetTenantSecurityWithWrongCACertificates() {
 },
 }
 k8sclientGetSecretMock = func(ctx context.Context, namespace, secretName string, opts metav1.GetOptions) (*corev1.Secret, error) {
- return nil, errors.New("mock-error")
+ return nil, errors.New("mock-get-error")
 }
 _, err := getTenantSecurity(ctx, suite.k8sclient, tenant)
 suite.assert.NotNil(err)
@@ -488,7 +488,7 @@ func (suite *TenantTestSuite) TestGetTenantSecurityWithoutError() {
 },
 }
 k8sclientGetSecretMock = func(ctx context.Context, namespace, secretName string, opts metav1.GetOptions) (*corev1.Secret, error) {
- return nil, errors.New("mock-error")
+ return nil, errors.New("mock-get-error")
 }
 sec, err := getTenantSecurity(ctx, suite.k8sclient, tenant)
 suite.assert.NotNil(sec)
@@ -502,11 +502,123 @@ func (suite *TenantTestSuite) TestUpdateTenantSecurityHandlerWithError() {
 suite.assert.True(ok)
 }
+func (suite *TenantTestSuite) TestUpdateTenantSecurityWrongServerCertificates() {
+ ctx := context.Background()
+ opClientTenantGetMock = func(ctx context.Context, namespace string, tenantName string, options metav1.GetOptions) (*miniov2.Tenant, error) {
+ return &miniov2.Tenant{
+ Spec: miniov2.TenantSpec{
+ ExternalCertSecret: []*miniov2.LocalCertificateReference{{
+ Name: "mock-crt",
+ }},
+ },
+ }, nil
+ }
+ params, _ := suite.initUpdateTenantSecurityRequest()
+ params.Body.CustomCertificates.MinioServerCertificates = []*models.KeyPairConfiguration{{}}
+ err := updateTenantSecurity(ctx, suite.opClient, suite.k8sclient, "mock-namespace", params)
+ suite.assert.NotNil(err)
+}
+
+func (suite *TenantTestSuite) TestUpdateTenantSecurityWrongClientCertificates() {
+ ctx := context.Background()
+ opClientTenantGetMock = func(ctx context.Context, namespace string, tenantName string, options metav1.GetOptions) (*miniov2.Tenant, error) {
+ return &miniov2.Tenant{
+ Spec: miniov2.TenantSpec{
+ ExternalClientCertSecrets: []*miniov2.LocalCertificateReference{{
+ Name: "mock-crt",
+ }},
+ },
+ }, nil
+ }
+ params, _ := suite.initUpdateTenantSecurityRequest()
+ params.Body.CustomCertificates.MinioClientCertificates = []*models.KeyPairConfiguration{{}}
+ err := updateTenantSecurity(ctx, suite.opClient, suite.k8sclient, "mock-namespace", params)
+ suite.assert.NotNil(err)
+}
+
+func (suite *TenantTestSuite) TestUpdateTenantSecurityWrongCACertificates() {
+ ctx := context.Background()
+ opClientTenantGetMock = func(ctx context.Context, namespace string, tenantName string, options metav1.GetOptions) (*miniov2.Tenant, error) {
+ return &miniov2.Tenant{
+ Spec: miniov2.TenantSpec{
+ ExternalCaCertSecret: []*miniov2.LocalCertificateReference{{
+ Name: "mock-crt",
+ }},
+ },
+ }, nil
+ }
+ params, _ := suite.initUpdateTenantSecurityRequest()
+ params.Body.CustomCertificates.MinioCAsCertificates = []string{"mock-ca-certificate"}
+ err := updateTenantSecurity(ctx, suite.opClient, suite.k8sclient, "mock-namespace", params)
+ suite.assert.NotNil(err)
+}
+
+func (suite *TenantTestSuite) TestUpdateTenantSecurityWrongCASecretCertificates() {
+ ctx := context.Background()
+ opClientTenantGetMock = func(ctx context.Context, namespace string, tenantName string, options metav1.GetOptions) (*miniov2.Tenant, error) {
+ return &miniov2.Tenant{
+ Spec: miniov2.TenantSpec{
+ ExternalCaCertSecret: []*miniov2.LocalCertificateReference{{
+ Name: "mock-crt",
+ }},
+ },
+ }, nil
+ }
+ k8sClientCreateSecretMock = func(ctx context.Context, namespace string, secret *v1.Secret, opts metav1.CreateOptions) (*v1.Secret, error) {
+ return nil, errors.New("mock-create-error")
+ }
+ params, _ := suite.initUpdateTenantSecurityRequest()
+ params.Body.CustomCertificates.MinioCAsCertificates = []string{"bW9jaw=="}
+ err := updateTenantSecurity(ctx, suite.opClient, suite.k8sclient, "mock-namespace", params)
+ suite.assert.NotNil(err)
+}
+
+func (suite *TenantTestSuite) TestUpdateTenantSecurityWrongSC() {
+ ctx := context.Background()
+ opClientTenantGetMock = func(ctx context.Context, namespace string, tenantName string, options metav1.GetOptions) (*miniov2.Tenant, error) {
+ return &miniov2.Tenant{}, nil
+ }
+ params, _ := suite.initUpdateTenantSecurityRequest()
+ err := updateTenantSecurity(ctx, suite.opClient, suite.k8sclient, "mock-namespace", params)
+ suite.assert.NotNil(err)
+}
+
+func (suite *TenantTestSuite) TestUpdateTenantSecurityWithoutError() {
+ ctx := context.Background()
+ opClientTenantGetMock = func(ctx context.Context, namespace string, tenantName string, options metav1.GetOptions) (*miniov2.Tenant, error) {
+ return &miniov2.Tenant{
+ Spec: miniov2.TenantSpec{
+ Pools: []miniov2.Pool{{}},
+ },
+ }, nil
+ }
+ opClientTenantUpdateMock = func(ctx context.Context, tenant *miniov2.Tenant, opts metav1.UpdateOptions) (*miniov2.Tenant, error) {
+ return &miniov2.Tenant{}, nil
+ }
+ runAsUser := "1000"
+ runAsGroup := "1000"
+ fsGroup := "1000"
+ params, _ := suite.initUpdateTenantSecurityRequest()
+ params.Body.SecurityContext = &models.SecurityContext{
+ RunAsUser: &runAsUser,
+ RunAsGroup: &runAsGroup,
+ FsGroup: fsGroup,
+ }
+ err := updateTenantSecurity(ctx, suite.opClient, suite.k8sclient, "mock-namespace", params)
+ suite.assert.Nil(err)
+}
+
 func (suite *TenantTestSuite) initUpdateTenantSecurityRequest() (params operator_api.UpdateTenantSecurityParams, api operations.OperatorAPI) {
 registerTenantHandlers(&api)
 params.HTTPRequest = &http.Request{}
 params.Namespace = "mock-namespace"
 params.Tenant = "mock-tenant"
+ params.Body = &models.UpdateTenantSecurityRequest{
+ CustomCertificates: &models.UpdateTenantSecurityRequestCustomCertificates{
+ SecretsToBeDeleted: []string{"mock-certificate"},
+ },
+ }
+
 return params, api
 }
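Review bot: Every new failure-path test in this hunk ends with `suite.assert.NotNil(err)`, so none of them pins which step of updateTenantSecurity actually failed. The stubs (`opClientTenantGetMock`, `k8sClientCreateSecretMock`, `opClientTenantUpdateMock`) are shared variables that each test reassigns and, as far as the hunk shows, nothing resets, so a test such as TestUpdateTenantSecurityWrongSC could pass on an error produced by a stub left over from an earlier test rather than on the condition its name describes. Where a stub supplies the error, assert on it, for example `suite.assert.ErrorContains(err, "mock-create-error")` in TestUpdateTenantSecurityWrongCASecretCertificates (or `suite.assert.Contains(err.Error(), "mock-create-error")` if the vendored testify predates ErrorContains); that is also what would make the distinct mock messages introduced by this commit useful. The same applies to the three TestUpdateTenantIdentityProviderWith…Error tests in the next hunk.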
@@ -603,9 +715,92 @@ func (suite *TenantTestSuite) initUpdateTenantIdentityProviderRequest() (params
 params.HTTPRequest = &http.Request{}
 params.Namespace = "mock-namespace"
 params.Tenant = "mock-tenant"
+ params.Body = &models.IdpConfiguration{}
 return params, api
 }
+func (suite *TenantTestSuite) TestUpdateTenantIdentityProviderWithTenantError() {
+ ctx := context.Background()
+ opClientTenantGetMock = func(ctx context.Context, namespace string, tenantName string, options metav1.GetOptions) (*miniov2.Tenant, error) {
+ return nil, errors.New("mock")
+ }
+ params, _ := suite.initUpdateTenantIdentityProviderRequest()
+ err := updateTenantIdentityProvider(ctx, suite.opClient, suite.k8sclient, "mock-namespace", params)
+ suite.assert.NotNil(err)
+}
+
+func (suite *TenantTestSuite) TestUpdateTenantIdentityProviderWithTenantConfigurationError() {
+ ctx := context.Background()
+ opClientTenantGetMock = func(ctx context.Context, namespace string, tenantName string, options metav1.GetOptions) (*miniov2.Tenant, error) {
+ return &miniov2.Tenant{
+ Spec: miniov2.TenantSpec{
+ CredsSecret: &corev1.LocalObjectReference{
+ Name: "mock",
+ },
+ },
+ }, nil
+ }
+ k8sclientGetSecretMock = func(ctx context.Context, namespace, secretName string, opts metav1.GetOptions) (*corev1.Secret, error) {
+ return nil, errors.New("mock-get-error")
+ }
+ params, _ := suite.initUpdateTenantIdentityProviderRequest()
+ err := updateTenantIdentityProvider(ctx, suite.opClient, suite.k8sclient, "mock-namespace", params)
+ suite.assert.NotNil(err)
+}
+
+func (suite *TenantTestSuite) TestUpdateTenantIdentityProviderWithSecretCreationError() {
+ ctx := context.Background()
+ opClientTenantGetMock = func(ctx context.Context, namespace string, tenantName string, options metav1.GetOptions) (*miniov2.Tenant, error) {
+ return &miniov2.Tenant{
+ Spec: miniov2.TenantSpec{
+ Env: []corev1.EnvVar{
+ {Name: "mock", Value: "mock"},
+ },
+ },
+ }, nil
+ }
+ k8sClientCreateSecretMock = func(ctx context.Context, namespace string, secret *v1.Secret, opts metav1.CreateOptions) (*v1.Secret, error) {
+ return nil, errors.New("mock-create-error")
+ }
+ params, _ := suite.initUpdateTenantIdentityProviderRequest()
+ err := updateTenantIdentityProvider(ctx, suite.opClient, suite.k8sclient, "mock-namespace", params)
+ suite.assert.NotNil(err)
+}
+
+func (suite *TenantTestSuite) TestUpdateTenantIdentityProviderWithoutError() {
+ ctx := context.Background()
+ opClientTenantGetMock = func(ctx context.Context, namespace string, tenantName string, options metav1.GetOptions) (*miniov2.Tenant, error) {
+ return &miniov2.Tenant{}, nil
+ }
+ opClientTenantUpdateMock = func(ctx context.Context, tenant *miniov2.Tenant, opts metav1.UpdateOptions) (*miniov2.Tenant, error) {
+ return &miniov2.Tenant{}, nil
+ }
+ k8sClientCreateSecretMock = func(ctx context.Context, namespace string, secret *v1.Secret, opts metav1.CreateOptions) (*v1.Secret, error) {
+ return nil, nil
+ }
+ params, _ := suite.initUpdateTenantIdentityProviderRequest()
+ params.Body.ActiveDirectory = &models.IdpConfigurationActiveDirectory{}
+ configURL := "mock"
+ clientID := "mock"
+ clientSecret := "mock"
+ claimName := "mock"
+ params.Body.Oidc = &models.IdpConfigurationOidc{
+ ConfigurationURL: &configURL,
+ ClientID: &clientID,
+ SecretID: &clientSecret,
+ ClaimName: &claimName,
+ }
+ params.Body.ActiveDirectory = &models.IdpConfigurationActiveDirectory{
+ URL: &configURL,
+ LookupBindDn: &claimName,
+ SkipTLSVerification: true,
+ ServerInsecure: true,
+ ServerStartTLS: true,
+ }
+ err := updateTenantIdentityProvider(ctx, suite.opClient, suite.k8sclient, "mock-namespace", params)
+ suite.assert.Nil(err)
+}
+
 func (suite *TenantTestSuite) TestDeleteTenantHandlerWithError() {
 params, api := suite.initDeleteTenantRequest()
 response := api.OperatorAPIDeleteTenantHandler.Handle(params, &models.Principal{})
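Review bot: TestUpdateTenantIdentityProviderWithoutError asserts only `suite.assert.Nil(err)`, so it would still pass if the OIDC client secret or the LDAP flags set here (`SkipTLSVerification`, `ServerInsecure`, `ServerStartTLS`) were dropped or never reached the tenant update. Capturing the argument of the update stub would at least prove the update was issued: declare `var updated *miniov2.Tenant`, set `updated = tenant` inside `opClientTenantUpdateMock`, and finish with `suite.assert.NotNil(updated)`. Which fields of the captured tenant or created secret are worth checking depends on updateTenantIdentityProvider, whose body is outside this diff. The first `params.Body.ActiveDirectory = &models.IdpConfigurationActiveDirectory{}` is overwritten a few lines later and can be removed.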