Hybrid: ADFS and Azure Federation Certificate Renewal
Twice a day, all my Global Administrators were receiving the email shown below asking us to renew our certificate for Office 365. This is probably happening to many of us, so I am writing this post to document how to resolve it.
We use AD FS for federation between on-premises Active Directory and Office 365 in our hybrid setup, so the steps below are for AD FS. If you use a different product for federation, your steps will vary.
If you click “Update Trust Properties” in the email, you are taken to the link given in the Reference Link section.
Microsoft also published a hotfix for the AD FS proxy and the manual renewal procedure: https://support.microsoft.com/en-us/kb/3094446
Steps to update the certificate:
-If you are running AD FS 2.0 or later, no manual update is needed as long as the AutoCertificateRollover property is set to True. Note that automatic rollover covers only the token-signing and token-decrypting certificates; the SSL/service-communications certificate is always replaced manually.
-To verify this, log in to the AD FS server and run the command below.
-Then look for the AutoCertificateRollover property in the output:
-You can enable it manually by running the following command:
Set-ADFSProperties -AutoCertificateRollover $true
-Also check that your federation metadata is publicly accessible by browsing to the following URL from a computer on the public internet that is not on the corporate network. The URL is shown below:
In my case the certificate had expired, but the link still worked and I was able to download the XML file.
-First, let me install the new certificate. I exported it from the Exchange Admin Center, because it is the same wildcard certificate that Exchange uses.
Right-click the certificate and click Install, select Local Machine, and click Next on this screen. Click Yes on the UAC prompt.
Click Next here.
Click “Place all certificates in the following store”, click Browse and select Personal. Then click Next and Finish.
-Now open an elevated PowerShell prompt and run the following command to list the current certificates and their thumbprints:
-Copy the thumbprint of the new SSL certificate you want to use, then run the following commands to bind the new certificate to AD FS:
Set-AdfsCertificate -CertificateType Service-Communications -Thumbprint <thumbprint>
Set-AdfsSslCertificate -Thumbprint <thumbprint>
-Make sure to restart the AD FS service on every server in the AD FS farm.
-Check AD FS Management to confirm the new certificate is listed.
-We can also check from PowerShell by running the command below. Note that the token-signing certificate is separate from the SSL/service-communications certificate replaced above; it is the token-signing certificate that Azure AD stores in the federation trust and that the Azure AD update further down publishes:
Get-ADFSCertificate -CertificateType token-signing
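The whole AD FS-side procedure above, as one script. This is an added example, not code from the original post: it checks AutoCertificateRollover, imports the wildcard PFX and binds it as the service-communications and SSL certificate, restarts AD FS, and then fetches the federation metadata to confirm that the primary token-signing certificate AD FS reports is actually the one published for Azure AD to pick up. The federation service name, certificate subject and PFX path are assumed placeholders; the metadata path is the standard AD FS endpoint.

```powershell
# Added example, not code from the original post. Values marked "assumed" are placeholders.
#Requires -RunAsAdministrator
Import-Module ADFS

$FederationFqdn = 'sts.example.com'        # assumed: your federation service name
$CertSubject    = 'CN=*.example.com'       # assumed: subject of the wildcard certificate
$PfxPath        = 'C:\certs\wildcard.pfx'  # assumed: the PFX exported from Exchange Admin Center

# 1. AD FS rolls its own token-signing/decrypting certificates only when this is True.
if (-not (Get-AdfsProperties).AutoCertificateRollover) {
    Write-Warning 'AutoCertificateRollover is False; enabling it.'
    Set-AdfsProperties -AutoCertificateRollover $true
}

# 2. Import the wildcard PFX if it is not already in the machine store, then pick the
#    newest unexpired copy that has a private key.
$store = Get-ChildItem Cert:\LocalMachine\My
if (-not ($store | Where-Object { $_.Subject -eq $CertSubject -and $_.HasPrivateKey })) {
    Import-PfxCertificate -FilePath $PfxPath -CertStoreLocation Cert:\LocalMachine\My `
        -Password (Read-Host -AsSecureString -Prompt 'PFX password') | Out-Null
    $store = Get-ChildItem Cert:\LocalMachine\My
}
$newCert = $store |
    Where-Object { $_.Subject -eq $CertSubject -and $_.HasPrivateKey -and $_.NotAfter -gt (Get-Date) } |
    Sort-Object NotAfter -Descending | Select-Object -First 1
if (-not $newCert) { throw "No unexpired certificate with a private key found for $CertSubject" }

# 3. Bind it as the service-communications and SSL certificate and restart AD FS.
#    On a 2012 R2 farm Set-AdfsSslCertificate must be run on every federation server, and the
#    Web Application Proxy needs Set-WebApplicationProxySslCertificate separately.
Set-AdfsCertificate -CertificateType Service-Communications -Thumbprint $newCert.Thumbprint
Set-AdfsSslCertificate -Thumbprint $newCert.Thumbprint
Restart-Service adfssrv

# 4. Azure AD can only pick up a rolled-over token-signing certificate if the federation
#    metadata is reachable from the internet. This fetch checks the content; reachability
#    from outside still has to be confirmed from a non-corporate machine.
$metadataUrl = "https://$FederationFqdn/FederationMetadata/2007-06/FederationMetadata.xml"
try {
    [xml]$metadata = (Invoke-WebRequest -Uri $metadataUrl -UseBasicParsing).Content
} catch {
    throw "Federation metadata is not reachable at $metadataUrl : $($_.Exception.Message)"
}
$ns = @{ md = 'urn:oasis:names:tc:SAML:2.0:metadata'; ds = 'http://www.w3.org/2000/09/xmldsig#' }
$publishedThumbprints = Select-Xml -Xml $metadata -Namespace $ns `
        -XPath "//md:KeyDescriptor[@use='signing']/ds:KeyInfo/ds:X509Data/ds:X509Certificate" |
    ForEach-Object {
        $raw = [Convert]::FromBase64String($_.Node.InnerText.Trim())
        (New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList (,$raw)).Thumbprint
    } | Sort-Object -Unique

# The primary token-signing certificate is the one the Azure AD federation trust relies on.
$tokenSigning = Get-AdfsCertificate -CertificateType Token-Signing | Where-Object { $_.IsPrimary }
if ($publishedThumbprints -notcontains $tokenSigning.Thumbprint) {
    Write-Warning "Primary token-signing cert $($tokenSigning.Thumbprint) is not in the published metadata."
}
"Primary token-signing certificate expires: $($tokenSigning.Certificate.NotAfter)"

Get-AdfsCertificate | Select-Object CertificateType, IsPrimary, Thumbprint,
    @{ Name = 'NotAfter'; Expression = { $_.Certificate.NotAfter } }
```

The metadata fetch is deliberately placed after the SSL certificate is replaced: with an expired SSL certificate in place, as in my case, Invoke-WebRequest fails TLS validation even though a browser will still let you download the file.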
-Now update the certificate in Azure AD to stop the alert email.
-Open “Microsoft Azure Active Directory Module for Windows PowerShell” from the desktop.
>Run the command below. When the cmdlet prompts you for credentials, type the cloud service administrator account credentials that we use for AD FS/AAD Connect.
>Run the following command to connect to the Azure cloud service:
Connect-MsolService -Credential $cred
>Run the following command if you are connecting to the cloud service from a machine that is not an AD FS server:
Set-MSOLAdfscontext -Computer <AD FS server FQDN>
Example: Set-MSOLAdfscontext -Computer Azaad.G5.com
>Run the following command to push the updated certificate information to Azure AD:
Update-MSOLFederatedDomain -DomainName <domain name>
Example: Update-MSOLFederatedDomain -DomainName Go5llc.com
The federation trust should now be updated and the alert emails should stop. Run the following command to verify that Azure AD holds the new certificate:
Get-MsolFederationProperty -DomainName <your domain name>
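The Azure AD side of the procedure as one script, added here as an example rather than taken from the original post. It connects with the MSOnline module, compares the token-signing certificate AD FS uses with the one Azure AD has on file for the domain, runs Update-MsolFederatedDomain only when they differ, and verifies the result. The server and domain names are the placeholders used in the post; the Get-FederationCertState function is my own helper.

```powershell
# Added example, not code from the original post. Replace the placeholder names with your own.
Import-Module MSOnline

$AdfsServer = 'Azaad.G5.com'   # federation server FQDN (placeholder from the post)
$Domain     = 'Go5llc.com'     # federated domain (placeholder from the post)

$cred = Get-Credential -Message 'Cloud service (Global Administrator) credentials'
Connect-MsolService -Credential $cred

# Only needed when this is not run on an AD FS server; the MSOnline module reads the
# token-signing certificate from the AD FS server named here.
if ($env:COMPUTERNAME -ne ($AdfsServer -split '\.')[0]) {
    Set-MsolADFSContext -Computer $AdfsServer
}

function Get-FederationCertState {
    # Compares the token-signing certificate AD FS uses ("ADFS Server" row) with the one
    # Azure AD has on file ("Microsoft Office 365" row) for the domain.
    param([Parameter(Mandatory)][string]$DomainName)
    $props = Get-MsolFederationProperty -DomainName $DomainName
    $adfs  = ($props | Where-Object { $_.Source -eq 'ADFS Server' }).TokenSigningCertificate
    $cloud = ($props | Where-Object { $_.Source -eq 'Microsoft Office 365' }).TokenSigningCertificate
    [pscustomobject]@{
        Domain       = $DomainName
        AdfsCert     = $adfs.Thumbprint
        AdfsExpires  = $adfs.NotAfter
        CloudCert    = $cloud.Thumbprint
        CloudExpires = $cloud.NotAfter
        InSync       = ($adfs.Thumbprint -eq $cloud.Thumbprint)
    }
}

$before = Get-FederationCertState -DomainName $Domain
$before | Format-List

if (-not $before.InSync) {
    # -SupportMultipleDomain is required when more than one top-level domain is federated
    # in the tenant and must match how the domain was originally converted. This check is
    # an approximation: it counts every federated domain in the tenant.
    $federated = @(Get-MsolDomain | Where-Object { $_.Authentication -eq 'Federated' })
    if ($federated.Count -gt 1) {
        Update-MsolFederatedDomain -DomainName $Domain -SupportMultipleDomain
    } else {
        Update-MsolFederatedDomain -DomainName $Domain
    }
    $after = Get-FederationCertState -DomainName $Domain
    $after | Format-List
    if (-not $after.InSync) {
        throw "Azure AD still holds the old token-signing certificate for $Domain"
    }
}
```

Running the comparison before and after makes the change auditable: the CloudCert thumbprint and CloudExpires date on the "Microsoft Office 365" row are exactly what the renewal email is complaining about, and the alert stops once they match the AD FS row.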
Microsoft MVP | Office Servers and Services