Learn Exchange the Guru way !!!


Hybrid: ADFS and Azure Federation Certificate Renewal

Twice a day, all my Global Administrators were receiving the following email asking us to renew our certificate for Office 365. This is probably happening to many of you, so I am writing this post to explain how to resolve it.

Email copy

We are using AD FS for the federation between on-premises and Office 365 in our hybrid setup, so the steps below are for AD FS. If you use a different federation provider, your steps will vary.

If you click “Update Trust Properties” in the email, it takes you to the link given under Reference Link.

Reference Link:

There is a hotfix available for the ADFS proxy and a manual renewal procedure:

Steps to update the Cert:

-If you are running AD FS 2.0 or later and the AutoCertificateRollover property is set to True, the token-signing and token-decrypting certificates renew themselves and you don’t need to do anything manually for them. Automatic rollover does not cover the SSL/service communications certificate, which comes from a CA and has to be renewed by hand.

-To verify this, log in to the ADFS server and run the following command:


-Then look for the following line in the output:

AutoCertificateRollover : True

-If it is False, you can enable it by running the following command:

    Set-ADFSProperties -AutoCertificateRollover $true

-Also check that your federation metadata is publicly accessible by browsing to your farm’s federation metadata URL from a computer on the public internet that is not on the corporate network. Azure AD reads the new token-signing certificate from this metadata, so if it is not reachable the trust on the Office 365 side cannot update itself:


In my case the certificate had expired, but the link was working and I was able to download the XML file.
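The checks above (rollover setting, certificate expiry, public metadata) can be done from PowerShell in one go. The following is an added example, not code from the original post: it reads the AD FS properties, reports the primary token-signing certificate and its expiry, downloads the federation metadata and compares the signing certificate it publishes with the one the farm actually uses. The metadata path is the standard AD FS one; the host name is taken from your own farm, and the request should be run from a machine outside the corporate network to prove public reachability.

```powershell
# Added example (not from the original post). Run in an elevated PowerShell
# on an AD FS server; the Invoke-WebRequest part is best repeated from a
# machine on the public internet.
Import-Module ADFS

$props = Get-AdfsProperties
"AutoCertificateRollover : {0}" -f $props.AutoCertificateRollover
"CertificateDuration     : {0} days" -f $props.CertificateDuration

# Primary token-signing certificate: this is the one Azure AD tracks and the
# one the renewal email is about.
$signing  = Get-AdfsCertificate -CertificateType Token-Signing | Where-Object { $_.IsPrimary }
$daysLeft = ($signing.Certificate.NotAfter - (Get-Date)).Days
"Token-signing thumbprint: {0}, expires {1} ({2} days left)" -f $signing.Thumbprint, $signing.Certificate.NotAfter, $daysLeft

Get-AdfsCertificate -CertificateType Token-Decrypting |
    Select-Object CertificateType, IsPrimary, Thumbprint, @{n='NotAfter'; e={ $_.Certificate.NotAfter }}

# Federation metadata at the standard AD FS path. If the service
# communications (SSL) certificate has expired, this request fails with a
# trust error, which is itself the finding.
$fsName      = $props.HostName
$metadataUrl = "https://$fsName/FederationMetadata/2007-06/FederationMetadata.xml"
$resp = Invoke-WebRequest -Uri $metadataUrl -UseBasicParsing
[xml]$md = $resp.Content

# Signing certificates published for the SAML IdP role
$ns = New-Object System.Xml.XmlNamespaceManager($md.NameTable)
$ns.AddNamespace('md', 'urn:oasis:names:tc:SAML:2.0:metadata')
$ns.AddNamespace('ds', 'http://www.w3.org/2000/09/xmldsig#')
$xpath = '//md:IDPSSODescriptor/md:KeyDescriptor[@use="signing"]/ds:KeyInfo/ds:X509Data/ds:X509Certificate'
$published = $md.SelectNodes($xpath, $ns) | ForEach-Object {
    $bytes = [Convert]::FromBase64String($_.InnerText)
    (New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($bytes)).Thumbprint
}

if ($published -contains $signing.Thumbprint) {
    "Metadata publishes the primary token-signing cert $($signing.Thumbprint); Azure AD can pick it up automatically."
} else {
    "Metadata does NOT list $($signing.Thumbprint) (published: $($published -join ', ')). Expect to run Update-MsolFederatedDomain by hand."
}
```

During an automatic rollover both the old (primary) and the new (secondary) token-signing certificates appear in the metadata, so a thumbprint list with two entries is normal; the check only fails when the farm’s primary certificate is missing from what the world can see.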

-First, let me replace the certificate. I exported the new certificate from the Exchange Admin Center, since it is a wildcard certificate that Exchange also uses.

-Cert installation

Right-click the certificate (.pfx) file and click Install, select Local Machine, click Next, and click Yes on the UAC prompt.

Click Next

Click next here

Select “Place all certificates in the following store”, click Browse and select Personal, then click Next and Finish.

-Now open an elevated PowerShell prompt and run the following command to list the current certificates and their thumbprints:

dir cert:\LocalMachine\My

-Copy the thumbprint of the new SSL certificate, then run the following commands to bind it to AD FS. Set-AdfsCertificate updates the Service-Communications certificate in the configuration database; Set-AdfsSslCertificate updates the HTTP.sys TLS binding and exists on AD FS 3.0 (Windows Server 2012 R2) and later, while on AD FS 2.x the binding is changed in IIS instead:

Set-AdfsCertificate -CertificateType Service-Communications -Thumbprint <thumbprint>

Set-AdfsSslCertificate -Thumbprint <thumbprint>

-Restart the AD FS service (adfssrv) on every server in the farm, and don’t forget the proxy servers, which present the same certificate to the internet.

-Check the result in the AD FS Management console under Service > Certificates.

-We can also check from PowerShell. Note that this command shows the token-signing certificate, which is the one Azure AD tracks and the one auto-rollover renews; use -CertificateType Service-Communications to see the certificate you just bound:

    Get-ADFSCertificate –CertificateType token-signing

-Now update the federation trust in Azure AD so the alert emails stop.

-Open “Microsoft Azure Active Directory Module for Windows PowerShell” (the MSOnline module) from the desktop.

>Run the following command. When it prompts for credentials, enter the cloud service administrator (Office 365 Global Administrator) account that we use for ADFS/AADConnect:

$cred=Get-Credential

>Run the following command to connect to the Azure cloud service:

Connect-MsolService –Credential $cred

>If you are running these commands from a machine that is not an AD FS server, point the module at your AD FS server:

     Set-MsolADFSContext -Computer <ADFS server FQDN>

Example: Set-MSOLAdfscontext -Computer

>Run the following command to push the farm’s current federation settings, including the token-signing certificate, to Azure AD. If the domain was federated with -SupportMultipleDomain, add that switch here as well:

Update-MsolFederatedDomain –DomainName <domain name>

    Example: Update-MSOLFederatedDomain –DomainName

The trust should now be updated and the alert emails should stop. Run the following command to verify that Azure AD has the new certificate; it returns one row sourced from the AD FS server and one from Office 365, and the token-signing certificates in both rows should match:

Get-MsolFederationProperty -DomainName yourdomainname
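The whole procedure from this article, from importing the renewed certificate to confirming that AD FS and Azure AD agree, can be scripted. This is an added example and not code from the original post. It assumes AD FS 3.0 or later (because of Set-AdfsSslCertificate), the MSOnline module, and that you run it in an elevated PowerShell on the primary AD FS server; the PFX path, the domain name and the computer name are placeholders to replace with your own values.

```powershell
# Added example (not from the original post). Placeholders: $pfxPath,
# $domainName, $adfsServer.
Import-Module ADFS
Import-Module MSOnline

$pfxPath    = 'C:\certs\wildcard-contoso.pfx'   # the PFX exported from Exchange Admin Center
$domainName = 'contoso.com'                      # the federated domain to update
$adfsServer = $env:COMPUTERNAME                  # use the AD FS server FQDN when running elsewhere

# 1. Import the renewed certificate with its private key into LocalMachine\My
$pfxPassword = Read-Host -AsSecureString -Prompt 'PFX password'
$newCert = Import-PfxCertificate -FilePath $pfxPath -CertStoreLocation Cert:\LocalMachine\My -Password $pfxPassword -Exportable

# Sanity checks before binding: private key present, not expired, name covers the farm
$fsName = (Get-AdfsProperties).HostName
if (-not $newCert.HasPrivateKey) { throw 'Imported certificate has no private key' }
if ($newCert.NotAfter -lt (Get-Date)) { throw "Imported certificate is already expired ($($newCert.NotAfter))" }
$names    = $newCert.DnsNameList.Unicode
$wildcard = '*.' + ($fsName -replace '^[^.]+\.', '')
if ($names -notcontains $fsName -and $names -notcontains $wildcard) {
    throw "Certificate names ($($names -join ', ')) do not cover $fsName"
}

# 2. Bind it to AD FS: configuration database entry plus the HTTP.sys TLS binding
Set-AdfsCertificate -CertificateType Service-Communications -Thumbprint $newCert.Thumbprint
Set-AdfsSslCertificate -Thumbprint $newCert.Thumbprint
Restart-Service adfssrv

# 3. Push the farm's federation settings (including the token-signing
#    certificate) to Azure AD. Needs a Global Administrator credential.
$cred = Get-Credential -Message 'Office 365 Global Administrator'
Connect-MsolService -Credential $cred
Set-MsolADFSContext -Computer $adfsServer
Update-MsolFederatedDomain -DomainName $domainName
# If the domain was federated with -SupportMultipleDomain, use this instead:
# Update-MsolFederatedDomain -DomainName $domainName -SupportMultipleDomain

# 4. Verify: one row comes from the AD FS server, one from Office 365.
#    Their token-signing thumbprints must be identical.
$fed = Get-MsolFederationProperty -DomainName $domainName
$fed | Format-Table Source,
    @{n='TokenSigningThumbprint'; e={ $_.TokenSigningCertificate.Thumbprint }},
    @{n='NotAfter';               e={ $_.TokenSigningCertificate.NotAfter }} -AutoSize

$thumbs = $fed | ForEach-Object { $_.TokenSigningCertificate.Thumbprint } | Sort-Object -Unique
if ($thumbs.Count -eq 1) {
    "AD FS and Azure AD agree on token-signing cert $thumbs; the renewal alert should stop."
} else {
    "Mismatch between AD FS and Azure AD: $($thumbs -join ' vs ')"
}
```

The checks in step 1 catch the two mistakes that most often turn a certificate swap into an outage: importing a certificate without its private key (the TLS binding then fails silently until the service restarts), and binding a certificate whose names do not include the federation service name.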


Prabhat Nigam

Microsoft MVP | Office Servers and Services


One Response to “Hybrid: ADFS and Azure Federation Certificate Renewal”

  1. Weekly IT Newsletter – June 20-24, 2016 | Just a Lync Guy Says:

    […] Hybrid: ADFS and Azure Federation Certificate Renewal […]




