7,925 questions
No it wont affect any user experience in your scenario
You can follow this:
https://learn.microsoft.com/en-us/exchange/configure-a-federation-trust-exchange-2013-help
Replace an expired federation certificate
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(80, 28.999999999999996%, 17%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EMQ%3C/text%3E%3C/svg%3E)
MS-QuestBox
20
Reputation points
We have to recreate the Federated Trust since the self-issue cert expired. Runing Exhange 2016 Hybrid DAG with no mailboxes on prem..
When we remove the federated trust will that affect access, users ability to log in to O365 online mailboxes until its recreated?
Will doing the following:
- Remove Federated Domain
- Remove Federation Trust
- Create a new federation certificate
- Configure the new certificate as the federation certificate
- Update the federation proof of domain ownership TXT record in external DNS
- Verify the distribution of the new federation certificate to all Exchange servers
- FederationTrust UpdateMetadata
- Add Federated Domains
Exchange | Exchange Server | Management
{count} votes
-
MS-QuestBox 20 Reputation points
2023-09-27T20:19:56.74+00:00 Hello, I got the following from MS- your thoughts:
"No, the user will not be able to login to Office 365 while the Federation Trust is removed. The Federation Trust is a one-to-one relationship with the Azure AD authentication service that defines parameters and authentication statements applicable to your Exchange organization. Without the Federation Trust, the user will not be able to authenticate with Azure AD and access Office 365 services.
To restore the user’s access, you need to re-create the Federation Trust with Azure AD and configure the organization relationship with Office 365.
To resolve this issue, we recommend the following steps:
- Remove the existing Federation Trust by running the following command in Exchange Management Shell:
Remove-FederationTrust -Identity “Microsoft Federation Gateway” - Create a new Federation Trust by running the following command in Exchange Management Shell:
New-FederationTrust -Name “Microsoft Federation Gateway” -Thumbprint “0A4B6C7D8E9F0A1B2C3D4E5F6A7B8C9D0A1B2C3D” -MetadataURL https://fs.microsoftonline.com/federationmetadata/federationmetadata.xml
Note: Replace the thumbprint value with the actual thumbprint of the certificate.
3. Verify that the new Federation Trust is created by running the following command in Exchange Management Shell:
Get-FederationTrust
You should see the new Federation Trust listed.
4. Restart the Microsoft Exchange Active Directory Topology service by running the following command in Exchange Management Shell:
Restart-Service MSExchangeADTopology
This step is necessary to ensure that the new Federation Trust is used by Exchange.
After completing these steps, the user should be able to log in while the Federation Trust is removed.
Please let us know if this solution works for you. If not, please feel free to contact us again, and we will troubleshoot further.
Thank you for choosing Microsoft 365. We value your business and look forward to serving you in the future. Have a great day ahead." - Remove the existing Federation Trust by running the following command in Exchange Management Shell:
-
Andy David - MVP 157.8K Reputation points MVP Volunteer Moderator2023-09-27T21:03:05.21+00:00 that is completely untrue. Sounds like they are confusing federated domains or something with ADFS
-
MS-QuestBox 20 Reputation points
2023-09-27T21:26:34.4266667+00:00 Thanks Andy. Wanted that confirmation.
We will attempt and report back with our findings.
It will be a week.
Thanks again.
Sign in to comment
Accepted answer
-
Andy David - MVP 157.8K Reputation points MVP Volunteer Moderator
2023-09-26T16:53:24.7066667+00:00 -
MS-QuestBox 20 Reputation points
2023-09-27T20:27:39.09+00:00 Hello, please see my comment.
-
MS-QuestBox 20 Reputation points
2023-09-30T20:45:20.6933333+00:00 Can I use the command to generate new cert even if the USERDNSDOMIN is .local
*test:$ski = [System.Guid]::NewGuid().ToString("N")
New-ExchangeCertificate -FriendlyName "Exchange Federated Sharing" -DomainName $env:USERDNSDOMAIN -Services Federation -KeySize 2048 -PrivateKeyExportable $true -SubjectKeyIdentifier $ski
Sign in to comment -
3 additional answers
Sort by: Most helpful
-
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(108.80000000000001, 13%, 20%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EJS%3C/text%3E%3C/svg%3E)
Jarvis Sun-MSFT 10,231 Reputation points Microsoft External Staff2023-09-27T05:29:45.2666667+00:00 When you remove the federated trust, it will not affect users’ ability to log in to their mailboxes. However, it is important to note that the federated trust is a critical component of the hybrid configuration. Removing it will disable certain features such as free/busy calendar sharing and mailbox moves between on-premises and Exchange Online. Once you recreate the federated trust, these features will be restored.
If the answer is helpful, please click "Accept Answer" and kindly upvote it. If you have extra questions about this answer, please click "Comment".
Note: Please follow the steps in our documentation to enable e-mail notifications if you want to receive the related email notification for this thread.
-
MS-QuestBox 20 Reputation points
2023-09-27T20:27:54.4433333+00:00 Hello, please see my comment.
-
Jarvis Sun-MSFT 10,231 Reputation points Microsoft External Staff
2023-09-28T07:26:20.8733333+00:00 Agree with Andy, it's not true as I know. Wait for your update.
-
MS-QuestBox 20 Reputation points
2023-09-28T21:34:32.1766667+00:00 Thanks Jarvis.
I am recreating the Federated Trust to avoid errors when running HCW to add more domains. I have no mailboxes on prem.
Will update on this issue asap.
-
MS-QuestBox 20 Reputation points
2023-10-03T18:18:06.2566667+00:00 Thank you for your help.
Sign in to comment -
-
Deleted
This answer has been deleted due to a violation of our Code of Conduct. The answer was manually reported or identified through automated detection before action was taken. Please refer to our Code of Conduct for more information.
Comments have been turned off. Learn more
-
Deleted
This answer has been deleted due to a violation of our Code of Conduct. The answer was manually reported or identified through automated detection before action was taken. Please refer to our Code of Conduct for more information.
Comments have been turned off. Learn more