Renew ADFS certificate for O365

Jaded Smith 0 Reputation points
2023-04-21T18:55:21.4766667+00:00

Hello, our ADFS cert is coming due and we have generated new Token Signing/Decrypting certificates. I've worked with our vendors to update on their end. But I'm confused on a couple of steps in this Microsoft doc that I will outline: https://learn.microsoft.com/en-us/azure/active-directory/hybrid/how-to-connect-fed-o365-certs

Step 2: Confirm that AD FS and Azure AD are in sync

"Get-MsolFederationProperty -DomainName <domain.name> | FL Source, TokenSigningCertificate"

I'm assuming <domain.name> is my company.onmicrosoft.com, correct? If yes, then the output says our domain does not exist, which I suspect is because we're not necessarily federated. We're a Managed Domain where we sync objects to Azure AD.

Step 2: Update the new token signing certificates for the Microsoft 365 trust

Update-MSOLFederatedDomain –DomainName <domain>

If the above statement is true, then shouldn't Microsoft 365 detect the new certificates automatically once I set them to Primary? It seems this next command is only for a federated domain, so I'm apprehensive to run it. The overall end goal is to ensure no hiccup in services or users being able to sign in. The AutoCertificateRollover attribute is set to $false. I suspect the last admin wanted to manually manage creating the certs...

Microsoft Security | Active Directory Federation Services
Microsoft Security | Microsoft Entra | Microsoft Entra ID

2 answers

  1. Mark Morowczynski 251 Reputation points Microsoft Employee
    2023-04-23T00:12:20.72+00:00

    The mycompany.onmicrosoft.com domain cannot be federated. What you should put in is whatever your mycompany.com is, probably whatever the suffix is to your email or how you sign in to things like O365. Next week we are running a free workshop on how to migrate off of ADFS to AAD only. If your domain is truly set up as managed, you should focus on migrating those apps from ADFS to AAD. https://techcommunity.microsoft.com/t5/community-events-list/microsoft-workshops-how-to-successfully-migrate-away-from-ad-fs/m-p/3668480


  2. Givary-MSFT 35,626 Reputation points Microsoft Employee Moderator
    2023-04-27T00:43:51.5633333+00:00

    @Jaded Smith Adding to the above answer, while performing the steps to update the token signing certificate for O365, execute the Get-MsolDomain cmdlet, which will give information about the domains that are federated in your Azure AD tenant.

    Once you identify the domain which is federated, you can use that domain name to update the token signing certificate.

    Reference: https://learn.microsoft.com/en-us/answers/questions/1163702/what-is-difference-between-federated-domain-vs-man

    Let me know if you still have any questions, we can connect offline over teams to discuss further on the same.

    You can reach us by sending us an email on azcommunity [at] microsoft [dot] com referencing this issue with a subject line "ATTN:Givary"
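Both answers come down to the same check: find out which domains (if any) are federated, and only for those compare the AD FS primary token-signing certificate with what Azure AD holds before running Update-MsolFederatedDomain. The script below is an added example, not from the thread or from Microsoft's documentation. It assumes the MSOnline and ADFS PowerShell modules are installed, that Connect-MsolService has already been run, and that it runs on an AD FS server; the filter on the Source column (anything not starting with "ADFS" is treated as the Azure AD side) is an assumption about the labels Get-MsolFederationProperty returns. Microsoft has since deprecated the MSOnline module, so on a current tenant the domain listing would come from Microsoft Graph instead.

```powershell
# Added example (not the thread's or Microsoft's code): report whether the
# AD FS primary token-signing certificate matches what Azure AD has for each
# federated domain, and never touch the trust unless -Update is given.
# Assumes: MSOnline + ADFS modules present, Connect-MsolService already run.
Import-Module MSOnline
Import-Module ADFS

function Get-AdfsPrimaryTokenSigningThumbprint {
    # The primary token-signing certificate is the one AD FS signs with now;
    # a newly generated certificate that is not yet primary is not in use.
    $primary = Get-AdfsCertificate -CertificateType Token-Signing |
        Where-Object { $_.IsPrimary }
    return $primary.Thumbprint
}

function Get-FederatedDomainCertState {
    param([Parameter(Mandatory)][string]$AdfsThumbprint)

    # Managed domains (password hash sync / pass-through auth) have no
    # federation trust, so they are excluded here and need no update.
    $federated = Get-MsolDomain | Where-Object { $_.Authentication -eq 'Federated' }
    if (-not $federated) {
        Write-Warning 'No federated domains in this tenant; Update-MsolFederatedDomain does not apply.'
        return @()
    }

    foreach ($domain in $federated) {
        # One row per Source (AD FS side and Azure AD side), each carrying
        # the token-signing certificate that side believes is current.
        $props = Get-MsolFederationProperty -DomainName $domain.Name
        # Assumption: rows whose Source does not start with "ADFS" are Azure AD's view.
        $cloud = $props | Where-Object { $_.Source -notlike 'ADFS*' }
        $cloudThumbs = @($cloud | ForEach-Object { $_.TokenSigningCertificate.Thumbprint })
        $stale = @($cloudThumbs | Where-Object { $_ -ne $AdfsThumbprint })

        [pscustomobject]@{
            Domain           = $domain.Name
            AdfsPrimary      = $AdfsThumbprint
            AzureAdThumbs    = ($cloudThumbs -join ',')
            InSync           = ($stale.Count -eq 0)
        }
    }
}

function Invoke-TokenSigningCertCheck {
    param([switch]$Update)

    $rollover = (Get-AdfsProperties).AutoCertificateRollover
    Write-Host "AutoCertificateRollover: $rollover (when False, AD FS will not create or promote certificates itself)"

    $adfsThumb = Get-AdfsPrimaryTokenSigningThumbprint
    $state = Get-FederatedDomainCertState -AdfsThumbprint $adfsThumb
    $state | Format-Table -AutoSize

    foreach ($row in $state | Where-Object { -not $_.InSync }) {
        if ($Update) {
            # Pushes the AD FS signing certificate into the Microsoft 365 trust
            # for this one domain; do this after the new cert is primary in AD FS.
            Update-MsolFederatedDomain -DomainName $row.Domain
        } else {
            Write-Host "Out of sync: $($row.Domain). Re-run with -Update after confirming the new certificate is primary in AD FS."
        }
    }
}

# Report only; add -Update to actually refresh the trust for mismatched domains.
Invoke-TokenSigningCertCheck
```

Run it once before promoting the new certificate to see the baseline, then again after setting it primary in AD FS; a domain that still reports InSync = False at that point is the one that needs Update-MsolFederatedDomain, and a tenant with no federated domains at all confirms the original poster's suspicion that the command does not apply to them.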

