How do I sync my on-prem ADFS server certificates with Azure ADFS? or vice versa.

Timothy Lee 1 Reputation point
2022-04-26T06:22:36.297+00:00

We have an on-prem ADFS server and Azure ADFS servers; currently the Azure ones have priority on the LB, but I checked our on-prem one and the Token-Signing and Token-Decrypting certificates are different on each server. It seems like AutoCertificateRollover ran independently on each, and now I have mismatching certs: the secondary certs are the same on both sets of servers, however the primary (new auto-created) certs have different thumbprints.

I guess I have 2 questions:

  1. Does it matter that the certificates are not the same?
  2. How do I sync them? I've tried running Update-AdfsCertificate -CertificateType Token-Decrypting -Urgent and Update-AdfsCertificate -CertificateType Token-Signing -Urgent, then running Update-MsolFederatedDomain -DomainName <domain> -SupportMultipleDomain on the on-prem ADFS server, but that didn't update the certs in Azure and now they are completely different...

Any help would be much appreciated,

Thanks,

Tim
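One way to confirm the mismatch Tim describes before touching anything, written as an added example rather than code from the question or the answer: it pulls the Token-Signing and Token-Decrypting certificates from each ADFS server with Get-AdfsCertificate and flags any primary or secondary thumbprint that is not identical on every server. The server names are placeholders, and PowerShell Remoting plus the ADFS module on each server are assumed.

```powershell
# Added example (not from the question or answer above): compare the
# Token-Signing and Token-Decrypting certificates across ADFS servers.
# Assumes PowerShell Remoting to each server and the ADFS module on them.
# Server names below are placeholders; replace them with your own.
$Servers = @('ADFS-ONPREM-01', 'ADFS-AZURE-01', 'ADFS-AZURE-02')

# Collect every token certificate (primary and secondary) from each server,
# together with that farm's AutoCertificateRollover setting.
$Inventory = foreach ($Server in $Servers) {
    Invoke-Command -ComputerName $Server -ScriptBlock {
        $Props = Get-AdfsProperties
        Get-AdfsCertificate -CertificateType 'Token-Signing', 'Token-Decrypting' |
            ForEach-Object {
                [PSCustomObject]@{
                    Server          = $env:COMPUTERNAME
                    AutoRollover    = $Props.AutoCertificateRollover
                    CertificateType = $_.CertificateType
                    IsPrimary       = $_.IsPrimary
                    Thumbprint      = $_.Thumbprint
                    NotAfter        = $_.Certificate.NotAfter
                }
            }
    }
}

$Inventory | Sort-Object CertificateType, IsPrimary, Server | Format-Table -AutoSize

# Flag any (type, primary/secondary) pair whose thumbprint differs between servers.
$Mismatch = $Inventory |
    Group-Object CertificateType, IsPrimary |
    Where-Object { ($_.Group.Thumbprint | Select-Object -Unique).Count -gt 1 }

if ($Mismatch) {
    foreach ($G in $Mismatch) {
        $Role = if ($G.Group[0].IsPrimary) { 'primary' } else { 'secondary' }
        $Detail = ($G.Group | ForEach-Object { "$($_.Server)=$($_.Thumbprint)" }) -join ', '
        Write-Warning ("{0} {1} certificate differs across servers: {2}" -f
            $G.Group[0].CertificateType, $Role, $Detail)
    }
    # A relying party validates tokens only against the signing certificate(s) it
    # has been given; tokens signed by a certificate it does not know will be rejected.
    Write-Warning 'Farms signing with different primary certificates will not both be trusted by the same relying party.'
} else {
    Write-Host 'Token certificates are consistent across all servers.'
}
```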


1 answer

  1. Mark Morowczynski 251 Reputation points Microsoft Employee
    2023-01-22T14:46:50.4233333+00:00

    If you are looking to migrate those apps to Azure AD: https://www.microsoft.com/en-us/security/business/identity-access/upgrade-adfs & https://techcommunity.microsoft.com/t5/community-events-list/microsoft-workshops-how-to-successfully-migrate-away-from-ad-fs/m-p/3668480
