New-AdfsAzureMfaTenantCertificate
Creates a certificate for the AD FS farm to use to connect to Azure MFA, or returns the currently configured certificate.
Syntax
New-AdfsAzureMfaTenantCertificate
-TenantId <String>
[-Renew <Boolean>]
[-WhatIf]
[-Confirm]
[<CommonParameters>]
Description
The New-AdfsAzureMfaTenantCertificate cmdlet creates a certificate for an Active Directory Federation Services (AD FS) farm to use to connect to Azure Multi-Factor Authentication (MFA), or returns the currently configured certificate.
The cmdlet looks in the local machine My (Personal) certificate store for a certificate whose Issuer and Subject are both equal to:
CN = <tenant ID>
OU = Microsoft AD FS Azure MFA
Because Issuer equals Subject, the certificate is self-signed. If no such certificate is found, the cmdlet generates one. In either case it returns the certificate (public portion only, no private key) as a base64-encoded string, which is the value the tenant registration step in Example 1 consumes.
Examples
Example 1: Create a certificate and enable Azure MFA on an AD FS farm
PS C:\> $certbase64 = New-AdfsAzureMfaTenantCertificate -TenantID <your tenant ID>
PS C:\> New-AzureADServicePrincipalKeyCredential -ObjectId 981f26a1-7f43-403b-a875-f8b09b8cd720 -Type asymmetric -Usage verify -Value $certBase64
PS C:\> Set-AdfsAzureMfaTenant -TenantId <your tenant ID> -ClientId 981f26a1-7f43-403b-a875-f8b09b8cd720
These commands create a certificate for Azure MFA, register the certificate in a tenant, and enable Azure MFA on an AD FS farm.
Note
Customers are encouraged to use the newer Azure Active Directory PowerShell 2.0 module. For more information about the v2.0 module, see AzureAD PowerShell 2.0.
Example 2: Determine which certificate Azure MFA is using
$CertInBase64 = New-AdfsAzureMfaTenantCertificate -TenantID <your tenant ID>
# The cmdlet returns the DER certificate as base64; decode it into an X509Certificate2 to inspect it
$cert = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new([Convert]::FromBase64String($CertInBase64))
$cert | Format-List *
After AD FS has been configured for Azure MFA, these commands show which certificate Azure MFA is using; the NotBefore and NotAfter properties give its validity period, and Thumbprint identifies it in the local machine My store.
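The following is an added, end-to-end example; it is not part of this documentation or of the AD FS module. It puts the Description and the -Renew parameter to work: it reproduces the cmdlet's lookup in the local machine My store, decides between running with and without -Renew from the certificate's expiry, decodes the returned base64 certificate as Example 2 does, and registers the result with the AzureAD module the Note refers to. The tenant ID is a placeholder. The 30-day renewal threshold, resolving the Azure MFA service principal's ObjectId from its AppId with Get-AzureADServicePrincipal, and the AzureAD enum names AsymmetricX509Cert and Verify are assumptions of this example, not taken from the page.

```powershell
# Added example, not part of the cmdlet's documentation. Run in an elevated
# PowerShell 5+ session on the primary AD FS server with the AzureAD module installed.
# Assumptions: replace $tenantId with your tenant GUID; the 30-day renewal window is a
# local policy choice, not a product default.
$tenantId        = '<your tenant ID>'
$mfaClientId     = '981f26a1-7f43-403b-a875-f8b09b8cd720'   # Azure MFA client ID, as in Example 1
$renewWithinDays = 30

# 1. Reproduce the cmdlet's lookup: local machine My store, Subject and Issuer both carrying
#    CN=<tenant ID> and OU=Microsoft AD FS Azure MFA. Matching the two RDNs separately
#    (rather than one full DN string) avoids depending on RDN order in the rendered name.
$mfaCerts = Get-ChildItem -Path Cert:\LocalMachine\My | Where-Object {
    $_.Subject -like "*CN=$tenantId*" -and
    $_.Subject -like '*OU=Microsoft AD FS Azure MFA*' -and
    $_.Issuer  -eq $_.Subject                      # self-signed: Issuer equals Subject
} | Sort-Object NotAfter -Descending

foreach ($c in $mfaCerts) {
    $daysLeft = [int]($c.NotAfter - (Get-Date)).TotalDays
    '{0}  valid {1:yyyy-MM-dd} to {2:yyyy-MM-dd}  ({3} days left)' -f `
        $c.Thumbprint, $c.NotBefore, $c.NotAfter, $daysLeft
}

# 2. Choose the path the -Renew parameter documentation describes. -Renew is a Boolean,
#    not a switch, so it must be passed as -Renew $true.
$newest    = $mfaCerts | Select-Object -First 1
$firstTime = ($null -eq $newest)
$register  = $false
if ($firstTime -or $newest.NotAfter -le (Get-Date)) {
    # Missing or already expired: run WITHOUT -Renew; the cmdlet generates a replacement.
    $certBase64 = New-AdfsAzureMfaTenantCertificate -TenantId $tenantId
    $register   = $true
} elseif ($newest.NotAfter -le (Get-Date).AddDays($renewWithinDays)) {
    # Still valid but close to expiry: -Renew $true creates the successor certificate
    # while the current one keeps working, so the tenant can be updated in advance.
    $certBase64 = New-AdfsAzureMfaTenantCertificate -TenantId $tenantId -Renew $true
    $register   = $true
} else {
    # Healthy: the cmdlet simply returns the certificate already in the store.
    $certBase64 = New-AdfsAzureMfaTenantCertificate -TenantId $tenantId
}

# 3. The return value is the DER certificate (public part only) as base64. Decode it and
#    confirm the subject before touching the tenant.
$cert = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new(
            [Convert]::FromBase64String($certBase64))
if ($cert.Subject -notlike "*CN=$tenantId*") {
    throw "Returned certificate subject '$($cert.Subject)' does not match tenant $tenantId"
}
$cert | Format-List Subject, Issuer, Thumbprint, NotBefore, NotAfter

# 4. Register the public key on the Azure MFA service principal. New-AzureADServicePrincipalKeyCredential
#    takes the service principal's tenant-specific ObjectId, so resolve it from the well-known AppId
#    (assumption: the AzureAD module's -Type/-Usage enum names are AsymmetricX509Cert and Verify).
if ($register) {
    Connect-AzureAD -TenantId $tenantId | Out-Null
    $sp = Get-AzureADServicePrincipal -Filter "appId eq '$mfaClientId'"
    if (-not $sp) { throw "Azure MFA service principal (appId $mfaClientId) not found in tenant $tenantId" }

    New-AzureADServicePrincipalKeyCredential -ObjectId $sp.ObjectId -Type AsymmetricX509Cert `
        -Usage Verify -Value $certBase64 | Out-Null

    # First-time enablement also needs AD FS pointed at the tenant, as in Example 1.
    if ($firstTime) {
        Set-AdfsAzureMfaTenant -TenantId $tenantId -ClientId $mfaClientId
    }

    # Verify: the tenant should now hold a Verify credential whose EndDate matches the new NotAfter.
    Get-AzureADServicePrincipalKeyCredential -ObjectId $sp.ObjectId |
        Where-Object { $_.Usage -eq 'Verify' } |
        Select-Object KeyId, StartDate, EndDate
}
```

Step 1 deliberately mirrors the store lookup from the Description so that what the script reports is what the cmdlet will find; if the listing shows more than one certificate after a renewal, that is expected, since -Renew $true leaves the old certificate in place until it expires.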
Parameters
-Confirm
Prompts you for confirmation before running the cmdlet.
Type: SwitchParameter
Aliases: cf
Position: Named
Default value: False
Required: False
Accept pipeline input: False
Accept wildcard characters: False
-Renew
Renews the certificate. Because the parameter is a Boolean rather than a switch, pass it explicitly: -Renew $true. Use it while the current certificate is still valid, so that the new certificate can be registered in the tenant before the old one expires. Do not use it if the certificate has already expired; in that case run the cmdlet without -Renew, and the existing expired certificate is replaced with a new one.
Type: Boolean
Position: Named
Default value: None
Required: False
Accept pipeline input: False
Accept wildcard characters: False
-TenantId
Specifies the GUID representation of the Microsoft Entra tenant ID.
The tenant ID is shown on the Overview page of the Microsoft Entra admin center. In the classic Azure portal it also appeared in the browser URL, as in this example: https://manage.windowsazure.com/contoso.onmicrosoft.com#Workspaces/ActiveDirectoryExtension/Directory/<tenantID_GUID>/directoryQuickStart
Alternatively, you can use the Login-AzureRmAccount cmdlet; the account context it returns includes the tenant ID.
Type: String
Position: Named
Default value: None
Required: True
Accept pipeline input: False
Accept wildcard characters: False
-WhatIf
Shows what would happen if the cmdlet runs. The cmdlet is not run.
Type: SwitchParameter
Aliases: wi
Position: Named
Default value: False
Required: False
Accept pipeline input: False
Accept wildcard characters: False