As Office 365 was launched just over a year ago, there will be organizations that run into an issue with their AD FS (SSO) implementation, the result of which is that NO FEDERATED USER is able to sign in to any of the Office 365 services!!!!

Set it and forget it works for just 1 year if you implemented AD FS the fast and easy way. A couple of things might have happened in those 12 months:

– Token Signing Certificate is expired

– MSOL Services Module for Windows PowerShell has not been updated

– Sign In URL Certificate is expired

In this blog post I’ll do a walkthrough of the update process of the first two from this list. The web service (Sign In URL) probably involves a public certificate and has to be updated through IIS Management console after renewing your public web certificate.

Of course it is best to do this BEFORE the expiration dates!!!!

The starting point for renewing the Token Signing Certificate is taking a look at the current settings in both the AD FS Management Console and MSOL PowerShell:

Open MSOL Services Module for Windows Powershell and enter the following commands:

$cred = Get-Credential    # enter your Online Admin credentials

Connect-MsolService -Credential $cred

Set-MsolADFSContext -Computer <your adfs servername>

Get-MSOLFederationProperty -DomainName <your domainname>

The output looks something like this: [image: pic1]


Have a close look at the Token Signing Certificate “not after” date and the thumbprint, which are both equal on Source: “your AD FS Server” and on Source “Microsoft Office365”.

The second step is to verify the current settings in the AD FS Management console: [image: pic2]


In this console you click “Add Token-Signing Certificate”: [image: pic3]


You’ll probably end up with this warning, and the wizard will not continue. Fortunately, the warning gives us exact information on how to add a new certificate to AD FS: [image: pic4]


Open Powershell as Administrator and run:

Add-PSSnapin Microsoft.Adfs.Powershell

Update-ADFSCertificate -CertificateType: Token-Signing -Urgent:$true

You can check the new certificate by looking at the date in the AD FS Management Console: [image: pic6]


Now we have to update the Microsoft Federation Gateway with this newly created certificate on our AD FS server, because there is now a difference between the settings on the two. Until that is done, Office 365 still holds the old certificate: [image: pic7]


The command for doing that is:

Update-MSOLFederatedDomain -DomainName <your domainname>

Check the result by entering the following command:

Get-MSOLFederationProperty -DomainName <your domainname>

[image: pic8]
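
A scripted version of the thumbprint and “not after” comparison between the two Sources, as an added example that is not part of the original post. Test-FederationCert, New-SampleProperty, the 30-day warning window and the sample values are assumptions made up for illustration; the function reads only the Source and TokenSigningCertificate properties of each object.

```powershell
# Added example, not from the original post. Test-FederationCert is a
# hypothetical helper; the 30-day warning window is an assumed default.
function Test-FederationCert {
    param(
        [Parameter(Mandatory=$true, ValueFromPipeline=$true)] $Property,
        [int] $WarnDays = 30,
        [datetime] $Now = (Get-Date)
    )
    begin   { $seen = @() }
    process { $seen += $Property }
    end {
        # Both Sources must report the same token-signing thumbprint.
        $thumbs = $seen | ForEach-Object { $_.TokenSigningCertificate.Thumbprint } |
                  Sort-Object -Unique
        $inSync = (@($thumbs).Count -eq 1)
        foreach ($p in $seen) {
            $cert     = $p.TokenSigningCertificate
            $daysLeft = [int][math]::Floor(($cert.NotAfter - $Now).TotalDays)
            # Later checks override earlier ones: EXPIRED > MISMATCH > RENEW SOON.
            $status = 'OK'
            if ($daysLeft -le $WarnDays) { $status = 'RENEW SOON' }
            if (-not $inSync)            { $status = 'MISMATCH' }
            if ($daysLeft -lt 0)         { $status = 'EXPIRED' }
            New-Object PSObject -Property @{
                Source = $p.Source; Thumbprint = $cert.Thumbprint
                NotAfter = $cert.NotAfter; DaysLeft = $daysLeft; Status = $status
            } | Select-Object Source, Thumbprint, NotAfter, DaysLeft, Status
        }
    }
}

# Constructed sample (not real output): the state after Update-ADFSCertificate
# but before Update-MSOLFederatedDomain, when the two Sources disagree.
function New-SampleProperty($Source, $Thumbprint, $NotAfter) {
    New-Object PSObject -Property @{
        Source = $Source
        TokenSigningCertificate = (New-Object PSObject -Property @{
            Thumbprint = $Thumbprint; NotAfter = [datetime]$NotAfter })
    }
}
$sample = @(
    (New-SampleProperty 'ADFS Server' 'CONSTRUCTED-NEW-THUMBPRINT' '2014-07-01'),
    (New-SampleProperty 'Microsoft Office 365' 'CONSTRUCTED-OLD-THUMBPRINT' '2013-07-10')
)
$sample | Test-FederationCert -Now ([datetime]'2013-07-01') | Format-Table -AutoSize
```

On a server with the MSOL module connected, the output of Get-MSOLFederationProperty -DomainName <your domainname> can be piped into the function in place of $sample.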


If you did not use the self-signed certificate in AD FS but assigned certificates through your local PKI please see the following website: .

To avoid any issues of this kind you can use the Microsoft Office 365 Federation Metadata Update Automation Installation Tool which you can download from:

Finally, it might be a good idea to check if you are using the latest version of the MSOL Service Module for Windows PowerShell. As far as I know, this tool is not automatically updated by Windows Update.


Good Luck!

by on Jul 7, 2012 at 9:40 PM

11 Responses to “Update Certificates in AD FS for Office365”

  1. And this is why I'm glad I still visit your blog every now and then.
    This morning I got an email from Office 365 saying this had to be done, and the link in the email went to a 404 page ;-).

  2. Dimitar Georgiev says:

    Thank you for the good article! It helped me a lot!

  3. Martin Jensen says:

    Thank you for the great help it turned out to be! 🙂

  4. Bert Barske says:

    Now only the Token-signing certificate has been given a new date.
    The Token-decrypting certificate is still set to expire in 23 days!!!
    Did I miss something, or does that one have to be done in a different way?

  5. Bert Barske says:

    Clear explanation.
    For both certificates I ran:
    Update-ADFSCertificate -CertificateType: Token-Signing -Urgent:$true
    Update-ADFSCertificate -CertificateType: Token-Decrypting -Urgent:$true
    Everything looks good.
    After restarting adfs and the adfs proxy, the (student) mail could no longer be reached externally.
    Only internal webmail sign-ins worked correctly.
    Should something in the configuration on the proxy server also have been changed?

  6. Tim Kuhnell says:

    The images are lost – could be very convenient to have them back.

  7. […] time I followed a different link I started the same way as before, replacing the SSL certificate in IIS. However, I didn’t […]
