Update Certificates in AD FS for Office365

Office 365 was launched just over a year ago, so organizations that set up AD FS (SSO) at launch will now start running into an issue with their implementation, the result of which is that NO federated user is able to sign in to any of the Office 365 services!

"Set it and forget it" works for just one year if you implemented AD FS the fast and easy way. A couple of things may have happened in those 12 months:

– the Token-Signing Certificate has expired

– the MSOL Services Module for Windows PowerShell has not been updated

– the Sign-In URL (web service) certificate has expired

In this blog post I'll walk through the update process for the first two items on this list. The web service (Sign-In URL) certificate is usually a public certificate; after you renew it, it has to be bound to the federation site through the IIS Management Console.

Of course it is best to do this BEFORE the expiration dates!

The starting point for renewing the Token-Signing Certificate is a look at the current settings, both in the AD FS Management Console and in the MSOL PowerShell module:

Open the MSOL Services Module for Windows PowerShell and enter the following commands (with plain ASCII hyphens in front of the parameter names):

$cred = Get-Credential                    (enter your Office 365 admin credentials)

Connect-MsolService -Credential $cred

Set-MsolADFSContext -Computer <your adfs servername>

Get-MsolFederationProperty -DomainName <your domainname>

The output looks something like this: (screenshot)

Have a close look at the Token-Signing Certificate "Not After" date and the thumbprint. Both must be identical for Source "your AD FS Server" and Source "Microsoft Office 365". If they differ, AD FS is signing tokens with a key that Office 365 does not trust, and federated sign-in fails.

The second step is to verify the current settings in the AD FS Management Console: (screenshot)

In this console you click "Add Token-Signing Certificate": (screenshot)

You will probably end up with a warning and the wizard will not continue, because AD FS manages these certificates itself when automatic certificate rollover is enabled (the default when AD FS generated its own self-signed certificates). Fortunately the warning gives exact information on how to add a new certificate to AD FS: (screenshot)


Open PowerShell as Administrator on the AD FS server and run:

Add-PSSnapin Microsoft.Adfs.Powershell

Update-ADFSCertificate -CertificateType Token-Signing -Urgent

The -Urgent switch makes the new certificate the primary one immediately, instead of adding it as a secondary certificate and promoting it later. From this moment on AD FS signs tokens with a key Office 365 does not know yet, so the next steps must follow right away.

You can check the new certificate by looking at the "Not After" date in the AD FS Management Console: (screenshot)

Now we have to update the Microsoft Federation Gateway with this newly created certificate, because the settings on the AD FS server and on the Office 365 side now differ: (screenshot)


The command for doing that (from the MSOL PowerShell module, with the AD FS context still set) is:

Update-MsolFederatedDomain -DomainName <your domainname>

Check the result by entering the following command; the thumbprint and "Not After" date should now be the same for both sources:

Get-MsolFederationProperty -DomainName <your domainname>  (screenshot)
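The whole procedure above (compare what AD FS signs with against what Office 365 trusts, roll the certificate if it is about to expire, push it to Office 365 and verify) can be scripted so it is checked before anything breaks. The script below is an added example and not code from the original post. It assumes it runs on the AD FS server with the AD FS snap-in (or module) and the MSOnline module installed, that Get-ADFSCertificate exposes the certificate as an X509Certificate2 in its Certificate property, and that Get-MsolDomainFederationSettings returns the Office 365 copy of the signing certificate as a Base64 string in SigningCertificate; the parameter names are the script's own.

```powershell
# Added example, not from the original post: compare the AD FS token-signing
# certificate with the one Office 365 holds for a federated domain, and
# optionally roll it and push it to the Microsoft Federation Gateway.
# Assumptions: runs on the AD FS server, MSOnline module installed,
# credentials with Global Admin rights in Office 365.
param(
    [Parameter(Mandatory = $true)][string]$DomainName,
    [int]$WarnDays = 30,     # warn when the certificate expires within this many days
    [switch]$Fix             # without -Fix the script only reports
)

# AD FS 2.0 ships its cmdlets as a snap-in; later versions as a module. Try both.
if (-not (Get-Command Get-ADFSCertificate -ErrorAction SilentlyContinue)) {
    try   { Add-PSSnapin Microsoft.Adfs.Powershell -ErrorAction Stop }
    catch { Import-Module ADFS -ErrorAction Stop }
}
Import-Module MSOnline -ErrorAction Stop

function Get-AdfsPrimarySigningCert {
    # The primary token-signing certificate is the key AD FS signs tokens with right now.
    (Get-ADFSCertificate -CertificateType Token-Signing |
        Where-Object { $_.IsPrimary }).Certificate
}

function Get-MsolSigningCert([string]$Domain) {
    # Office 365 stores the trusted signing certificate as Base64 DER; rebuild it
    # as an X509Certificate2 so we can read Thumbprint and NotAfter.
    $settings = Get-MsolDomainFederationSettings -DomainName $Domain
    $bytes = [Convert]::FromBase64String($settings.SigningCertificate)
    New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList (,$bytes)
}

function Test-SigningCertState($AdfsCert, $CloudCert, [int]$Days) {
    # Returns the list of problems found; an empty list means federated sign-in is healthy.
    $problems = @()
    if ($AdfsCert.Thumbprint -ne $CloudCert.Thumbprint) {
        $problems += "Thumbprint mismatch: AD FS $($AdfsCert.Thumbprint) vs Office 365 " +
                     "$($CloudCert.Thumbprint). Tokens are rejected until Update-MsolFederatedDomain runs."
    }
    $daysLeft = ($AdfsCert.NotAfter - (Get-Date)).Days
    if ($daysLeft -lt 0) {
        $problems += "AD FS token-signing certificate expired on $($AdfsCert.NotAfter)."
    } elseif ($daysLeft -lt $Days) {
        $problems += "AD FS token-signing certificate expires in $daysLeft days ($($AdfsCert.NotAfter))."
    }
    return ,$problems
}

$cred = Get-Credential -Message "Office 365 admin credentials"
Connect-MsolService -Credential $cred

$adfs   = Get-AdfsPrimarySigningCert
$cloud  = Get-MsolSigningCert $DomainName
$issues = @(Test-SigningCertState $adfs $cloud $WarnDays)

if ($issues.Count -eq 0) {
    Write-Host "OK: AD FS and Office 365 agree on $($adfs.Thumbprint), valid until $($adfs.NotAfter)"
    return
}
$issues | ForEach-Object { Write-Warning $_ }
if (-not $Fix) { Write-Host "Re-run with -Fix to roll the certificate and update Office 365."; return }

# -Urgent makes the new certificate primary immediately (no rollover window), so the
# federation partner has to be updated in the same maintenance window or sign-in breaks.
if ($adfs.NotAfter -lt (Get-Date).AddDays($WarnDays)) {
    Update-ADFSCertificate -CertificateType Token-Signing -Urgent
}
Set-MsolADFSContext -Computer $env:COMPUTERNAME    # assumes we are on the AD FS server
Update-MsolFederatedDomain -DomainName $DomainName  # add -SupportMultipleDomain if several domains are federated

# Verify: both sides must now report the same thumbprint and the new expiry date.
$after = @(Test-SigningCertState (Get-AdfsPrimarySigningCert) (Get-MsolSigningCert $DomainName) $WarnDays)
if ($after.Count -eq 0) {
    Write-Host "Updated: Office 365 now trusts $((Get-AdfsPrimarySigningCert).Thumbprint)"
} else {
    $after | ForEach-Object { Write-Error $_ }
}
```

Run it without -Fix from a scheduled task to get a warning well before the one-year mark; run it with -Fix inside a maintenance window, since between Update-ADFSCertificate -Urgent and Update-MsolFederatedDomain every federated sign-in fails.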


If you did not use the self-signed certificates that AD FS generated but assigned certificates from your local PKI, automatic certificate rollover is off and Update-ADFSCertificate does not apply; in that case please see the following website: http://support.microsoft.com/kb/2383983 .

To avoid issues of this kind you can use the Microsoft Office 365 Federation Metadata Update Automation Installation Tool, which runs the Update-MsolFederatedDomain step on a schedule so that a rolled-over certificate is pushed to Office 365 automatically. You can download it from:


Finally, it is a good idea to check that you are running the latest version of the MSOL Services Module for Windows PowerShell. As far as I know this module is not updated automatically by Windows Update.


Good Luck!
