Renewing/Switching AD FS certificates for Enterprise (with Office 365)

Upgrading the AD FS Token-Signing and Token-Decrypting certificates in an Enterprise environment with Office 365 and multiple other Relying Parties can be a hassle. But never fear, here is some advice and a few notes about the process:

First of all, there are some things to do before you upgrade:

Before you upgrade

  • Plan ahead. Office 365 will stop working 15 days before the certificates actually expire.

  • Get a 10-year self-signed certificate for each type (signing and decrypting) to minimize the number of times you'll have to do this in your - and your organization's - lifetime. There are two ways of doing this. One is bad (for most cases in an Enterprise): run Set-AdfsProperties -CertificateDuration 3650 -AutoCertificateRollover $true followed by Update-AdfsCertificate -CertificateType Token-Decrypting -Urgent and Update-AdfsCertificate -CertificateType Token-Signing -Urgent. But that switches to the new certificates automatically right away, and you will get more downtime than needed. The better way is to generate your own certificate as I showed here: Create a self-signed certificate the Powershell-way, distribute it to all AD FS servers (it's ok to import them in the AD FS service as well and let them be secondary) and give the AD FS service account read access to the private key. Save the thumbprints for both certificates for the next step.

  • Inform everyone that's affected, i.e. all custom RPs. I cannot stress this enough: if they have the thumbprints of the certificates hardcoded (in config, or by fetching them from the metadata once), it WILL stop working when you make the switch. A tip here is to use the "Notes" field on the AD FS RPs and write a quick and dirty PowerShell script to mail the owners of the affected RPs.

  • Make sure you have access to an Office 365 cloud-only Global Admin account (not synced from on-premises!).

  • Make sure the Office 365 relying party trust is named Microsoft Office 365 Identity Platform (i.e. make sure no one has renamed it from the default).
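For the "inform everyone" step, here is an added PowerShell example (not from the original post) that builds the notification from the AD FS "Notes" field. It assumes Notes holds the RP owner's e-mail address(es); the thumbprints, switch date, SMTP server and sender address are placeholders. It also tells each owner whether their trust has a metadata URL, since trusts without one almost certainly have the thumbprint hard-coded.

```powershell
# Added example: mail the owners of every custom relying party before the switch.
# Assumption: the RP "Notes" field contains owner e-mail addresses (separated by ; or ,).
# Run on an AD FS server as an administrator.
Import-Module ADFS

$newSigningThumbprint = '<THUMBPRINT OF NEW TOKEN-SIGNING CERT>'    # placeholder
$newDecryptThumbprint = '<THUMBPRINT OF NEW TOKEN-DECRYPTING CERT>'  # placeholder
$switchDate           = '<YYYY-MM-DD>'                               # placeholder
$smtpServer           = 'smtp.example.com'                           # placeholder
$from                 = 'adfs-admins@example.com'                    # placeholder

# The built-in Office 365 trust is handled with Update-MsolFederatedDomain, not by mail.
$skip = @('Microsoft Office 365 Identity Platform')

$trusts = Get-AdfsRelyingPartyTrust | Where-Object { $_.Name -notin $skip }

foreach ($rp in $trusts) {
    # Pull anything that looks like an e-mail address out of the Notes field.
    $owners = @()
    if ($rp.Notes) {
        $owners = $rp.Notes -split '[;,]' | ForEach-Object { $_.Trim() } |
                  Where-Object { $_ -match '^[^@\s]+@[^@\s]+$' }
    }
    if (-not $owners) {
        Write-Warning "No owner e-mail in Notes for RP '$($rp.Name)' - contact them manually"
        continue
    }

    # Trusts with a metadata URL can re-read the new certificates; the rest must update config.
    $metadataHint = if ($rp.MetadataUrl) {
        "Your trust has a metadata URL ($($rp.MetadataUrl)); re-read the metadata after the switch."
    } else {
        "Your trust has no metadata URL; the thumbprint is probably hard-coded and must be updated."
    }

    $body = @"
The AD FS token-signing and token-decrypting certificates used by relying party
'$($rp.Name)' ($($rp.Identifier -join ', ')) will change on $switchDate.

New token-signing thumbprint:    $newSigningThumbprint
New token-decrypting thumbprint: $newDecryptThumbprint

$metadataHint
"@

    Send-MailMessage -SmtpServer $smtpServer -From $from -To $owners `
        -Subject "AD FS certificate rollover on $switchDate - action required for '$($rp.Name)'" `
        -Body $body
}
```

Run it a couple of weeks before the switch and again as a reminder; the warnings it prints are the RPs you still have to chase down by hand.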

Now over to the easy part ;)

When you do upgrade

  • Mark the certificates that you previously created and imported as primary

  • Open a new PowerShell session (you might get the error multiple_matching_tokens_detected if you don't), run Connect-MsolService with your online Global Admin credentials, then Update-MsolFederatedDomain -DomainName with your federated domain. You should see:

    Successfully updated '' domain

  • Relax ;)
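The whole switch, as an added PowerShell example (not from the original post): it imports the certificates you created as secondary (the "before" phase), promotes them to primary, verifies what AD FS reports, and then pushes the new signing certificate to Office 365 and checks that the cloud side agrees. Thumbprints and the domain name are placeholders; the private-key ACL for the AD FS service account is assumed to be set already. One thing the post does not spell out: Add-AdfsCertificate and Set-AdfsCertificate only work when AutoCertificateRollover is off, so the script turns it off first.

```powershell
# Added example: manual AD FS certificate rollover followed by the Office 365 update.
# Run on the primary AD FS server as an administrator, in a fresh PowerShell session.
Import-Module ADFS

$signingThumbprint = '<NEW TOKEN-SIGNING THUMBPRINT>'     # placeholder, from the cert you created
$decryptThumbprint = '<NEW TOKEN-DECRYPTING THUMBPRINT>'  # placeholder
$federatedDomain   = '<federated.example.com>'            # placeholder

# 1. Manual certificate management requires auto-rollover to be off.
if ((Get-AdfsProperties).AutoCertificateRollover) {
    Set-AdfsProperties -AutoCertificateRollover $false
}

# 2. Sanity-check the certificates in the local machine store before touching AD FS.
foreach ($t in $signingThumbprint, $decryptThumbprint) {
    $c = Get-ChildItem "Cert:\LocalMachine\My\$t" -ErrorAction SilentlyContinue
    if (-not $c)               { throw "Certificate $t not found in LocalMachine\My" }
    if (-not $c.HasPrivateKey) { throw "Certificate $t has no private key on this server" }
    if ($c.NotAfter -lt (Get-Date).AddYears(9)) {
        Write-Warning "$t expires $($c.NotAfter); expected a ~10-year certificate"
    }
}

# 3. Add the certificates as secondary if AD FS does not know them yet.
function Add-AdfsCertificateIfMissing([string]$Type, [string]$Thumbprint) {
    $known = Get-AdfsCertificate -CertificateType $Type | Where-Object { $_.Thumbprint -eq $Thumbprint }
    if (-not $known) { Add-AdfsCertificate -CertificateType $Type -Thumbprint $Thumbprint }
}
Add-AdfsCertificateIfMissing 'Token-Signing'    $signingThumbprint
Add-AdfsCertificateIfMissing 'Token-Decrypting' $decryptThumbprint

# 4. The actual switch: promote to primary. RPs with hard-coded thumbprints break from here on.
Set-AdfsCertificate -CertificateType Token-Signing    -Thumbprint $signingThumbprint -IsPrimary
Set-AdfsCertificate -CertificateType Token-Decrypting -Thumbprint $decryptThumbprint -IsPrimary

# 5. Verify that AD FS now reports the new thumbprints as primary.
$expected = @{ 'Token-Signing' = $signingThumbprint; 'Token-Decrypting' = $decryptThumbprint }
foreach ($type in $expected.Keys) {
    $primary = Get-AdfsCertificate -CertificateType $type | Where-Object { $_.IsPrimary }
    if ($primary.Thumbprint -ne $expected[$type]) {
        throw "$type primary is $($primary.Thumbprint), expected $($expected[$type])"
    }
}

# 6. Push the new signing certificate to Office 365 with the cloud-only Global Admin.
Connect-MsolService            # prompts for the cloud-only Global Admin credentials
Update-MsolFederatedDomain -DomainName $federatedDomain
# Expected output: Successfully updated '<federated.example.com>' domain.

# 7. Confirm the cloud side now carries the new signing certificate.
$fed = Get-MsolDomainFederationSettings -DomainName $federatedDomain
$cloudCert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2(
    ,[Convert]::FromBase64String($fed.SigningCertificate))
if ($cloudCert.Thumbprint -ne $signingThumbprint) {
    throw "Office 365 still has signing certificate $($cloudCert.Thumbprint)"
}
```

Steps 1 to 5 are what the post's "mark as primary" bullet does in the GUI; step 7 is the check that tells you the Office 365 side is really done before you relax.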