Updating O365 metadata with manual certificate rollover

  • Question

  • Hi,

    We have 2012 R2 ADFS servers with several relying parties, all but 1 can update the token signing and decrypting certificates automatically by grabbing our externally published metadata. 

    We need to renew the token signing and decrypting certificate. I'm planning on using the PowerShell commands below to do this:

    Set-ADFSProperties -CertificateDuration 1827
    Update-AdfsCertificate -CertificateType Token-Decrypting -urgent
    Update-AdfsCertificate -CertificateType Token-Signing -urgent

    Given that I'm manually updating and the ADFS metadata is publicly available, do I need to run the cmdlets below to avoid downtime in O365 services?

    connect-msolservice
    set-msoladfscontext -computer adfs01.contoso.com
    Update-MSOLFederatedDomain -DomainName contoso.com

    Thanks in advance

    Tuesday, July 9, 2019 10:48 AM

Answers

  • 1. Enable Certificate Rollover if it is not enabled:
    Set-ADFSProperties -AutoCertificateRollover $true
     
    2. Generate new self-signed certificates:
    Update-AdfsCertificate -CertificateType Token-Decrypting 
    Update-AdfsCertificate -CertificateType Token-Signing 
     
    From the ADFS Management Console you will see that two secondary certificates are generated:
     
     
    3. Set-ADFSProperties -AutoCertificateRollover $false
     
    4. Agree with the application owners about the switch-over date and time (it should be after working hours to avoid user interruption, and before the Critical Threshold date, which is by default 2 days before the certificate expiration).
     
    To export the certificates without their private keys to your application partners:
    Open the ADFS Management Console: ADFS > Service > Certificates (Select the secondary certificates)
    For each token certificate, perform the following:
    •  Right-click the certificate > View Certificate…
    •  In the new window > Details (tab) > Copy to File (button) > Next
    •  Select: DER Encoded Binary X.509 (.CER) -or- Base-64 Encoded X.509 (.CER)
    •  Next > Browse to a location to save the file and give it a name
    •  Next > Finish 
     
    5. At the agreed time of the switch over:
     
    From the primary ADFS Management Console, set both secondary certificates as primary:
     
     
     
    6. Update the Office 365 metadata using Windows Azure PowerShell:
    Connect-MsolService    (provide global admin credentials)
    Update-MsolFederatedDomain -DomainName domain.com -SupportMultipleDomain
     
    7. Enable the Certificate Rollover back:
    Set-ADFSProperties -AutoCertificateRollover $true


    Thursday, July 11, 2019 3:15 PM
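Added example, not part of the original thread: a PowerShell check to run after step 5 (and again after step 6) that compares the thumbprint of the ADFS primary token-signing certificate with the certificate Office 365 has registered for the federated domain, so you can see whether Update-MsolFederatedDomain is still needed before users notice. It assumes the ADFS and MSOnline modules are loaded, that Connect-MsolService has already been run, and uses contoso.com as a placeholder domain name.

```powershell
# Added example: compare the ADFS primary token-signing certificate with what
# Office 365 currently trusts for the domain. Not code from the original thread.
param(
    [string]$DomainName = 'contoso.com'   # placeholder, replace with your federated domain
)

# Office 365 returns its registered certificates as Base64 DER; turn that into a thumbprint
function Get-ThumbprintFromBase64 {
    param([string]$Base64Cert)
    if ([string]::IsNullOrEmpty($Base64Cert)) { return $null }
    $bytes = [Convert]::FromBase64String($Base64Cert)
    $cert  = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList (,$bytes)
    return $cert.Thumbprint
}

# 1. The certificate ADFS is signing tokens with right now (primary token-signing)
$adfsPrimary = Get-AdfsCertificate -CertificateType Token-Signing | Where-Object { $_.IsPrimary }
$adfsThumb   = $adfsPrimary.Thumbprint

# 2. The certificates Office 365 has on file for the domain
$fed           = Get-MsolDomainFederationSettings -DomainName $DomainName
$o365Thumb     = Get-ThumbprintFromBase64 $fed.SigningCertificate
$o365NextThumb = Get-ThumbprintFromBase64 $fed.NextSigningCertificate

Write-Host "ADFS primary token-signing : $adfsThumb"
Write-Host "O365 SigningCertificate    : $o365Thumb"
Write-Host "O365 NextSigningCertificate: $o365NextThumb"

# 3. Decide whether the O365 side still needs updating
if ($adfsThumb -eq $o365Thumb) {
    Write-Host 'OK: Office 365 trusts the certificate ADFS is currently signing with.' -ForegroundColor Green
} elseif ($adfsThumb -eq $o365NextThumb) {
    Write-Warning 'Office 365 only has the new certificate as NextSigningCertificate; run Update-MsolFederatedDomain so it becomes SigningCertificate.'
} else {
    Write-Warning "Mismatch: Office 365 does not know the ADFS primary certificate. Run Update-MsolFederatedDomain -DomainName $DomainName (add -SupportMultipleDomain if more than one domain is federated)."
}

# 4. Time left on the primary certificate versus the ADFS critical threshold
$props    = Get-AdfsProperties
$daysLeft = ($adfsPrimary.Certificate.NotAfter - (Get-Date)).Days
Write-Host ("Primary cert expires in {0} days (CertificateCriticalThreshold = {1} days, AutoCertificateRollover = {2})" -f `
    $daysLeft, $props.CertificateCriticalThreshold, $props.AutoCertificateRollover)
```

Run it on a federation server with an account that can read the ADFS configuration; if it reports a mismatch, step 6 above is the fix.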