Sassy Geek
Atom Feed

Dealing with expiring certificates in ADFS

When using ADFS 3.0 for SSO with Office 365 the token certificates will be by default renewed every 365 days. This procedure should be the same for ADFS 2.0 but PowerShell commands can be different.

The result is following alert “One of your on-premises Federation Services certificates is expiring. Failure to renew the certificate and update trust properties within X days will result in a loss of access to all Office 365 services for all users.”


ADFS is using token certificates to sign and decrypt all traffic between the ADFS server and Office 365. These certificates are self-signed and have a default duration time of 365 days. This duration can be increased if you want, but there is a security argument to be made for not having long-lasting self-signed certificates or even self-signed certificates to begin with. But take that warning message seriously, if the certificate doesn't auto enroll, stuff WILL break if you do not regenerate those certificates.

Here is short explanation on how to renew them:

You can check in the ADFS console that there are two token certificates, one for signing and one for decrypting:

You should now run the following command in PowerShell on your ADFS Server:

Import-module ADFS
Update-ADFSCertificate –Urgent

You will now see that there are total of 4 token certificates, two primary and two secondary for decrypting and signing:

By default 5 days after generating secondary certificates ADFS will switch those to primary. To not interrupt SSO it's important that you update the trust between Office 365 Tennant and ADFS before it happens.

You should then run this commands in PowerShell on a server where Azure Active Directory module for PowerShell is installed:

Import-Module MSOnline
# Enter administrator credentials for office 365

If you use different computer the you ADFS server:
Set-MsolADFSContext -Computer <your ADFS server name>
# Enter administrator credentials you ADFS server

Update-MsolFederatedDomain -Domain <your domain name>

To confirm that this has worked you can either log on to your tenant and check that the alert is gone or run


and check the new certificate expiry date.


You can find more information here: