For organizations relying on Microsoft’s Active Directory Federation Services (ADFS) for single sign-on access to Office 365, automating the process of renewing the Token-decrypting and Token-signing certificates, and updating the 365 Federation metadata is crucial to preventing unscheduled downtime for end users.
When certificates need to be renewed, accounts designated as global administrators in Office 365 will start to receive emails and pop-up notices on the 365 portal like this:
Clicking on the update now link will take you to this page which will walk you through the process of renewing the various certificates. The Token-signing and Token-decrypting certificates are self-signed and expire each year by default. I recommend utilizing the Auto Rollover feature of ADFS 2.0 for these certificates. According to Microsoft:
“By default, AD FS 2.0 uses token-signing certificates that are valid for one year. A new certificate is automatically generated 20 days before each certificate expires. Once the new certificate is generated, there are five days remaining in the grace period in which AD FS 2.0 will not use the certificate for signatures. It is critical that the certificate information in Windows Azure AD is updated prior to the end of the grace period.”
Updating the certificate information in Azure AD (for Office 365) can be done manually or automated. The manual process requires a series of PowerShell commands to be run on one of your ADFS servers. Documentation on the manual process can be found here. The automated process utilizes Windows task scheduler to run the necessary PowerShell commands on a nightly basis. Once the token-signing certificate is updated (either manually or using the Auto Rollover feature), the task will take care of updating the federation metadata with Office 365.
There are a few system requirements to use the update tool:
- You must make sure that you have installed the latest version of the Microsoft Online Services Module for Windows PowerShell
- You need to have a functioning AD FS 2.0 Federation Service
- You need to have access to Global Administrator credentials for your Office 365 tenant
- At least one verified domain in the Office 365 tenant must be of type ‘Federated’
- This tool must be executed on a writable Federation Server
- The currently logged on user must be a member of the local Administrators group
- The Microsoft Online Services Module for Windows PowerShell must be installed. You can download the module from http://go.microsoft.com/fwlink/p/?LinkId=281794&clcid=0x409
The federation metadata update tool can be found here.
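The nightly task described above amounts to a short PowerShell script: read the primary token-signing certificate from ADFS, compare it with what Office 365 has on file, and call Update-MsolFederatedDomain only when they differ. The script below is an added illustration, not the update tool the post links to or anything Microsoft ships; the domain name, file paths, the service account, and the property names read from Get-MsolFederationProperty (ActiveSigningCertificate) are assumptions to verify against your own module version.

```powershell
# Added example (not the original post's tool): nightly ADFS -> Office 365
# federation metadata sync, run by Task Scheduler on a writable federation server.
# Placeholders: federated domain, credential file path, log path.
param(
    [string]$Domain   = 'contoso.example',                 # placeholder federated domain
    [string]$CredFile = 'C:\ADFS\o365-admin.cred.xml',     # assumed DPAPI-protected credential file
    [string]$LogFile  = 'C:\ADFS\FederationSync.log',
    [switch]$SupportMultipleDomain                         # pass only if the domain was federated with this switch
)

function Write-Log([string]$Message) {
    $line = "{0:yyyy-MM-dd HH:mm:ss} {1}" -f (Get-Date), $Message
    Add-Content -Path $LogFile -Value $line
    Write-Output $line
}

# AD FS 2.0 exposes its cmdlets as a snap-in; AD FS on Server 2012 R2 and later as a module.
if (-not (Get-Command Get-ADFSCertificate -ErrorAction SilentlyContinue)) {
    if (Get-Module -ListAvailable -Name ADFS) { Import-Module ADFS }
    else { Add-PSSnapin Microsoft.Adfs.PowerShell }
}
Import-Module MSOnline

# 1. Confirm Auto Rollover is on and record the thresholds the post quotes (20 / 5 days by default).
$props = Get-ADFSProperties
if (-not $props.AutoCertificateRollover) {
    Write-Log "WARNING: AutoCertificateRollover is disabled; token-signing certificates will not renew themselves."
}
Write-Log ("Rollover thresholds: generate {0} days before expiry, promote {1} days after generation" -f `
    $props.CertificateGenerationThreshold, $props.CertificatePromotionThreshold)

# 2. Which token-signing certificate is primary on this farm right now?
$primary = Get-ADFSCertificate -CertificateType Token-Signing | Where-Object { $_.IsPrimary }
Write-Log ("ADFS primary token-signing thumbprint: {0}, expires {1:d}" -f `
    $primary.Thumbprint, $primary.Certificate.NotAfter)

# 3. Sign in to Office 365 with a stored Global Administrator credential. Create it once,
#    interactively, while logged on as the account the task runs under:
#        Get-Credential | Export-Clixml -Path C:\ADFS\o365-admin.cred.xml
#    Export-Clixml protects the password with DPAPI, so the file only decrypts for that
#    user on that machine; running the task as another account simply fails here.
$cred = Import-Clixml -Path $CredFile
Connect-MsolService -Credential $cred
Set-MsolADFSContext -Computer $env:COMPUTERNAME

# 4. Compare with the certificate Office 365 currently trusts for the domain.
#    Assumption: the 'Microsoft Office 365' entry exposes ActiveSigningCertificate.
$o365      = Get-MsolFederationProperty -DomainName $Domain |
             Where-Object { $_.Source -eq 'Microsoft Office 365' }
$published = $o365.ActiveSigningCertificate.Thumbprint

if ($published -eq $primary.Thumbprint) {
    Write-Log "Office 365 already trusts the primary certificate; nothing to do."
    return
}

# 5. Push the new metadata. Only reached after ADFS has promoted a new primary,
#    i.e. inside the five-day grace period the post describes.
Write-Log ("Office 365 has {0}; updating federation metadata for {1}" -f $published, $Domain)
$args = @{ DomainName = $Domain }
if ($SupportMultipleDomain) { $args['SupportMultipleDomain'] = $true }
Update-MsolFederatedDomain @args
Write-Log "Update-MsolFederatedDomain completed."

# Register once as a nightly task (adjust account and path; /RP * prompts for the password):
#   schtasks /Create /TN "ADFS Federation Sync" /SC DAILY /ST 02:00 /RL HIGHEST `
#     /RU "DOMAIN\svc-adfs" /RP * `
#     /TR "powershell.exe -NonInteractive -ExecutionPolicy Bypass -File C:\ADFS\Sync-FederationMetadata.ps1"
```

Because the script compares thumbprints before calling Update-MsolFederatedDomain, running it every night is safe: on most nights it logs one line and exits, and in the days after Auto Rollover promotes a new primary certificate it pushes the new metadata well before the grace period ends. The log file gives you an audit trail of when Office 365 was updated and with which thumbprint, which is the first thing to check if federated sign-in starts failing.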