
Update the certificates on your AD FS servers

When using federation and SSO with Office 365, AD FS servers are involved. At some point you may receive an e-mail, or see something like this in the portal:


This is normal behaviour and should resolve itself. If you are using AD FS 2.0 or later, Office 365 and Azure AD will automatically renew your certificates before they expire; no manual steps are needed. This does assume that the AD FS property AutoCertificateRollover is set to True, meaning AD FS automatically generates new token-signing and token-decrypting certificates before the old ones expire. If the property is False, you may be using custom certificates, which this post does not cover.

The servers use both public and self-signed certificates. These certificates are used in the communication between the AD FS servers and the cloud. By default, two of them are issued during installation and are valid for a year. The third is the public certificate, issued by a third-party CA, which is valid for whatever period it was issued for.

The WAP servers (AD FS proxies) use only the public certificate.

These certificates are used in the AD FS servers:

  • Service Communications, used to encrypt all client connectivity to the AD FS server.
  • Token-Signing, used to sign the token sent to the relying party to prove that it came from AD FS.
  • Token-Decrypting, whose public key partners use to encrypt the payload of a SAML token sent to AD FS.

Validate your AD FS configuration:

  1. Log on to the AD FS server (the primary server in the case of a farm)
  2. Open Windows PowerShell with elevation
  3. Add-PSSnapin Microsoft.ADFS.PowerShell (not necessary on AD FS 3.0)
  4. Get-AdfsProperties


These are the settings that matter in this case:

  • AutoCertificateRollover: True – Default certificates are used and the system renews them automatically (not the public one).
  • CertificateCriticalThreshold: 2 – Days prior to expiry of the certificate at which a new certificate is generated and promoted if AutoCertificateRollover has not performed naturally.
  • CertificateDuration: 365 – Validity period of the auto-generated certificate.
  • CertificateGenerationThreshold: 20 – Days before expiration of the current primary at which a new certificate will be generated.
  • CertificatePromotionThreshold: 5 – Days the newly generated certificate will exist before being promoted from secondary to primary.
  • CertificateRolloverInterval: 720 – Interval in minutes at which AD FS checks whether a new certificate needs to be generated.
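The validation steps and the settings above can be checked in one go. The script below is an added example, not code from the original post; it assumes it runs on the primary AD FS server in an elevated PowerShell, and it adds one thing the list does not show: each certificate's remaining lifetime compared against the CertificateGenerationThreshold and CertificateCriticalThreshold values, so you can see whether automatic rollover should already have produced a secondary certificate.

```powershell
# Added example (not from the original post): audit the AD FS rollover
# settings and the current certificate expiry dates in one pass.
# Assumes: primary AD FS server, elevated PowerShell.

# AD FS 2.x ships its cmdlets as a snap-in; AD FS 3.0 loads the Adfs module on demand.
if (-not (Get-Command Get-AdfsProperties -ErrorAction SilentlyContinue)) {
    Add-PSSnapin Microsoft.ADFS.PowerShell
}

$props = Get-AdfsProperties

# Show only the rollover-related settings discussed in the post.
$props | Select-Object AutoCertificateRollover,
                       CertificateCriticalThreshold,
                       CertificateDuration,
                       CertificateGenerationThreshold,
                       CertificatePromotionThreshold,
                       CertificateRolloverInterval | Format-List

if (-not $props.AutoCertificateRollover) {
    Write-Warning 'AutoCertificateRollover is False: AD FS will not renew the token certificates itself.'
}

# List every certificate AD FS knows about together with its remaining lifetime.
Get-AdfsCertificate | ForEach-Object {
    $daysLeft = [int]($_.Certificate.NotAfter - (Get-Date)).TotalDays
    $status =
        if ($_.CertificateType -eq 'Service-Communications') { 'manual (public CA)' }   # never auto-rolled
        elseif ($daysLeft -le $props.CertificateCriticalThreshold)   { 'CRITICAL' }
        elseif ($daysLeft -le $props.CertificateGenerationThreshold) { 'rollover window' }
        else                                                         { 'ok' }
    [pscustomobject]@{
        Type       = $_.CertificateType
        IsPrimary  = $_.IsPrimary
        Thumbprint = $_.Thumbprint
        NotAfter   = $_.Certificate.NotAfter
        DaysLeft   = $daysLeft
        Status     = $status
    }
} | Sort-Object Type, IsPrimary -Descending | Format-Table -AutoSize
```

A primary token-signing or token-decrypting certificate reported as "rollover window" with no secondary certificate of the same type listed beneath it means automatic rollover has not fired yet; a "CRITICAL" primary with no secondary is the case where the manual update is worth doing straight away.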

If the settings have the values listed above, the re-enrollment will happen on its own. You can of course also fix it right away, which gets rid of the annoying warning.

Update your AD FS server certificates:
Do not do this during working hours. Once step four is done, AD FS will be down until step six is complete.

  1. Log on to the AD FS server (the primary server in the case of a farm)
  2. Open Windows PowerShell with elevation
  3. Add-PSSnapin Microsoft.ADFS.PowerShell (not necessary on AD FS 3.0)
  4. Update-AdfsCertificate
  5. Connect-MsolService, and log on with a global admin account
  6. Update-MsolFederatedDomain -DomainName <domain> -SupportMultipleDomain; the -SupportMultipleDomain switch is needed whenever there is more than one federated domain. Replace <domain> with your primary domain.
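The six steps above as one script, added here as an example rather than taken from the original post. It assumes the primary AD FS server, an elevated PowerShell, the MSOnline module, and a placeholder domain name in $domain that you replace with your own. It goes one step beyond the list: it records the primary thumbprints before and after the rollover and then reads back what Azure AD holds with Get-MsolFederationProperty, which is the check that tells you whether step six actually took effect.

```powershell
# Added example (not the original post's code): roll the token-signing and
# token-decrypting certificates now and push the new thumbprints to Azure AD.
# Assumes: primary AD FS server, elevated PowerShell, MSOnline module installed.

$domain = 'contoso.example'   # placeholder: replace with your federated domain

if (-not (Get-Command Update-AdfsCertificate -ErrorAction SilentlyContinue)) {
    Add-PSSnapin Microsoft.ADFS.PowerShell   # AD FS 2.x only
}

# Record the current primary thumbprints so the change can be verified afterwards.
$before = Get-AdfsCertificate | Where-Object IsPrimary |
          Select-Object CertificateType, Thumbprint

# -Urgent generates new token-signing and token-decrypting certificates AND
# promotes them to primary immediately; that is why federated sign-in fails
# until Azure AD has the new thumbprints. Without -Urgent the new certificate
# is only added as secondary and promoted after CertificatePromotionThreshold days.
Update-AdfsCertificate -Urgent

$after = Get-AdfsCertificate | Where-Object IsPrimary |
         Select-Object CertificateType, Thumbprint

"Before:"; $before | Format-Table -AutoSize
"After:";  $after  | Format-Table -AutoSize

# Push the new signing certificate to Azure AD / Office 365.
Connect-MsolService          # prompts for a Global Administrator account
Update-MsolFederatedDomain -DomainName $domain -SupportMultipleDomain

# Verification: Azure AD's copy of the token-signing certificate must match
# the AD FS primary; both sides are returned by Get-MsolFederationProperty.
$fed = Get-MsolFederationProperty -DomainName $domain |
       ForEach-Object {
           [pscustomobject]@{
               Source     = $_.Source
               Thumbprint = $_.TokenSigningCertificate.Thumbprint
           }
       }
$fed | Format-Table -AutoSize

$adfsPrimary = ($after | Where-Object CertificateType -eq 'Token-Signing').Thumbprint
if (($fed.Thumbprint | Select-Object -Unique).Count -ne 1 -or $fed[0].Thumbprint -ne $adfsPrimary) {
    Write-Warning 'Azure AD and AD FS disagree on the token-signing certificate; federated sign-in will fail until they match.'
}
```

If the final comparison warns, rerun Update-MsolFederatedDomain rather than touching AD FS again; the AD FS side is already correct, and it is the Azure AD copy that has not been updated.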

You should now see the new expiry dates in the AD FS Management Console, and the warning should be gone.


Update your public certificates:

Once again, do not do this during working hours, as it will cause a glitch for users logging in during the update.
Request and install the new SSL certificate from a public third-party CA. Install it, with its private key, in the local computer's store on all AD FS servers in the farm, including the AD FS proxies (WAP).


  1. Log on to the primary AD FS server and open an elevated PowerShell.
  2. dir cert:\LocalMachine\My
  3. Copy the thumbprint of the new certificate.
  4. Set-AdfsCertificate -CertificateType Service-Communications -Thumbprint "thumbprint" (the -CertificateType parameter is required; on AD FS 3.0 the HTTP.sys SSL binding is updated separately with Set-AdfsSslCertificate -Thumbprint "thumbprint")




On each Web Application Proxy (AD FS proxy) run the command:

Set-WebApplicationProxySslCertificate -Thumbprint "thumbprint"
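The public-certificate steps as a script, added here as an example and not taken from the original post. It assumes the new certificate and its private key are already imported into Cert:\LocalMachine\My on every server and that $fqdn holds your federation service name (a placeholder below). Instead of copying a thumbprint by hand it selects the newest unexpired certificate with a private key whose subject matches the service name, and it covers the AD FS 3.0 case where the SSL binding is set with Set-AdfsSslCertificate in addition to Set-AdfsCertificate.

```powershell
# Added example (not the original post's code): bind a newly installed public
# SSL certificate on the AD FS farm and on each Web Application Proxy.
# Assumes: the certificate with private key is already in Cert:\LocalMachine\My
# on every server; $fqdn is the federation service name (placeholder value).

$fqdn = 'sts.contoso.example'   # placeholder: replace with your federation service name

# Pick the newest unexpired certificate with a private key whose subject
# matches the service name; this avoids pasting a thumbprint by hand.
$cert = Get-ChildItem Cert:\LocalMachine\My |
        Where-Object { $_.HasPrivateKey -and
                       $_.NotAfter -gt (Get-Date) -and
                       $_.Subject -like "*CN=$fqdn*" } |
        Sort-Object NotAfter -Descending |
        Select-Object -First 1

if (-not $cert) {
    throw "No unexpired certificate for $fqdn with a private key found in LocalMachine\My"
}
"Using $($cert.Subject), expires $($cert.NotAfter), thumbprint $($cert.Thumbprint)"

if (-not (Get-Command Set-AdfsCertificate -ErrorAction SilentlyContinue)) {
    Add-PSSnapin Microsoft.ADFS.PowerShell   # AD FS 2.x only
}

# On the primary AD FS server: register the certificate as the
# service-communications certificate (published in federation metadata) ...
Set-AdfsCertificate -CertificateType Service-Communications -Thumbprint $cert.Thumbprint

# ... and on AD FS 3.0 (Windows Server 2012 R2) also update the HTTP.sys SSL
# binding, which Set-AdfsCertificate does not touch. AD FS 2.x runs in IIS,
# where the binding is changed on the IIS site instead.
if (Get-Command Set-AdfsSslCertificate -ErrorAction SilentlyContinue) {
    Set-AdfsSslCertificate -Thumbprint $cert.Thumbprint
}

# The AD FS service reads the certificate configuration at start-up.
Restart-Service adfssrv

# On each Web Application Proxy, after importing the same certificate there,
# run the equivalent binding command (the WAP has no AD FS configuration database):
#   Set-WebApplicationProxySslCertificate -Thumbprint $cert.Thumbprint
```

Run the AD FS part on the primary server only; secondary farm members pick up the service-communications setting from the configuration database, but each server, primaries and WAPs alike, still needs the certificate and private key in its own local machine store.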


After that you're all set!


  1. Torri Hudspeth

    Fantastic post, I learned a lot from the insight. Does anyone know where my business would be able to get access to a blank form to work with?

  2. Juan Cailima

    I am curious to understand under what conditions a certificate would not autorotate even if the rollover action is set to “true”?
    A few weeks ago our thumbprints were exactly the same. Now they are not, but all is still working.
    I see the cert for on-premise already renewed, but the one on O365 has not. It has now been 10 hours plus…



