diff --git a/docs/identity/hybrid/connect/how-to-connect-emergency-ad-fs-certificate-rotation.md b/docs/identity/hybrid/connect/how-to-connect-emergency-ad-fs-certificate-rotation.md index fa3018f5c20..43510f18318 100644 --- a/docs/identity/hybrid/connect/how-to-connect-emergency-ad-fs-certificate-rotation.md +++ b/docs/identity/hybrid/connect/how-to-connect-emergency-ad-fs-certificate-rotation.md @@ -24,11 +24,18 @@ If you need to rotate the Active Directory Federation Services (AD FS) certifica ## Determine your Token Signing Certificate thumbprint -To revoke the old Token Signing Certificate that AD FS is currently using, you need to determine the thumbprint of the token-signing certificate. Do the following: +To revoke the old Token Signing Certificate that AD FS is currently using, you need to determine the thumbprint of the token-signing certificate. From your ADFS Server do the following: -1. Connect to the Microsoft Online Service by running in PowerShell `Connect-MsolService`. +1. Connect to the Microsoft Entra Module by running in PowerShell: -1. Document both your on-premises and cloud Token Signing Certificate thumbprint and expiration dates by running `Get-MsolFederationProperty -DomainName `. + `Connect-Entra -Scopes 'Domain.Read.All'`. + +1. Document both your on-premises and cloud Token Signing Certificate thumbprint and expiration dates by running: + + *`Get-AdfsCertificate -CertificateType token-signing>` + + *`Get-EntraFederationProperty -DomainName | FL Source, SigningCertificate`. + 1. Copy down the thumbprint. You'll use it later to remove the existing certificates. You can also get the thumbprint by using AD FS Management. Go to **Service** > **Certificates**, right-click the certificate, select **View certificate**, and then select **Details**. 
@@ -123,28 +130,28 @@ Now that you've added the first certificate, made it primary, and removed the ol ## Update Microsoft Entra ID with the new token-signing certificate -1. Open the Azure AD PowerShell module. Alternatively, open Windows PowerShell, and then run the `Import-Module msonline` command. - 1. Connect to Microsoft Entra ID by running the following command: - `Connect-MsolService` + `Connect-Entra -Scopes 'Domain.Read.All'` 1. Enter your [Hybrid Identity Administrator](/entra/identity/role-based-access-control/permissions-reference#hybrid-identity-administrator) credentials. - > [!Note] - > If you're running these commands on a computer that isn't the primary federation server, enter the following command first: - > - > `Set-MsolADFSContext -Computer ` - > - > Replace \ with the name of the AD FS server and then, at the prompt, enter the administrator credentials for the AD FS server. +1. Optionally, verify whether an update is required by checking the current certificate information in Microsoft Entra ID. To do so, run the following command: + + `Get-EntraFederationProperty -DomainName | FL Source, SigningCertificate` and convert the Base64 Encoded cert to a readble format to check the certificate expiration and thumbprint. + +1. To update the certificate information in Microsoft Entra ID, run the following command: `Update-MgDomainFederationConfiguration -DomainId -InternalDomainFederationId `. + + >[!IMPORTANT] + + You can get the **-InternalDomainFederationId** value by running the commando below: -1. Optionally, verify whether an update is required by checking the current certificate information in Microsoft Entra ID. To do so, run the following command: `Get-MsolFederationProperty`. Enter the name of the Federated domain when prompted. +* `Get-EntraFederationProperty -DomainName your_domain.com` -1. 
To update the certificate information in Microsoft Entra ID, run the following command: `Update-MsolFederatedDomain` and then enter the domain name when prompted. + Get-EntraFedProperty - > [!Note] - > If you receive an error when you run this command, run `Update-MsolFederatedDomain -SupportMultipleDomain` and then, at the prompt, enter the domain name. + ## Replace SSL certificates If you need to replace your token-signing certificate because of a compromise, you should also revoke and replace the Secure Sockets Layer (SSL) certificates for AD FS and your Web Application Proxy (WAP) servers.
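Review bot: the first hunk's new command lines do not render or run as written. `Get-AdfsCertificate -CertificateType token-signing>` carries a stray trailing `>`, and both `*`-prefixed lines lack the space after the bullet marker, so Markdown will not treat them as list items inside the numbered step. `Get-EntraFederationProperty -DomainName | FL Source, SigningCertificate` has no value after `-DomainName`; the original line had the same gap, so the placeholder (e.g. `<domain_name>`) should be restored and escaped so it survives rendering. Minor style point: the surrounding page writes "AD FS", so "From your ADFS Server" should follow that.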
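Review bot: in the second hunk, `Update-MgDomainFederationConfiguration -DomainId -InternalDomainFederationId` passes no new signing certificate, so the step cannot actually update the token-signing certificate in Microsoft Entra ID; the removed `Update-MsolFederatedDomain` read it from AD FS itself, and the replacement needs to show obtaining the new certificate (the `Get-AdfsCertificate` output from the first hunk) and supplying it to the cmdlet, and the `-DomainId` / `-InternalDomainFederationId` placeholders are missing for the same reason as in the first hunk. The session is also opened with `Connect-Entra -Scopes 'Domain.Read.All'`, a read-only scope, before a write to the domain's federation configuration; the connect step here needs a write scope such as `Domain.ReadWrite.All`. The `>[!IMPORTANT]` callout is empty because the lines that follow it are not `>`-quoted, so the explanation of how to find the ID is detached from it; "commando" should be "command" and "readble" should be "readable"; `Get-EntraFedProperty` on its own line looks like a leftover and should be deleted; and dropping the `-SupportMultipleDomain` note leaves readers with multiple federated domains with no guidance for the error case it covered.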