Update how-to-connect-emergency-ad-fs-certificate-rotation.md #1695

Status: Open. Wants to merge 1 commit into base: main.
Expand Up @@ -24,11 +24,18 @@ If you need to rotate the Active Directory Federation Services (AD FS) certifica

## Determine your Token Signing Certificate thumbprint

To revoke the old Token Signing Certificate that AD FS is currently using, you need to determine the thumbprint of the token-signing certificate. Do the following:
To revoke the old Token Signing Certificate that AD FS is currently using, you need to determine the thumbprint of the token-signing certificate. From your ADFS Server do the following:

1. Connect to the Microsoft Online Service by running in PowerShell `Connect-MsolService`.
1. Connect to the Microsoft Entra Module by running in PowerShell:

1. Document both your on-premises and cloud Token Signing Certificate thumbprint and expiration dates by running `Get-MsolFederationProperty -DomainName <domain>`.
`Connect-Entra -Scopes 'Domain.Read.All'`.

1. Document both your on-premises and cloud Token Signing Certificate thumbprint and expiration dates by running:

*`Get-AdfsCertificate -CertificateType token-signing>`

*`Get-EntraFederationProperty -DomainName <your_domain.com> | FL Source, SigningCertificate`.

1. Copy down the thumbprint. You'll use it later to remove the existing certificates.

You can also get the thumbprint by using AD FS Management. Go to **Service** > **Certificates**, right-click the certificate, select **View certificate**, and then select **Details**.
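Review bot: the new bullet `*`Get-AdfsCertificate -CertificateType token-signing>`` has a stray `>` after `token-signing`, which PowerShell parses as a redirection operator with no file name, so the command as written is a parse error; both new bullets also lack the space after `*` that Markdown needs to render them as a list. Suggested: `* \`Get-AdfsCertificate -CertificateType Token-Signing\`` and `* \`Get-EntraFederationProperty -DomainName <your_domain.com> | FL Source, SigningCertificate\``. Step 3 still says "Copy down the thumbprint", but only the on-premises `Get-AdfsCertificate` output shows a thumbprint directly; the cloud value in `SigningCertificate` is the Base64-encoded certificate (the second hunk says as much), so either state that here or show the conversion once, e.g. `[System.Security.Cryptography.X509Certificates.X509Certificate2]::new([Convert]::FromBase64String($b64))` exposes `Thumbprint` and `NotAfter`. Wording: "Connect to the Microsoft Entra Module" should read "Connect to Microsoft Entra ID with the Microsoft Entra PowerShell module", and "ADFS Server" should follow the article's own spelling, "AD FS server".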
Expand Down Expand Up @@ -123,28 +130,28 @@ Now that you've added the first certificate, made it primary, and removed the ol

## Update Microsoft Entra ID with the new token-signing certificate

1. Open the Azure AD PowerShell module. Alternatively, open Windows PowerShell, and then run the `Import-Module msonline` command.

1. Connect to Microsoft Entra ID by running the following command:

`Connect-MsolService`
`Connect-Entra -Scopes 'Domain.Read.All'`

1. Enter your [Hybrid Identity Administrator](/entra/identity/role-based-access-control/permissions-reference#hybrid-identity-administrator) credentials.

> [!Note]
> If you're running these commands on a computer that isn't the primary federation server, enter the following command first:
>
> `Set-MsolADFSContext -Computer <servername>`
>
> Replace \<servername\> with the name of the AD FS server and then, at the prompt, enter the administrator credentials for the AD FS server.
1. Optionally, verify whether an update is required by checking the current certificate information in Microsoft Entra ID. To do so, run the following command:

`Get-EntraFederationProperty -DomainName <your_domain.com> | FL Source, SigningCertificate` and convert the Base64 Encoded cert to a readble format to check the certificate expiration and thumbprint.

1. To update the certificate information in Microsoft Entra ID, run the following command: `Update-MgDomainFederationConfiguration -DomainId <your_domain.com> -InternalDomainFederationId <hex_domainID>`.

>[!IMPORTANT]

You can get the **-InternalDomainFederationId** value by running the commando below:

1. Optionally, verify whether an update is required by checking the current certificate information in Microsoft Entra ID. To do so, run the following command: `Get-MsolFederationProperty`. Enter the name of the Federated domain when prompted.
* `Get-EntraFederationProperty -DomainName your_domain.com`

1. To update the certificate information in Microsoft Entra ID, run the following command: `Update-MsolFederatedDomain` and then enter the domain name when prompted.
<img width="1774" height="165" alt="Get-EntraFedProperty" src="https://github.com/user-attachments/assets/5eac3a9f-a1e8-49e7-b3fb-36360a2ee211" />

> [!Note]
> If you receive an error when you run this command, run `Update-MsolFederatedDomain -SupportMultipleDomain` and then, at the prompt, enter the domain name.


## Replace SSL certificates

If you need to replace your token-signing certificate because of a compromise, you should also revoke and replace the Secure Sockets Layer (SSL) certificates for AD FS and your Web Application Proxy (WAP) servers.
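Review bot: the replacement update step, `Update-MgDomainFederationConfiguration -DomainId <your_domain.com> -InternalDomainFederationId <hex_domainID>`, supplies no certificate, so it cannot update anything. The removed `Update-MsolFederatedDomain` read the new token-signing certificate from the AD FS server itself (which is why the deleted `Set-MsolADFSContext -Computer <servername>` note existed); the Graph cmdlet needs the value passed explicitly, e.g. take `(Get-AdfsCertificate -CertificateType Token-Signing).Certificate`, Base64-encode its `RawData` with `[Convert]::ToBase64String`, and pass the string with `-SigningCertificate`. Related: `Connect-Entra -Scopes 'Domain.Read.All'` grants read-only access, so the update call will fail with insufficient privileges; this section needs `Domain.ReadWrite.All`. Smaller points: the `>[!IMPORTANT]` callout has an empty body and the sentence that follows ("...by running the commando below") sits outside it and should read "command"; "readble" should be "readable"; `-DomainName your_domain.com` drops the angle brackets used for the placeholder everywhere else; and the screenshot is hot-linked from `user-attachments` rather than added under the article's media folder with descriptive alt text, and it shows nothing the preceding `FL Source, SigningCertificate` command does not already describe.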