Mailbag: All ADFS All The Time (Issue #11)



AskPFEPlat is in the process of a transformation to the new Core Infrastructure and Security TechCommunity, and will be moving by the end of March 2019 to our new home at (hosted at Please bear with us while we are still under construction!

We will continue bringing you the same great content, from the same great contributors, on our new platform. Until then, you can access our new content on either as you do today, or at our new site Please feel free to update your bookmarks accordingly!

Why are we doing this? Simple really; we are looking to expand our team internally in order to provide you even more great content, as well as take on a more proactive role in the future with our readers (more to come on that later)! Since our team encompasses many more roles than Premier Field Engineers these days, we felt it was also time we reflected that initial expansion.

If you have never visited the TechCommunity site, it can be found at On the TechCommunity site, you will find numerous technical communities across many topics, which include discussion areas, along with blog content.

NOTE: In addition to the AskPFEPlat-to-Core Infrastructure and Security transformation, Premier Field Engineers from all technology areas will be working together to expand the TechCommunity site even further, joining together in the technology agnostic Premier Field Engineering TechCommunity (along with Core Infrastructure and Security), which can be found at!

As always, thank you for continuing to read the Core Infrastructure and Security (AskPFEPlat) blog, and we look forward to providing you more great content well into the future!


Hey y’all Mark and Tom here. Thinks are starting to return to normal so hopefully we should be back to a regular posting schedule. Tom should have some more time since HIS hockey team is already out of the playoffs while mine continues to march on. This mailbag is chalked full of ADFS goodness. Let’s get into it.


Expiring Token-Signing Certificate

Monitoring RPs metadata

Workplace Join Expiration

SQL Team installing ADFS

Stuff from the Interwebs



We have soon expiring token-signing certificates and we need to coordinate with multiple relying parties. Is there a way to use a separate token-signing certificate per replaying party?


No there is not. As Dave discussed in his ADFS Deep Dive Certificate Planning post ( validity period is something to consider and extending the token-signing certificate for greater than 1 year so the frequency of this type of change is not so frequent. We’ve also heard your feedback for this request.


We have several RPs that are set to automatically monitor and update the relying party metadata. How often does this refresh occur and how can I check that it was checked?


It should be refreshing every 24 hours. To validate that you’ll need to use the following PowerShell command to Get-AdfsRelyingPartyTrust –Name “<your relying party trust name>”. Here is an example of my O365 RP.


You can see the LastMonitoredTime of the RP.


Some of my workplace join devices are expiring after 30 days of inactive use. My environment requires me to make this longer, such as 90 days. Can you do this?


Yes you can, use the Set-ADFSDeviceRegistration –MaximumInactiveDays 90. More info can be found


My SQL team is asking me for the exact permissions required to install ADFS DB and set permissions. Is this documented anywhere?


We’ll do you one better. The Export-ADFSDeploymentSQLScript is what you need. It will output two files, one for creating the databases and one for the permissions.


Stuff from the Interwebs

This is some stuff we’ve set aside from the last few weeks. You probably found out about already but if you missed it.

-Baseball has many great things about it. One is when managers lose their minds, like this.

-We are finally getting another Dark Knight comic.

-Summer movies have started don’t miss any.

-Finally, everyone lost their mind about the Star Wars trailer, and it was cool. Let’s not forget what it could have been with Patton Oswalt’s great improv.


Mark ‘yes and’ Morowczynski and Tom ‘18 holes a day’ Moser