What do I have to do if I received an alert on the Office 365 portal, or an e-mail, informing me that one of the federation service certificates is expiring?


Content developed by the Shared Services Support Team.


This alert normally relates to the Token-Signing and Token-Decrypting certificates.

In most cases you do not need to do anything. By default, your AD FS server is configured for AutoCertificateRollover, which means that new certificates are generated and promoted to primary automatically. You simply need to confirm that your on-premises AD FS infrastructure is configured as follows:

1) Open PowerShell
2) Get-AdfsProperties | fl AutoCertificateRollover

If the output is “AutoCertificateRollover : True”, you do not need to do anything: your Token-Signing and Token-Decrypting certificates will update automatically. You can also check that "NextTokenSigningCertificate" contains the details of the next certificate to be used:

1) Open PowerShell
2) Connect-MsolService
3) Get-MsolFederationProperty -DomainName yourdomain.name
4) Check the "NextTokenSigningCertificate" value for both the "ADFS Server" and "Microsoft Office 365" rows; they should refer to the same certificate.
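The following PowerShell script is an added example, not part of the original post or of any Microsoft tool. It runs the checks above in one pass: it reads AutoCertificateRollover, lists the Token-Signing and Token-Decrypting certificates AD FS holds with their expiry dates, and compares the current and next token-signing certificate thumbprints reported by AD FS with the ones Office 365 has on record. It assumes it is run on the primary AD FS server (the ADFS module on 2012 R2 and later, or the Microsoft.Adfs.PowerShell snap-in on AD FS 2.0), that the MSOnline module is installed and Connect-MsolService has already been run with an Office 365 admin account, that Get-MsolFederationProperty returns one row per Source named "ADFS Server" and "Microsoft Office 365" with TokenSigningCertificate and NextTokenSigningCertificate properties, and that $DomainName is a placeholder for your federated domain.

```powershell
param(
    # Placeholder: the federated domain named in the alert.
    [Parameter(Mandatory = $true)]
    [string]$DomainName,
    # Warn when a primary certificate has this many days or fewer left.
    [int]$WarnDays = 30
)

# AD FS 2012 R2+ ships a module; AD FS 2.0 uses a snap-in (assumption: one of the two is present).
if (Get-Module -ListAvailable -Name ADFS) { Import-Module ADFS } else { Add-PSSnapin Microsoft.Adfs.PowerShell }
Import-Module MSOnline -ErrorAction Stop

# 1) Auto-rollover. If this is False, AD FS will not renew the certificates on its own.
$props = Get-AdfsProperties
if ($props.AutoCertificateRollover) {
    Write-Output 'AutoCertificateRollover : True  - AD FS generates and promotes new certificates automatically.'
} else {
    Write-Warning 'AutoCertificateRollover : False - certificates must be replaced manually.'
}

# 2) Expiry of the Token-Signing and Token-Decrypting certificates AD FS currently holds.
#    With rollover enabled, a secondary certificate appears before the primary expires.
foreach ($type in 'Token-Signing', 'Token-Decrypting') {
    foreach ($cert in Get-AdfsCertificate -CertificateType $type) {
        $daysLeft = [int]($cert.Certificate.NotAfter - (Get-Date)).TotalDays
        $role     = if ($cert.IsPrimary) { 'primary' } else { 'secondary' }
        Write-Output ('{0,-16} {1,-9} {2}  expires {3:yyyy-MM-dd} ({4} days)' -f `
            $type, $role, $cert.Thumbprint, $cert.Certificate.NotAfter, $daysLeft)
        if ($cert.IsPrimary -and $daysLeft -le $WarnDays) {
            Write-Warning "$type primary certificate expires in $daysLeft days."
        }
    }
}

# 3) Compare what AD FS reports with what Office 365 has on record for this domain.
#    Assumption: one row per Source, each carrying TokenSigningCertificate and
#    NextTokenSigningCertificate as X509Certificate2 objects (possibly empty).
$fed   = Get-MsolFederationProperty -DomainName $DomainName
$adfs  = $fed | Where-Object { $_.Source -eq 'ADFS Server' }
$cloud = $fed | Where-Object { $_.Source -eq 'Microsoft Office 365' }

$mismatch = $false
foreach ($prop in 'TokenSigningCertificate', 'NextTokenSigningCertificate') {
    $local  = $adfs.$prop.Thumbprint    # $null when AD FS has no such certificate yet
    $remote = $cloud.$prop.Thumbprint   # $null when Office 365 has none on record
    Write-Output ('{0,-28} AD FS: {1}  Office 365: {2}' -f $prop, $local, $remote)
    if ($local -ne $remote) { $mismatch = $true }
}

if ($mismatch) {
    Write-Warning ('Office 365 does not hold the same certificates as AD FS. Run: ' +
        "Update-MsolFederatedDomain -DomainName $DomainName -SupportMultipleDomain")
} else {
    Write-Output 'Office 365 federation metadata matches AD FS; no update needed.'
}
```

Save it under any name (for instance the hypothetical Check-AdfsCertRollover.ps1) and run it as `.\Check-AdfsCertRollover.ps1 -DomainName yourdomain.name` after Connect-MsolService. The script only reports; it prints the Update-MsolFederatedDomain command from the post rather than running it, so you can review the thumbprints first. The -SupportMultipleDomain switch is reproduced as the post gives it; keep it only if the federation trust for that domain was originally created with it.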

On rare occasions, after the automatic switch to the new certificates, you might need to update the Office 365 federation information:

Option a)
Check whether you have previously installed the automatic federation update tool.

If not, install it using the following script: Microsoft Office 365 Federation Metadata Update Automation Installation Tool – http://gallery.technet.microsoft.com/scriptcenter/Office-365-Federation-27410bdc.

Option b)
Manually update the federation information (only needed once after the certificate renewal):
1) Connect-MsolService
2) Enter your Office 365 admin credentials
3) Update-MsolFederatedDomain -DomainName yourdomain.name -SupportMultipleDomain

And that’s it.

If for some reason the output is “AutoCertificateRollover : False”, follow the guidance in this article: http://social.technet.microsoft.com/wiki/contents/articles/2554.ad-fs-2-0-how-to-replace-the-ssl-service-communications-token-signing-and-token-decrypting-certificates.aspx.

Additional notes:
To learn more about certificates in AD FS, see the following article: http://social.technet.microsoft.com/wiki/contents/articles/2554.ad-fs-2-0-how-to-replace-the-ssl-service-communications-token-signing-and-token-decrypting-certificates.aspx

To understand the difference between the date shown in the alert message and the expiration date of the certificate in AD FS, a new article is available on this blog: http://blogs.technet.com/b/tfg/archive/2014/04/21/token-signing-and-token-decrypt-certificates-expiration-process-and-dates.aspx.
