Important information about your Office 365 single sign-on deployment


“Dear Administrator,

In order to provide your organization with uninterrupted access to Office 365 and Microsoft Azure Active Directory (Azure AD), you need to ensure your certificate for the domain(s) is renewed and updated in Azure AD right away.”

This alert may raise a few hairs if you are new to ADFS, or are seeing it for the first time. You are receiving it because Microsoft was not able to automatically check your ADFS token-signing certificates for updates, and so could not update them in Azure AD. Other possible causes are that the AD FS server's federation metadata is not published externally, or simply that you are using a third-party STS. This article focuses only on ADFS scenarios.

If you have received such an alert from Microsoft about a possible misconfiguration of your ADFS for one or more federated domains, check the following from your primary ADFS server to ensure your users keep enjoying Office 365 services without interruption.

1. ADFS Certificates

ADFS certificates can be checked from the ADFS Management snap-in or from PowerShell (Get-AdfsCertificate). Check the following to confirm that the certificates are valid and will be updated automatically before they expire. All ADFS certificates should currently be valid, i.e. not expired.

Service Communication certificates:

Service Communication certificates need to be replaced manually. I'll write another article for the steps.

Token signing and decrypting certificates

For these certificates, the AD FS property AutoCertificateRollover should be set to True. Token-signing and token-decrypting certificates are self-signed, and with AutoCertificateRollover enabled AD FS generates new ones automatically before the current ones expire. Newly generated certificates are first added as secondary certificates and are automatically promoted to primary 5 days before the old certificates expire.

Get-AdfsProperties | select *Cert*


To save yourself from an ADFS certificate alert in the M365 admin centre, set CertificateGenerationThreshold (the number of days before expiry at which AD FS generates the new certificate) to more than 30, for example 35.

Set-AdfsProperties -CertificateGenerationThreshold 35

2. ADFS Federation Metadata

The AD FS federation metadata should be publicly accessible. Microsoft reads it to check for token-signing and token-decrypting certificates that are due to expire, so publishing it is what lets the alert be raised correctly (and avoids a false alarm). Check that your federation metadata is publicly accessible by navigating to the following URL from a computer on the public internet (off the corporate network):
https://(your_FS_name)/federationmetadata/2007-06/federationmetadata.xml, where (your_FS_name) is the federation service hostname your organization uses.

If the metadata is publicly accessible, for instance from a home office or a 3G/4G hotspot, the XML document loads in the browser. If the page does not load, check whether the connection is being blocked by your firewall.
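The two checks above can be run together from PowerShell on the primary ADFS server. The script below is an added example, not part of the original post; it assumes the standard AD FS cmdlets are available and uses an assumed $AlertWindowDays of 30 to mirror the threshold the post recommends staying above.

```powershell
# Added health check, not from the original post. Run in an elevated PowerShell
# session on the primary AD FS server. $AlertWindowDays is an assumed value (30).
$AlertWindowDays = 30
$props = Get-AdfsProperties

# 1. Certificate inventory: type, primary/secondary and days until expiry.
$certs = Get-AdfsCertificate
$certs | ForEach-Object {
    $daysLeft = [int]($_.Certificate.NotAfter - (Get-Date)).TotalDays
    [pscustomobject]@{
        Type       = $_.CertificateType
        IsPrimary  = $_.IsPrimary
        Thumbprint = $_.Thumbprint
        NotAfter   = $_.Certificate.NotAfter
        DaysLeft   = $daysLeft
        Status     = if ($daysLeft -le 0) { 'EXPIRED' }
                     elseif ($daysLeft -le $AlertWindowDays) { 'EXPIRING SOON' }
                     else { 'OK' }
    }
} | Format-Table -AutoSize

# 2. Rollover settings for the self-signed token signing/decrypting certificates.
if (-not $props.AutoCertificateRollover) {
    Write-Warning 'AutoCertificateRollover is False; new token certificates will not be generated automatically.'
}
if ($props.CertificateGenerationThreshold -le $AlertWindowDays) {
    Write-Warning ('CertificateGenerationThreshold is {0} days; raise it above {1}, e.g. Set-AdfsProperties -CertificateGenerationThreshold 35.' -f $props.CertificateGenerationThreshold, $AlertWindowDays)
}

# 3. Federation metadata: fetch it and compare the published signing keys with the local
# token-signing thumbprints. Repeat this part from a machine outside the corporate
# network; success from the server itself only proves internal reachability.
$metadataUrl = "https://$($props.HostName)/federationmetadata/2007-06/federationmetadata.xml"
$localSigning = $certs | Where-Object CertificateType -eq 'Token-Signing' | Select-Object -ExpandProperty Thumbprint
try {
    $resp = Invoke-WebRequest -Uri $metadataUrl -UseBasicParsing -TimeoutSec 15
    $xml  = [xml]$resp.Content
    $published = $xml.GetElementsByTagName('KeyDescriptor') |
        Where-Object { $_.use -eq 'signing' } |
        ForEach-Object {
            $raw = [Convert]::FromBase64String($_.KeyInfo.X509Data.X509Certificate)
            ([System.Security.Cryptography.X509Certificates.X509Certificate2]$raw).Thumbprint
        } | Select-Object -Unique
    foreach ($tp in $localSigning) {
        if ($published -contains $tp) { "Token-signing $tp is published in the metadata" }
        else { Write-Warning "Token-signing $tp is NOT in the published metadata" }
    }
} catch {
    Write-Warning "Metadata not reachable at $metadataUrl ($($_.Exception.Message))"
}
```

A token-signing certificate that is valid locally but missing from the published metadata is exactly the state in which Azure AD cannot pick up the new key, so a warning in step 3 is the finding to act on first.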


I welcome you to write your comments here.