According to Renew federation certificates for Microsoft 365 and Microsoft Entra ID we should enable rollover on certificates and after controlled switch between primary and secondary certificates our federation between Azure and ADFS should be updated, but:
- the next signing certificate on Azure was from two periods ago (one period is 2 years, so it was 4 years old, now we have certs from 2025 to 2027, previous period it was 2023 to 2025, but two periods ago it was 2021 to 2023)
- so the next signing certificate wasn't updated till 4 years
- on daily basis we have AutoCertificateRollover disabled
- when it should be enabled? just before enforced generation of the new certificates? it wasn't
- so we changed it manually - after replacement of certificates (flip between secondary and primary) they've been exported to base64, imported in powershell (copy paste from .cer file to variable)
- connection to Entra - Connect-Entra -Scopes 'Domain.ReadWrite.All' (different possible values are like User.ReadWrite.All, Directory.ReadWrite.All, Group.ReadWrite.All - not suitable in our case)
- and update using Update-MgDomainFederationConfiguration -DomainId 'our.federated.domain.com' (like contoso.com) -InternalDomainFederationId 'our-federation-id' -signingcertificate $variableWithCert
- at first we've tested on -nextsigningcertificate, later on -signingcertificate
- confirmation on Get-MgDomainFederationConfiguration -DomainId 'our.federated.domain.com' -InternalDomainFederatoinId 'our-federation-id' (pipe) Format-list - there we could confirmed that certificates were replaced
- additional confirmation was on Teams on mobile devices - after logout and logon it was obious that it is working
Pay Attention!!! You must have BGA account without MFA (if you have enabled MFA) - probably You will have issues connecting to Azure after certificate replacement. Maybe You should open connection (powershell session) before any steps - just in case.
