ADFS signing certificate rollover

A few weeks ago it was that time of year again: the ADFS token-signing certificate was about to expire. Last year it took us by surprise because the ADFS team did not notify us and we had not put the expiry date in our agendas. So last year we had a lot of people complaining that SharePoint 2013 was not available anymore.

This year we had it in our agendas that the certificate would roll over, so we were prepared and had contacted the ADFS team to arrange the rollover. I also found a nice script that can be run to prepare for it. This script downloads the new certificate and, when the secondary certificate becomes the primary, updates SharePoint.

The problem we now had was that the ADFS team had set ADFS auto rollover to false and generated a new certificate themselves. This caused a problem for Office 365 and all the other applications that rely on auto rollover to prepare for the switch. Because auto rollover was off, the connectors for Office 365 had to be updated manually.

This can be done with a simple command: “Update-MsolFederatedDomain”. This command needs to be run for every federated domain. At this customer we have about 300 federated domains, so that took about 4 hours to run.
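With hundreds of federated domains, a loop with a pre-check and a log saves time and makes the rerun after a failure trivial. The script below is an added illustration, not part of the original post or the linked gist; it assumes the MSOnline module, a placeholder ADFS host name, and that Get-MsolFederationProperty reports the ADFS and Office 365 sides via Source and TokenSigningCertificate properties.

```powershell
# Added example, not from the original post. Assumes the MSOnline module is
# installed and that the primary ADFS server is reachable for the ADFS context.
Import-Module MSOnline
Connect-MsolService                      # prompts for a Global Administrator account
Set-MsolADFSContext -Computer 'ADFS01'   # placeholder: name of your primary ADFS server

# Only pass -SupportMultipleDomain if the domains were federated with it originally.
$multi = $true
$log   = Join-Path $env:TEMP 'federation-rollover.log'

$federated = Get-MsolDomain -Authentication Federated

foreach ($domain in $federated) {
    $name = $domain.Name

    # Get-MsolFederationProperty returns one object for the ADFS side and one for
    # the Office 365 side. The Source values and TokenSigningCertificate property
    # are assumed from the cmdlet's output; adjust if your module version differs.
    $props = Get-MsolFederationProperty -DomainName $name
    $adfs  = ($props | Where-Object Source -eq 'ADFS Server').TokenSigningCertificate.Thumbprint
    $cloud = ($props | Where-Object Source -eq 'Microsoft Office 365').TokenSigningCertificate.Thumbprint

    # Skip domains whose cloud-side signing certificate already matches ADFS,
    # so a rerun after an interruption only touches what is still out of date.
    if ($adfs -and $cloud -and $adfs -eq $cloud) {
        "$(Get-Date -Format s) $name already in sync ($cloud)" | Tee-Object -FilePath $log -Append
        continue
    }

    try {
        if ($multi) {
            Update-MsolFederatedDomain -DomainName $name -SupportMultipleDomain -ErrorAction Stop
        } else {
            Update-MsolFederatedDomain -DomainName $name -ErrorAction Stop
        }
        "$(Get-Date -Format s) $name updated (ADFS $adfs, cloud was $cloud)" | Tee-Object -FilePath $log -Append
    }
    catch {
        # Keep going; the log tells you which domains to retry.
        "$(Get-Date -Format s) $name FAILED: $($_.Exception.Message)" | Tee-Object -FilePath $log -Append
    }
}
```

Review the log afterwards for FAILED entries and rerun the script; domains that were already updated are skipped by the thumbprint check.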

This is the link to the script https://gist.github.com/arjancornelissen/7083e533d6650745a24ba82f978713bd. I found it on the internet but do not know where I found it.

My advice is to leave ADFS on its recommended auto rollover setting and to use this script on SharePoint.