If you are deploying ADFS with Office 365, we have a federation metadata update tool available which we strongly strongly recommend you to deploy with any ADFS deployment used for federation with Office 365. This update tool will automatically update the Office 365 service using update-msolfederateddomain cmdlet when the ADFS token signing certificate renews on an annual basis. If you do not run this tool as a daily scheduled task on the ADFS server, you will have to manually monitor this token signing certificate renewal on the ADFS server by another means. I put together a quick FAQ below about this tool:
Where do I get the update tool to install on my ADFS server?
Link to the Federation Metadata update tool is here.
What happens if I don’t install this tool?
The risk of not running the federation metadata update tool is an end-user outage (token signing certificate expires once a year) will likely occur unless you manually monitor your ADFS servers for renewed token signing certificates.
Do I have to run this update tool on every ADFS server?
The update tool script only has to run on ONE ADFS server not every server. It will then run as a scheduled task once a day and check for metadata changes. If found, it will update Office 365 automatically.
What if I have multiple UPNs serviced by ADFS?
You need to obtain a list of all of your Federated domains by running the Get-MsolDomain command. Then, edit the single instance of the .ps1 file, included with the federation metadata update tool, located in C:\Office365-Scripts so that Update-MsolFederatedDomain is executed for each of the Federated domains in your tenant (add an additional execution line for each domain in your list). Be sure to utilize the -SupportMultiple domain parameter in the Update-MsolFederatedDomain cmdlet if you have multiple top-level Federated domains.
Can you provide me more technical details behind the ADFS Token Signing certificate renewal?
ADFS 2.0 has a featured called AutoCertificateRollover which renews ADFS certificates once a year. AutoCertificateRollover (ACR) generates 2 brand new certs annually. One of those certs, the token signing certificate, signs ALL assertions leaving your federation server. If Office 365 doesn’t know about that brand new token-signing cert, your entire organization will fail to sign in to any O365 resource. You can maintain this yourself with manual checking or utilize the federation metadata tool provided which will check for this change and update the Office 365 service automatically.
Will it do any harm if we install it on all of our ADFS servers in the farm?
Will this also work for ADFS that does not use Office 365?
This is only required for Office 365. It will update the self-signed cert without issue with standalone ADFS.
Why doesn't Office 365 automatically exchange metadata with the idP?
I noticed that the script now seems to grab the multiple domains and allows for the -SupportMultipleDomains switch now, is this correct? I would assume then that there's nothing for me to edit in this script?
yes, I wrote this blog post a year prior so looks like it has been updated to support that.
Hey Mark, does Office 365 now automatically pull the federation metadata? Our certificates rolled over and Office 365 seems to have been automatically updated. As far as we know the script is not set up in our environment.
@Shane - I believe this tool only applies to ADFS 2.0 and may be resolved in ADFS in 2012 and 2012 R2 however I could not find the articles verifying this.
This environment is ADFS 2.0, I imagine that the Office 365 platform might have been set up to automatically pull the federation metadata file to update the certificates.