If you are deploying ADFS with Office 365, we have a federation metadata update tool available which we strongly strongly recommend you to deploy with any ADFS deployment used for federation with Office 365.  This update tool will automatically update the Office 365 service using update-msolfederateddomain cmdlet when the ADFS token signing certificate renews on an annual basis. If you do not run this tool as a daily scheduled task on the ADFS server, you will have to manually monitor this token signing certificate renewal on the ADFS server by another means.  I put together a quick FAQ below about this tool:

 

Where do I get the update tool to install on my ADFS server?

Link to the Federation Metadata update tool is here.

What happens if I don’t install this tool?

The risk of not running the federation metadata update tool is an end-user outage (token signing certificate expires once a year) will likely occur unless you manually monitor your ADFS servers for renewed token signing certificates.

 

Do I have to run this update tool on every ADFS server?

The update tool script only has to run on ONE ADFS server not every server. It will then run as a scheduled task once a day and check for metadata changes. If found, it will update Office 365 automatically.


What if I have multiple UPNs serviced by ADFS?

You need to obtain a list of all of your Federated domains by running the Get-MsolDomain command. Then, edit the single instance of the .ps1 file, included with the federation metadata update tool, located in C:\Office365-Scripts so that Update-MsolFederatedDomain is executed for each of the Federated domains in your tenant (add an additional execution line for each domain in your list). Be sure to utilize the -SupportMultiple domain parameter in the Update-MsolFederatedDomain cmdlet if you have multiple top-level Federated domains.

 

Can you provide me more technical details behind the ADFS Token Signing certificate renewal?

ADFS 2.0 has a featured called AutoCertificateRollover which renews ADFS certificates once a year. AutoCertificateRollover (ACR) generates 2 brand new certs annually. One of those certs, the token signing certificate, signs ALL assertions leaving your federation server. If Office 365 doesn’t know about that brand new token-signing cert, your entire organization will fail to sign in to any O365 resource. You can maintain this yourself with manual checking or utilize the federation metadata tool provided which will check for this change and update the Office 365 service automatically.