Auto Cert Rollover in ADFS and setting the new token signing as primary and changing the old one as secondary | Renew federation certificates for Office 365 and Azure Active Directory

Renew federation certificates for Office 365 and Azure Active Directory

Auto Cert Rollover in ADFS and setting the new token signing as primary and changing the old one as secondary 

If you get a token signing certificate when the old certificate is expiring, the new certificate will sitting only as "secondary" until the promotion threshold is met .



you cannot change the cert as Primary. It will be grayed out.

Step 1: Check the AutoCertificateRollover state

get into the Primary ADFS server


run   Get-Adfsproperties in PowerShell with elevated rights.


check if autocertificateRollover is set to "true"

here the threshold is 5 days so the new certificate will become as Primary 5 days before the expiry of the original certificate.

Step 2: Confirm that AD FS and Azure AD are in sync

Install-Module MSOnline
Connect to Azure AD using the MSOnline PowerShell-Module.Import-Module MSOnlineConnect-MsolService
Check the certificates configured in AD FS and Azure AD trust properties for the specified domain.Get-MsolFederationProperty -DomainName <domain.name> | FL Source, TokenSigningCertificate
If the thumbprints in both the outputs match, your certificates are in sync with Azure AD.

if not run Update-MSOLFederatedDomain –DomainName <domain>

Renew the token signing certificate automatically (recommended) 

You don't need to perform any manual steps if both of the following are true:You have deployed Web Application Proxy, which can enable access to the federation metadata from the extranet.You are using the AD FS default configuration (AutoCertificateRollover is enabled).Check the following to confirm that the certificate can be automatically updated.

1. The AD FS property AutoCertificateRollover must be set to True. This indicates that AD FS will automatically generate new token signing and token decryption certificates, before the old ones expire.

2. The AD FS federation metadata is publicly accessible. Check that your federation metadata is publicly accessible by navigating to the following URL from a computer on the public internet (off of the corporate network):https://(your_FS_name)/federationmetadata/2007-06/federationmetadata.xmlwhere (your_FS_name)is replaced with the federation service host name your organization uses, such as fs.contoso.com. If you are able to verify both of these settings successfully, you do not have to do anything else.

Example: https://fs.contoso.com/federationmetadata/2007-06/federationmetadata.xml

REFER:


https://blogs.msdn.microsoft.com/vilath/2015/09/02/how-to-update-certificates-for-ad-fs-3-0/

How to delete a managed Domain in Azure.

How to delete a managed Domain in Azure.

Some time we might be in a need to delete the managed domain in Azure. Follow the below mentioned steps to delete the managed Domain or custom Domain. However you will not be able to delete the Primary domain (abc.onmicrosoft.com) as it is the name of your directory abc.onmicrosoft.com).

• Log in to Portal.azure.com with global Admin credentials

• Azure Active Directory => Custom Domain names

• Click on the custom domain name => Click Delete

To delete a custom domain name, you must first ensure that no resources in your directory rely on the domain name.

You can’t delete a domain name from your directory if:

• ·        Any user has a user name, email address, or proxy address that includes the domain name.
• ·        Any group has an email address or proxy address that includes the domain name.
• ·         Any application in your Azure AD has an app ID URI that includes the domain name.

You must change or delete any such resource in your Azure AD directory before you can delete the custom domain name.

• 
  
  Refer the docs for more info.
  https://docs.microsoft.com/en-us/azure/active-directory/active-directory-domains-manage-azure-portal
  https://msdn.microsoft.com/library/azure/e1ef403f-3347-4409-8f46-d72dafa116e0#BKMK_ManageDomains

Getting error in ADFS proxy 2.0 "Encountered error during federation passive request"

Some customers who are using 2008 server for ADFs proxy may sometime get errors
  "Encountered error during federation passive request"

This usually happens when they change the certificate which is about to expire.

Usually for this kind of issue where the ADFS service and metadata when not accessible extenally we check for certificate bindings

we will be going to PowerShell  with admin rights

run
get-Webapplicationproxysslcertificate
compare the thumbprint with ADFS

but in 2008 R2 we don't have this option to run PS command

so run the ADFS proxy 2.0 wizard that will be fixing the most of the issues.

Azure MFA Unexpected-Failed Result - MFA App Password calls being rejected with bad username/password

My users that use App passwords for the native mail client are not getting mail.

there has been many customers that are saying app passwords are not working with azure.

The back end team has fixed the issue. If you still have problem create a support ticket in Azure portal.