These proactive emails are geared towards ensuring that you are prepared for certificate replacement, if needed.


By default, AD FS 2.0 utilizes self-signed certificates for token-signing and token-decrypting. This feature is called AutoCertificateRollover, and you can ensure that this is enabled by examining a couple of items:

View the current token-signing and token-decrypting certificates

  1. Launch AD FS 2.0 Management on a Primary AD FS 2.0 server
  2. Expand the Service node and select Certificates
  3. In the center pane, you’ll see three certificates listed: Service Communications, Token-Decrypting, and Token-Signing. AutoCertificateRollover only manages the Token-Decrypting and Token-Signing certificates for you
  4. If you expand the Subject and Issuer columns in the AD FS 2.0 Management console, you’ll see that the Subject and Issuer values match. This means the certificates are self-signed by AutoCertificateRollover, and AD FS 2.0 will renew these certificates automatically for you (no action required).
  5. If the Subject and Issuer columns do NOT match, that means you manually disabled AutoCertificateRollover and intend to manually replace these certificates on your own



View the current True/False value of AutoCertificateRolloverEnabled

  1. On a Primary AD FS 2.0 server, launch an Administrative PowerShell console
  2. Type the following commands:


Add-PsSnapin Microsoft.Adfs.Powershell



3. In the output, find AutoCertificateRolloverEnabled and note if it is set to True or False. If it is set to True, then AD FS 2.0 is set to renew these certificates automatically for you. If it is set to False, you have manually disabled AutoCertificateRollover, and you intend to replace these certificates on your own.




Windows Azure Active Directory auto-pull

Windows Azure AD will automatically pull new certificate information from your Federation Metadata XML (published by your Federation Service) in order to learn about your new certificates. No action is required as long as AutoCertificateRollover is enabled in AD FS 2.0.



Scripted Push Tool

Microsoft offers a push tool so that you are automatically pushing your Federation Metadata to Office 365 on a schedule. We recommend ALL of our identity federation customers run this tool as an added measure to ensure metadata freshness between your federation service and ours:


Microsoft Office 365 Federation Metadata Update Automation Installation Tool




If you prefer to manually execute a command to update metadata rather than run the automated tool on a schedule

  1. On a Primary AD FS 2.0 server, make sure Microsoft Online Services Module for Windows PowerShell is installed and launch an Administrative PowerShell console
  2. Type the following commands:


NOTE: The –SupportMultipleDomain parameter is ONLY needed if you have multiple top-level domains (TLDs) that are utilizing Federated authentication. If you have just one Federated top-level domain, do NOT utilize the –SupportMultipleDomain parameter


Import-Module MsOnline


Update-MsolFederatedDomain –DomainName “enter-your-Federated-domain-name-here” -SupportMultipleDomain


3. Verify your metadata is fresh (certificate thumbprints match) by executing the following command:


Get-MsolFederationProperty –DomainName “enter-your-Federated-domain-name-here”




ONLY if you have DISABLED AutoCertificateRollover, you will need to manually replace the token-signing and token-decrypting certificates based on the following guidance:


AD FS 2.0: How to Replace the SSL, Service Communications, Token-Signing, and Token-Decrypting Certificates