How to renew Azure MFA Certificate for ADFS Server

Posted in : ADFS, Microsoft, Powershell By Oliwer Sundgren Translate with Google ⟶

1 year ago

ADFS may be an old system but it’s still used is enterprise environments.
If you have integrated Azure MFA with ADFS then you may have noticed that there is a certificate used to tie together your ADFS servers with the Azure MFA service principal in your Azure AD tenant, this is critical for the MFA method to function correctly.

The certificate is valid for 2 years and will therefore need to be manually renewed. Note that this is a self-signed certificate so you don’t need to go out and get a new third party signed certificate.

How to get started:

First of all, note how many ADFS servers you have in your farm since this procedure will need to be done on all ADFS servers in the farm.

1: Sign in to one of your ADFS Servers and open the Personal Cert store (certlm.msc)
And find a certificate that contains your Azure AD Tenant ID/Name (Usually doman.onmicrosoft.com) The Issuer and Subject will be “OU=Microsoft AD FS Azure MFA”

2: Note when this certificate expires, if it has already expired when you are going to renew it then the procedure further down will look a bit different. If it as not yet expired then it’s OK.

Renew the certificate:

Now we will need to create a new certificate on all ADFS Servers in the farm, this will be done via a Powershell command.

1: Start PowerShell as an Administrator on your ADFS Server

2a: Run the following command if the current certificate is still valid
$Certificate = New-AdfsAzureMfaTenantCertificate -TenantId <tenant.onmicrosoft.com> -Renew $true

2b: Run the following command if the current certificate is not valid
$Certificate = New-AdfsAzureMfaTenantCertificate -TenantId <tenant.onmicrosoft.com>

What this command will do is generate a new self-signed certificate that is valid for 2 years
Repeat these steps on all the ADFS Servers in the farm.

Connect the new ADFS Certificates to the Azure MFA Service in the Azure AD Tenant:

After we’ve created new certificates in the previous steps for all ADFS servers we will have to tie them to the service principal service for Azure MFA in your Azure AD tenant. Do this by following the below steps

1: In the same PowerShell window as you had opened while creating the new ceriticate, run the following command to connect to your Azure AD tenant
Connect-MsolService
Sign in with your Azure AD Admin account.

2: Now its time to add the new certificate as a valid credential to the Azure MFA service principal. Do this by running the following command
New-MsolServicePrincipalCredential -AppPrincipalId 981f26a1-7f43-403b-a875-f8b09b8cd720 -Type Asymmetric -Usage Verify -Value $Certificate

Note that the AppPrincipalID is not unique in every tenant so you can copy and run this command without having to edit any parameters.

3: If your previous certificate had already expired when you followed these steps, then you will have to restart the ADFS Service on the server in order for the changes to take effect.

Repeat these steps on all the ADFS Servers in the farm and then you are done!

I hope this helped you.
If you have any questions or want to discuss this further then feel free to comment on this post or contact me via email on Oliwer.sundgren@xenit.se

Thanks for reading!

Tags : ADFS, Azure AD, How to, MFA, Microsoft, PowerShell