Learn how to generate, update, and activate app-level signing certificates for Office 365 integrations
with WS-Federation Manual using PowerShell as the sign-on method.
About this task
SAML assertions sent from Okta to Office 365 are cryptographically signed using a signing
certificate. If your active signing
certificate expires, Microsoft rejects all SAML assertions, which blocks user access to Office
365 apps. To avoid service disruptions, ensure that you rotate your signing certificate before it expires,
which involves generating and using a new certificate.
Before you begin
- Sign in as a super admin.
- Verify that the sign on method configured for your Office 365 app instance is WS-Federation Manual using PowerShell. See Configure Single Sign-On for Office 365.
- Ensure that you have sufficient permission in Microsoft Entra ID to register a certificate using PowerShell commands.
- Create a backup of your current settings using the
Get-MgDomainFederationConfiguration command. If needed, you
can use this backup to restore your settings.
-
In the Admin Console, go to .
- Search for and select the Office 365 app integration whose certificate you want to rotate.
- Go to the Sign On tab.
- Click Generate new certificate in the SAML Signing
Certificates section.
Warning: You must register the new certificate with Microsoft before you activate it. If you activate the new
certificate for a WS-Federation Manual configuration without registering it, then all SSO operations
for the integration fail.
To register the new certificate, complete the following steps:
- Select View IdP metadata from the certificate's Actions menu.
- Copy the X509Certificate value of the certificate and retain it for a future step. For example,
if your metadata contains
<ds:X509Certificate>MIID...CF/c</ds:X509Certificate>, copy MIID...CF/c. - Select View Setup Instructions from the sidebar.
- Copy the provided command from the Update the signing certificate for an already federated domain section.
- Replace
<NewCertificate> in the command with the X509Certificate value
that you copied from the IdP metadata. The certificate value must not contain any spaces. - Enter and run the command in a PowerShell terminal. If the command results in an error, correct
the error and repeat this set of instructions. Should your attempts continue to fail, you can use
Update-MgDomainFederationConfiguration to restore your configuration using the backup
that you created before starting this task.
-
Select Activate from the Actions menu of your new signing
certificate. This changes the status of the new certificate to Active and sets the status of the
previous certificate to Inactive. SSO operations for the app instance now use
the new certificate. If desired, you can delete the old certificate by selecting
Delete from its Actions menu.
- Wait five minutes for the certificate to take effect. Verify that SSO is functioning correctly by
signing in to an Office 365 app with a federated user.