Rotate an Office 365 signing certificate for WS-Federation Manual using PowerShell

Learn how to generate, update, and activate app-level signing certificates for Office 365 integrations with WS-Federation Manual using PowerShell as the sign-on method.

About this task

SAML assertions sent from Okta to Office 365 are cryptographically signed using a signing certificate. If your active signing certificate expires, Microsoft rejects all SAML assertions, which blocks user access to Office 365 apps. To avoid service disruptions, ensure that you rotate your signing certificate before it expires, which involves generating and using a new certificate.

Before you begin

  • Sign in as a super admin.
  • Verify that the sign on method configured for your Office 365 app instance is WS-Federation Manual using PowerShell. See Configure Single Sign-On for Office 365.
  • Ensure that you have sufficient permission in Microsoft Entra ID to register a certificate using PowerShell commands.
  • Create a backup of your current settings using the Get-MgDomainFederationConfiguration command. If needed, you can use this backup to restore your settings.
  1. In the Admin Console, go to Applications > Applications.
  2. Search for and select the Office 365 app integration whose certificate you want to rotate.
  3. Go to the Sign On tab.
  4. Click Generate new certificate in the SAML Signing Certificates section.
  5. To register the new certificate, complete the following steps:
    1. Select View IdP metadata from the certificate's Actions menu.
    2. Copy the X509Certificate value of the certificate and retain it for a future step. For example, if your metadata contains <ds:X509Certificate>MIID...CF/c</ds:X509Certificate>, copy MIID...CF/c.
    3. Select View Setup Instructions from the sidebar.
    4. Copy the provided command from the Update the signing certificate for an already federated domain section.
    5. Replace <NewCertificate> in the command with the X509Certificate value that you copied from the IdP metadata. The certificate value must not contain any spaces.
    6. Enter and run the command in a PowerShell terminal. If the command results in an error, correct the error and repeat this set of instructions. Should your attempts continue to fail, you can use Update-MgDomainFederationConfiguration to restore your configuration using the backup that you created before starting this task.
  6. Select Activate from the Actions menu of your new signing certificate. This changes the status of the new certificate to Active and sets the status of the previous certificate to Inactive. SSO operations for the app instance now use the new certificate. If desired, you can delete the old certificate by selecting Delete from its Actions menu.
  7. Wait five minutes for the certificate to take effect. Verify that SSO is functioning correctly by signing in to an Office 365 app with a federated user.