Just information. I found a statement that metadata update script would not be needed when using AD FS 2.0 or later.
Schedule task to update Azure AD when a change is made to the token signing certificate no longer the recommendation
If you are using AD FS 2.0 or later, Office 365 and Azure AD will automatically update your certificate before it expires. You do not need to perform any manual steps or run a script as a scheduled task. For this to work, both of the following default AD FS configuration settings must be in effect:
- The AD FS property AutoCertificateRollover must be set to True, indicating that AD FS will automatically generate new token signing and token decryption certificates before the old ones expire. If the value is False, you are using custom certificate settings. Go here for comprehensive guidance.
- Your federation metadata must be available to the public internet.