If you are utilizing the AutoCertificateRollover feature of AD FS 2.0,2.1 or 3.0, you do not need to manually replace the Token-Signing certificate. AutoCertificateRollover will create a self-signed Token-Signing certificate for you and set it as the Primary Token-Signing certificate when a time threshold has been met. The new Token-Signing certificate is published in your Federation Metadata, and Relying Party (RP) partners who can consume Federation Metadata will automatically pick up the change whenever they pull your Federation Metadata document. 

Before expiration you see warning at O365 portal of certificate expiration


When ADFS has generated new self-signed certificates those should be uploaded to Azure but in some cases it doesn’t happend. Microsoft says that with ADFS W2012 or higher you don’t need to worry about this anymore. There is metadata update tool available for ADFS 2.0 at script center, download from here.

Schedule task to update Azure AD when a change is made to the token signing certificate no longer the recommendation – Link

If you are using AD FS 2.0 or later, Office 365 and Azure AD will automatically update your certificate before it expires.  You do not need to perform any manual steps or run a script as a scheduled task.  For this to work, both of the following default AD FS configuration settings must be in effect:

  1. The AD FS property AutoCertificateRollover must be set to True, indicating that AD FS will automatically generate new token signing and token decryption certificates before the old ones expire. If the value is False, you are using custom certificate settings.  Go here for comprehensive guidance.
  2. Your federation metadata must be available to the public internet.


When changing certificates the values values you should pay attention are:

  • AutoCertificateRollover: Indicates whether the ADFS should generate new self-signed (token-decrypting and token-signing) certificates automatically. Default: True
  • CertificateGenerationThreshold: Determines when to generate new self-signed certificates (value: days before expiration). Default: 20
  • CertificatePromotionThreshold: Determines how long the newly created self-signed certificates will remain as seconday before promoting them to primary (value: days after generation). Default: 5


The  case and the problem

  • Certificate expires: 02/05/2016
  • New ones were created: 01/16/2016
  • switched from secondary to primary: 01/21/2016

Event from O365 portal disappeared after new certificates had been created and O365 was able to get new certificates.

The actual problem

Our customer had multiple other RP trusts configured to ADFS isntance we decided to change certificates manually and updated metadata same time to O365. Everything worked fine for couple of hours.

Then both of the proxy servers “died”. We received huge amounts of errors with eventID 364 to log and when trying to logon to applications error below showed up from proxy servers.


Ran configuration wizard from both ADFS proxy servers and those worked fine about 1 hour. After 1 hour one of the proxy servers went down and second one quite soon after first one.


was to restart ADFS Service on all servers and “Revoke All the Proxy Servers” from ADFS console, and then re-run the wizard at proxies once again. Microsoft said this is and issue at W2008 R2 and recommendation is to upgrade ADFS instance to W2012 R2.