A while a go I wrote post how to change ADFS certificates part 1 and part 2. Changing ADFS SSL certificate can cause lot’s of problems if not done correctly. From AAD Connect version (1.1.553.0) Microsoft has made this easier than ever and no tricky PowerShell command are needed. Now certificate to ADFS can be changed even ADFS farm isn’t managed via AAD Connect.

Starting point was that SSL certificate from ADFS was expired

Before AAD Connect had this functionality you had to import certificate to local computer store and define it to ADFS & http.sys interface. Now this part has been automated with AAD Connect.

Select – Update AD FS SSL Certificate


Connect to Azure AD with Global Admin credentials


Connect to AD FS servers with local admin credentials to ADFS servers


Specify AD FS servers


When validated connectivity is green


Select SSL certificate file


File was imported to AAD Connect – verify file details before exporting it to ADFS instance


Select and verify server to update


All done, simple as that. Fast and easy deploy.


After change has been made last page of the wizard you can verify AD FS login with end-user account which in my case was successful


From AD FS, I can see that SSL certificate has been changed (expiration date & thumbprint)


Old certificate thumbprint started with ec886… and new one with 2f57….


View from the WAP server where result is the same, certificate changed to all necessary locations and service is up and running normally.



There is one reason more to upgrade your environment to latest AAD Connect version or at least to 1.1.553.0. This feature is very useful and avoids a lot of mistakes with ADFS certificate configuration.