Migrate AD FS 2 to AD FS 3 and How to update Office365 Federation

It’s been a while since the last post. Currently, the writer is involved in multi-national Cloud projects.

My colleague Marc Terblanche posted an awesome blog post on how to deploy AD FS 3.0 and WAP highly available using only PowerShell under 10 minutes.

After we have AD FS 3 and WAP running in new environment. We need to get the current SSL cerfificate used  by AD FS 2 and export it to new AD FS 3

Exported the SSL certificate used by the current AD FS 2 server:

1. Go to AD FS 2 server. Check the current SSL certificate by executing this command: get-adfssslcertificate

2. Export the SSL certificate with certificate thumbprint as shown by get-adfssslcertificate command. Go to mmc.exe, add certificates > Choose Computer Account > Local Account> Export


3. After export the certificate to *.PFX and get the password. Import the certificate to new AD FS 3 server certificate local store.
Run cmdlet below to set imported SSL certificate to AD FS 3 server:
Set-AdfsSSLcertificate -Thumbprint “xxxxxxxxxx”
Check whether the certificate is successfully updated
4. Install Azure AD Module. Follow TechNet link for step by step Connect to MS Online services on new AD FS 3 server.
5. Connect AD FS 3 server with Office365 tenant by using MSOL PS command: Connect-MSOLservice . Use Office365 global admin account and password
6. Run cmdlet : Set-MsolADFSContext -computer ADFS3.wasita.net
     *ADFS3.wasita.net is AD FS 3 server FQDN
7. Run cmdlet below to update the Office365
Update-MsolFederatedDomain -DomainName adfs.wasita.net –SupportMultipleDomain

Note: Use PowerShell to change AD FS SSL certificate, do not use GUI on AD FS Management. Using AD FS Management GUI won’t replace the AD FS certificate. Not sure if this is a bug on AD FS 3.0. Previously we need to change the certificate binding on IIS for AD FS 2



One thought on “Migrate AD FS 2 to AD FS 3 and How to update Office365 Federation

  1. Hi, Thanks for the article – it provided me the guidance I needed. A couple of notes:

    1) get-adfssslcertificate is not a viable cmdlet in 2008 R2, you need to use get-adfscertificate

    2) It is worth noting that you need to load the cmdlets into powershell with Add-PSSnapin Microsoft.Adfs.PowerShell.

    thanks again – Jacob

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s

This site uses Akismet to reduce spam. Learn how your comment data is processed.