Migrate AD FS 2 to AD FS 3 and How to update Office365 Federation

It’s been a while since the last post. Currently, the writer is involved in multi-national Cloud projects.

My colleague Marc Terblanche posted an awesome blog post on how to deploy AD FS 3.0 and WAP highly available using only PowerShell under 10 minutes.

After we have AD FS 3 and WAP running in new environment. We need to get the current SSL cerfificate used  by AD FS 2 and export it to new AD FS 3

Exported the SSL certificate used by the current AD FS 2 server:

1. Go to AD FS 2 server. Check the current SSL certificate by executing this command: get-adfssslcertificate

2. Export the SSL certificate with certificate thumbprint as shown by get-adfssslcertificate command. Go to mmc.exe, add certificates > Choose Computer Account > Local Account> Export

3. After export the certificate to *.PFX and get the password. Import the certificate to new AD FS 3 server certificate local store.
Run cmdlet below to set imported SSL certificate to AD FS 3 server:
Set-AdfsSSLcertificate -Thumbprint “xxxxxxxxxx”
Check whether the certificate is successfully updated
Get-AdfsSSLcertificate
4. Install Azure AD Module. Follow TechNet link for step by step Connect to MS Online services on new AD FS 3 server.
5. Connect AD FS 3 server with Office365 tenant by using MSOL PS command: Connect-MSOLservice . Use Office365 global admin account and password
6. Run cmdlet : Set-MsolADFSContext -computer ADFS3.wasita.net
     *ADFS3.wasita.net is AD FS 3 server FQDN
7. Run cmdlet below to update the Office365
Update-MsolFederatedDomain -DomainName adfs.wasita.net –SupportMultipleDomain

Note: Use PowerShell to change AD FS SSL certificate, do not use GUI on AD FS Management. Using AD FS Management GUI won’t replace the AD FS certificate. Not sure if this is a bug on AD FS 3.0. Previously we need to change the certificate binding on IIS for AD FS 2

HAPPY FEDERATING!!