Hey all,
My organisation has been using Office 365 and AD FS (as we don't sync passwords) for roughly a year now, and we're reaching the point where the self-signed certs in AD FS for token-signing and token-decrypting are going to automatically renew.
The documentation from Microsoft (and pop-ups in our Office 365 tenant) indicates that we need to run the Update-MsolFederatedDomain cmdlet for our federated domains or auth will fail once the certs actually expire. We have a lab environment and thought we'd actually let the certs expire to observe the behaviour, and what we found was that, without running the cmdlets, the tenant seemed to pick up the newly generated certificates and auth continued to work.
This leads me to believe that Office 365 must be reading our federation metadata, saw the certificates regenerate and then switched over. If that's the case, do we actually need to run those cmdlets at all? If Office 365 is monitoring our federation metadata and taking action when something in that metadata changes (you'd have thought "by design"), then is the documentation either outdated or incorrect?
Curious what others' thoughts are on this.
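One way to settle the question for a given farm, rather than waiting for the certs to expire, is to compare what AD FS is signing with against what the tenant currently holds for the federated domain. The script below is an added example, not from the post above or from Microsoft's documentation; it assumes it is run on an AD FS server with the MSOnline module installed and Connect-MsolService already done, and `contoso.com` is a placeholder you would replace with your own federated domain.

```powershell
# Added example: compare the AD FS token-signing certificate with the signing
# certificates the Office 365 tenant holds for one federated domain.
# Assumptions: run on an AD FS server (ADFS module available), MSOnline module
# installed and Connect-MsolService already run. 'contoso.com' is a placeholder.
param(
    [string]$DomainName = 'contoso.com'   # placeholder; replace with your federated domain
)

Import-Module ADFS
Import-Module MSOnline

# Farm auto-rollover settings: whether AD FS rolls its own certs, and how many days
# before expiry it generates the new cert and then promotes it to primary.
$props = Get-AdfsProperties
"AutoCertificateRollover : $($props.AutoCertificateRollover)"
"GenerationThreshold     : $($props.CertificateGenerationThreshold) days before expiry"
"PromotionThreshold      : $($props.CertificatePromotionThreshold) days before expiry"

# Local view: primary (in use) and secondary (staged) token-signing certs.
$adfsSigning   = Get-AdfsCertificate -CertificateType Token-Signing
$adfsPrimary   = $adfsSigning | Where-Object { $_.IsPrimary }
$adfsSecondary = $adfsSigning | Where-Object { -not $_.IsPrimary }

# Tenant view: Get-MsolDomainFederationSettings returns the current and next
# signing certs as base64 DER strings; turn them into X509Certificate2 objects.
function ConvertTo-Cert([string]$Base64) {
    if ([string]::IsNullOrWhiteSpace($Base64)) { return $null }
    $bytes = [Convert]::FromBase64String($Base64)
    New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList (,$bytes)
}
$fed           = Get-MsolDomainFederationSettings -DomainName $DomainName
$tenantCurrent = ConvertTo-Cert $fed.SigningCertificate
$tenantNext    = ConvertTo-Cert $fed.NextSigningCertificate

[pscustomobject]@{
    AdfsPrimaryThumbprint   = $adfsPrimary.Thumbprint
    AdfsPrimaryNotAfter     = $adfsPrimary.Certificate.NotAfter
    AdfsSecondaryThumbprint = if ($adfsSecondary) { $adfsSecondary.Thumbprint } else { '(none)' }
    TenantCurrentThumbprint = if ($tenantCurrent) { $tenantCurrent.Thumbprint } else { '(none)' }
    TenantNextThumbprint    = if ($tenantNext)    { $tenantNext.Thumbprint }    else { '(none)' }
} | Format-List

# Decision: tokens are signed with the AD FS primary cert, so the tenant must hold
# that thumbprint as either its current or its next signing cert. If it does not,
# the federation settings in the tenant are stale and need Update-MsolFederatedDomain.
$known = @($tenantCurrent, $tenantNext) | Where-Object { $_ } | ForEach-Object { $_.Thumbprint }
if ($known -contains $adfsPrimary.Thumbprint) {
    "OK: tenant already holds the AD FS primary token-signing cert for $DomainName; no update needed."
} else {
    "MISMATCH: tenant does not hold $($adfsPrimary.Thumbprint) for $DomainName. Run:"
    "  Update-MsolFederatedDomain -DomainName $DomainName"
    "  (add -SupportMultipleDomain if this farm federates more than one domain)"
}
```

Run it before the generation threshold is reached to record the baseline, then again after AD FS has generated the new cert and again after it has promoted it; the three results show whether the tenant picked up the new thumbprint on its own for your farm, which is the behaviour the lab test above was trying to observe.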