New-AdfsAzureMfaTenantCertificate

Brian Lich|Last Updated: 3/8/2017

SYNOPSIS

Creates a certificate for the AD FS farm to use to connect to Azure MFA, or returns the currently configured certificate.

SYNTAX

New-AdfsAzureMfaTenantCertificate -TenantId <String> [-Renew <Boolean>] [-WhatIf] [-Confirm]
 [<CommonParameters>]

DESCRIPTION

The New-AdfsAzureMfaTenantCertificate cmdlet creates a certificate for an Active Directory Federation Services (AD FS) farm to use to connect to Azure Multi-Factor Authentication (MFA), or returns the currently configured certificate.

The cmdlet looks in the local computer's personal certificate store (Cert:\LocalMachine\My) for a self-signed certificate whose Issuer and Subject are both equal to:

  • CN = <tenant ID>
  • OU = Microsoft AD FS Azure MFA

If no such certificate exists, the cmdlet generates one; otherwise it returns the existing certificate. In both cases the private key stays on the AD FS server, and the cmdlet returns only the public certificate, Base64-encoded, which is what you register in the tenant as a verification key.

EXAMPLES

Example 1: Create a certificate and enable Azure MFA on an AD FS farm

PS C:\> $certBase64 = New-AdfsAzureMfaTenantCertificate -TenantId <your tenant ID>
PS C:\> New-MsolServicePrincipalCredential -AppPrincipalId 981f26a1-7f43-403b-a875-f8b09b8cd720 -Type asymmetric -Usage verify -Value $certBase64
PS C:\> Set-AdfsAzureMfaTenant -TenantId <your tenant ID> -ClientId 981f26a1-7f43-403b-a875-f8b09b8cd720

These commands create a certificate for Azure MFA, register its public certificate as an asymmetric verification credential on the Azure MFA service principal (AppPrincipalId 981f26a1-7f43-403b-a875-f8b09b8cd720) in the tenant, and enable Azure MFA on the AD FS farm. New-MsolServicePrincipalCredential requires an existing Connect-MsolService session with sufficient rights in the tenant.

Example 2: Determine which certificate Azure MFA is using

PS C:\> New-AdfsAzureMfaTenantCertificate -TenantId <your tenant ID> | Set-Content -Path amfacert.cer -Encoding Ascii

After AD FS has been configured for Azure MFA, this command returns the certificate Azure MFA is using (a matching certificate already exists in the store, so none is created) and writes it, Base64-encoded, to amfacert.cer. The cmdlet has no output-file parameter of its own, so the output is redirected through the pipeline.
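The two examples above cover creation and retrieval, but not verification. The following script is an added example, not part of the original cmdlet reference or of Microsoft's code: it reproduces the cmdlet's store lookup described under DESCRIPTION, confirms that the certificate the cmdlet returns is the one in Cert:\LocalMachine\My with a private key, checks whether the tenant actually has that certificate registered on the Azure MFA service principal, and warns when it is close to expiry. It assumes it runs in an elevated session on an AD FS server, that Connect-MsolService has already been run, that the $TenantId placeholder is replaced with your own GUID, and that the Value returned by Get-MsolServicePrincipalCredential -ReturnKeyValues $true is the Base64 certificate as registered in Example 1 (the $WarnDays threshold and the Get-AdfsAzureMfaCertificateStatus function name are this example's own choices).

```powershell
# Added example (not from the original page): verify the AD FS Azure MFA certificate end to end.
# Assumptions: elevated PowerShell on an AD FS server; Connect-MsolService already run;
# $TenantId replaced with your tenant GUID.
$TenantId      = '00000000-0000-0000-0000-000000000000'   # placeholder, replace with your tenant ID
$AzureMfaAppId = '981f26a1-7f43-403b-a875-f8b09b8cd720'   # Azure MFA service principal, as in Example 1
$WarnDays      = 90                                       # warning threshold chosen for this example

function Get-AdfsAzureMfaCertificateStatus {
    param([string]$TenantId, [string]$AppId, [int]$WarnDays)

    # The cmdlet returns the current certificate as a Base64 string of the DER-encoded public certificate.
    $certBase64 = New-AdfsAzureMfaTenantCertificate -TenantId $TenantId
    $returned   = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new(
                      [Convert]::FromBase64String($certBase64))

    # Reproduce the cmdlet's own lookup: LocalMachine\My, Subject and Issuer both
    # CN=<tenant ID>, OU=Microsoft AD FS Azure MFA (i.e. self-signed).
    $cnPattern = 'CN=' + [regex]::Escape($TenantId)
    $inStore = @(Get-ChildItem -Path Cert:\LocalMachine\My | Where-Object {
        $_.Subject -match $cnPattern -and
        $_.Subject -match 'OU=Microsoft AD FS Azure MFA' -and
        $_.Issuer  -eq $_.Subject
    })

    # The store copy must carry the private key: AD FS signs its requests to Azure MFA with it.
    $storeMatch = $inStore | Where-Object { $_.Thumbprint -eq $returned.Thumbprint } | Select-Object -First 1

    # What the tenant has registered on the Azure MFA service principal (assumption: Value is the
    # Base64 certificate registered with New-MsolServicePrincipalCredential).
    $registeredThumbprints = @(Get-MsolServicePrincipalCredential -AppPrincipalId $AppId -ReturnKeyValues $true |
        Where-Object { "$($_.Type)" -eq 'Asymmetric' -and $_.Value } |
        ForEach-Object {
            [System.Security.Cryptography.X509Certificates.X509Certificate2]::new(
                [Convert]::FromBase64String($_.Value)).Thumbprint
        })

    [pscustomobject]@{
        Thumbprint         = $returned.Thumbprint
        Subject            = $returned.Subject
        NotAfter           = $returned.NotAfter
        DaysUntilExpiry    = [int]($returned.NotAfter - (Get-Date)).TotalDays
        ExpiringSoon       = $returned.NotAfter -lt (Get-Date).AddDays($WarnDays)
        InLocalMachineMy   = [bool]$storeMatch
        HasPrivateKey      = [bool]($storeMatch -and $storeMatch.HasPrivateKey)
        RegisteredInTenant = $registeredThumbprints -contains $returned.Thumbprint
        MatchingStoreCerts = $inStore.Count   # more than one is expected right after a renewal
    }
}

$status = Get-AdfsAzureMfaCertificateStatus -TenantId $TenantId -AppId $AzureMfaAppId -WarnDays $WarnDays
$status | Format-List

if (-not $status.InLocalMachineMy -or -not $status.HasPrivateKey) {
    Write-Warning 'The returned certificate is not in Cert:\LocalMachine\My with a private key on this server.'
}
if (-not $status.RegisteredInTenant) {
    Write-Warning 'The tenant has no asymmetric credential matching this certificate; register it as in Example 1.'
}
if ($status.ExpiringSoon) {
    Write-Warning "Certificate expires on $($status.NotAfter); renew it and register the new certificate."
}
```

Run it on every server in the farm: the private key is generated per server, so a server added after the initial setup may not hold the key the rest of the farm uses, and the store check above will surface that.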

PARAMETERS

-Confirm

Prompts you for confirmation before running the cmdlet.

Type: SwitchParameter
Parameter Sets: (All)
Aliases: cf

Required: False
Position: Named
Default value: False
Accept pipeline input: False
Accept wildcard characters: False

-Renew

Specifies whether to generate a new certificate even if a matching one is already present in the store. Use -Renew $true to replace a certificate that is nearing expiry. The new certificate must then be registered in the tenant with New-MsolServicePrincipalCredential, as in Example 1, before Azure MFA can verify requests signed with it.

Type: Boolean
Parameter Sets: (All)
Aliases: 

Required: False
Position: Named
Default value: None
Accept pipeline input: False
Accept wildcard characters: False
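Renewal is the one case where the cmdlet produces a second certificate for the same tenant, so the registration step from Example 1 has to be repeated for the new one. The following is an added example, not code from the original reference: it renews the certificate, guards against the case where the cmdlet returned the old certificate unchanged, registers the new one on the Azure MFA service principal, and lists the credentials the tenant now holds so the old entry can be retired later. It assumes an existing Connect-MsolService session and that the $TenantId placeholder is replaced with your GUID.

```powershell
# Added example (not from the original page): renew the AD FS Azure MFA certificate.
# Assumptions: Connect-MsolService already run; $TenantId replaced with your tenant GUID.
$TenantId      = '00000000-0000-0000-0000-000000000000'   # placeholder, replace
$AzureMfaAppId = '981f26a1-7f43-403b-a875-f8b09b8cd720'   # Azure MFA service principal, as in Example 1

# Without -Renew the cmdlet returns the existing certificate; keep it to detect a no-op renewal.
$oldBase64 = New-AdfsAzureMfaTenantCertificate -TenantId $TenantId

# -Renew $true generates a new certificate even though a matching one exists in the store.
$newBase64 = New-AdfsAzureMfaTenantCertificate -TenantId $TenantId -Renew $true
if ($newBase64 -eq $oldBase64) {
    throw 'Renewal returned the existing certificate; nothing new to register.'
}

# Register the new public certificate as a verification key, exactly as in Example 1.
New-MsolServicePrincipalCredential -AppPrincipalId $AzureMfaAppId -Type asymmetric -Usage verify -Value $newBase64

# The tenant now holds both the old and the new key. Review the end dates; once the old
# certificate has expired, remove its entry with Remove-MsolServicePrincipalCredential -KeyIds.
Get-MsolServicePrincipalCredential -AppPrincipalId $AzureMfaAppId |
    Select-Object KeyId, Type, Usage, StartDate, EndDate |
    Sort-Object EndDate
```

Do not remove the old credential immediately: the other AD FS servers in the farm keep signing with the old key until the new certificate is in place on each of them.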

-TenantId

Specifies the GUID representation of the Azure AD tenant ID. This can be found in the URL bar of the Azure AD portal, as in this example: https://manage.windowsazure.com/contoso.onmicrosoft.com#Workspaces/ActiveDirectoryExtension/Directory/<tenantID_GUID>/directoryQuickStart

Alternatively, you can use the Login-AzureRmAccount cmdlet to get the tenant ID.

Type: String
Parameter Sets: (All)
Aliases: 

Required: True
Position: Named
Default value: None
Accept pipeline input: False
Accept wildcard characters: False

-WhatIf

Shows what would happen if the cmdlet runs. The cmdlet is not run.

Type: SwitchParameter
Parameter Sets: (All)
Aliases: wi

Required: False
Position: Named
Default value: False
Accept pipeline input: False
Accept wildcard characters: False

CommonParameters

This cmdlet supports the common parameters: -Debug, -ErrorAction, -ErrorVariable, -InformationAction, -InformationVariable, -OutVariable, -OutBuffer, -PipelineVariable, -Verbose, -WarningAction, and -WarningVariable. For more information, see about_CommonParameters.

INPUTS

None. This cmdlet does not accept pipeline input.

OUTPUTS

System.String. The public portion of the certificate, Base64-encoded, in the form expected by the -Value parameter of New-MsolServicePrincipalCredential.

NOTES

RELATED LINKS

Set-AdfsAzureMfaTenant

© 2017 Microsoft