New-AdfsAzureMfaTenantCertificate

Creates a certificate for the AD FS farm to use to connect to Azure MFA, or returns the currently configured certificate.

Syntax

New-AdfsAzureMfaTenantCertificate
   -TenantId <String>
   [-Renew <Boolean>]
   [-WhatIf]
   [-Confirm]
   [<CommonParameters>]

Description

The New-AdfsAzureMfaTenantCertificate cmdlet creates a certificate for an Active Directory Federation Services (AD FS) farm to use to connect to Azure Multi-Factor Authentication (MFA), or returns the currently configured certificate.

The cmdlet looks in the local machine My store for a certificate with Issuer and Subject equal to:

  • CN = <tenant ID>
  • OU = Microsoft AD FS Azure MFA

If it does not find one, it generates it.

Examples

Example 1: Create a certificate and enable Azure MFA on an AD FS farm

PS C:\> $certBase64 = New-AdfsAzureMfaTenantCertificate -TenantId <your tenant ID>
PS C:\> New-AzureADServicePrincipalKeyCredential -ObjectId 981f26a1-7f43-403b-a875-f8b09b8cd720 -Type asymmetric -Usage verify -Value $certBase64
PS C:\> Set-AdfsAzureMfaTenant -TenantId <your tenant ID> -ClientId 981f26a1-7f43-403b-a875-f8b09b8cd720

These commands create a certificate for Azure MFA, register the certificate in a tenant, and enable Azure MFA on an AD FS farm.

Note

Customers are encouraged to use the newer Azure Active Directory PowerShell 2.0 module. For more information about the v2.0 module, see AzureAD PowerShell 2.0.

Example 2: Determine which certificate Azure MFA is using

PS C:\> $CertInBase64 = New-AdfsAzureMfaTenantCertificate -TenantId <your tenant ID>
PS C:\> $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList (,[System.Convert]::FromBase64String($CertInBase64))
PS C:\> $cert | Format-List *

After AD FS has been configured for Azure MFA, these commands retrieve the certificate Azure MFA is using as a Base64 string, decode it into an X509Certificate2 object, and list its properties, including when it expires.

Parameters

-Confirm

Prompts you for confirmation before running the cmdlet.

Type:SwitchParameter
Aliases:cf
Position:Named
Default value:False
Required:False
Accept pipeline input:False
Accept wildcard characters:False

-Renew

Renews the certificate. Do not use this parameter if the certificate has already expired; in that scenario, the existing expired certificate is replaced with a new certificate.

Type:Boolean
Position:Named
Default value:None
Required:False
Accept pipeline input:False
Accept wildcard characters:False
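The following script is an added example and is not part of the cmdlet reference. It ties together the lookup the Description section performs (a self-signed certificate in the local machine My store whose Subject and Issuer carry CN = tenant ID and OU = Microsoft AD FS Azure MFA) and the -Renew parameter: it reports how long the current certificate remains valid and, inside a renewal window, creates the replacement and registers it on the Azure MFA service principal with the same cmdlets as Example 1. Assumptions: the AzureAD module is loaded and connected (Connect-AzureAD), the script runs on an AD FS server, $TenantId is your tenant GUID, the 30-day window and the -ReportOnly switch are the script's own, and -Renew $true returns the new certificate as Base64 just as the non-renew path does in Example 1.

```powershell
# Added example, not from the cmdlet reference: locate the AD FS Azure MFA
# tenant certificate, assess its remaining validity, and renew plus register
# it inside an assumed window. $TenantId, $RenewWithinDays and -ReportOnly are
# this script's own names; the MFA service principal ID is the one in Example 1.
param(
    [Parameter(Mandatory)][string]$TenantId,
    [int]$RenewWithinDays = 30,   # assumed threshold; align with your rotation policy
    [switch]$ReportOnly           # list and assess only, change nothing
)

$mfaSpObjectId = '981f26a1-7f43-403b-a875-f8b09b8cd720'

# The cmdlet matches on Issuer and Subject containing these two components.
$cn = 'CN=' + [regex]::Escape($TenantId)
$ou = 'OU=Microsoft AD FS Azure MFA'

$certs = @(Get-ChildItem -Path Cert:\LocalMachine\My | Where-Object {
    $_.Subject -match $cn -and $_.Subject -like "*$ou*" -and
    $_.Issuer  -match $cn -and $_.Issuer  -like "*$ou*"
})

if ($certs.Count -eq 0) {
    Write-Warning "No Azure MFA tenant certificate for $TenantId in LocalMachine\My; the cmdlet generates one when it finds none."
    return
}

# Report every match. More than one usually means an earlier rotation left the
# previous certificate behind; Example 2 shows which one the farm actually uses.
$report = foreach ($c in $certs) {
    [pscustomobject]@{
        Thumbprint = $c.Thumbprint
        NotBefore  = $c.NotBefore
        NotAfter   = $c.NotAfter
        DaysLeft   = [int][math]::Floor(($c.NotAfter - (Get-Date)).TotalDays)
    }
}
$report | Format-Table -AutoSize

$newest = $report | Sort-Object NotAfter -Descending | Select-Object -First 1
if ($newest.DaysLeft -lt 0) {
    Write-Warning "Newest certificate expired on $($newest.NotAfter); the -Renew parameter is documented as not for use once the certificate has expired."
    return
}
if ($ReportOnly -or $newest.DaysLeft -gt $RenewWithinDays) {
    "Newest certificate valid for $($newest.DaysLeft) more days; no action taken."
    return
}

# Inside the window: create the replacement (assumed to return Base64 like
# Example 1), decode it so its thumbprint and expiry can be recorded, then
# register the public key on the MFA service principal (Example 1, step 2).
$newCertBase64 = New-AdfsAzureMfaTenantCertificate -TenantId $TenantId -Renew $true
$newCert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 `
    -ArgumentList (,[System.Convert]::FromBase64String($newCertBase64))
"New certificate $($newCert.Thumbprint) valid until $($newCert.NotAfter)"

New-AzureADServicePrincipalKeyCredential -ObjectId $mfaSpObjectId -Type asymmetric -Usage verify -Value $newCertBase64 | Out-Null

# Confirm the registration landed: a key credential whose EndDate matches the
# new certificate's NotAfter should now appear on the service principal.
Get-AzureADServicePrincipalKeyCredential -ObjectId $mfaSpObjectId |
    Select-Object KeyId, StartDate, EndDate |
    Format-Table -AutoSize
```

Run it with -ReportOnly first to see the store contents and remaining validity without changing anything; Set-AdfsAzureMfaTenant from Example 1 is not repeated because the farm is already configured for Azure MFA and keeps that configuration across a certificate rotation.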

-TenantId

Specifies the GUID representation of the Microsoft Entra tenant ID. This can be found in the URL bar of the Microsoft Entra admin center, as in this example: https://manage.windowsazure.com/contoso.onmicrosoft.com#Workspaces/ActiveDirectoryExtension/Directory/<tenantID_GUID>/directoryQuickStart

Alternatively, you can use the Login-AzureRmAccount cmdlet to get the tenant ID.

Type:String
Position:Named
Default value:None
Required:True
Accept pipeline input:False
Accept wildcard characters:False

-WhatIf

Shows what would happen if the cmdlet runs. The cmdlet is not run.

Type:SwitchParameter
Aliases:wi
Position:Named
Default value:False
Required:False
Accept pipeline input:False
Accept wildcard characters:False