Automated Update of Federation Metadata with Office 365

Another PowerShell script from the AD FS team that makes life a little easier.

http://gallery.technet.microsoft.com/scriptcenter/Office-365-Federation-27410bdc#content

When the token signing certificate of your home AD FS organization expires, the federation metadata between AD FS and Office 365 falls out of sync. Equally, when changes are made on the Office 365 side that require updating the metadata, a similar issue arises. The script provided by the AD FS team checks that the federation metadata is validated regularly and that any changes are replicated between the two federating parties.


What does the script do? It calls the Update-MSOLFederatedDomain cmdlet and updates the settings in both the Active Directory Federation Services 2.0 server and Office 365. It also adds an item on the task scheduler queue:


It’s worth bearing in mind that the password policy applied to your organization (Enterprise or Standard O365) will render the script unusable after a password change on either side: on the O365 side, for the account you specify, or on the domain side, for the user account used to initiate the scheduled task. It is possible to create service accounts to do this on both sides. However, I’d consider the security consequences of such a change before automatically doing so. On the O365 side, this can be done with an Office 365 standard account via the Set-MSOLUser cmdlet. For example:

Set-MSOLUser -UserPrincipalName user@mydomain.com -PasswordNeverExpires $true -StrongPasswordRequired $true

The account could also technically be a federated account, but I don’t believe that’s a good idea. If the trust is broken, a federated account won’t be able to connect to MSOL to update the federated domain information.

On the AD side, a more suitable compromise may be found by using a least privilege account for the task service account.
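The account caveats above can be checked before the scheduled task is registered. The following is an added example, not part of the AD FS team's script or the original post; it assumes the MSOnline module is installed, the function name Test-FederationTaskAccount is hypothetical, and user@mydomain.com is the placeholder account used above.

```powershell
# Added example: audit the Office 365 account that the scheduled task will use.
# Assumption: MSOnline module is installed and you can sign in as an administrator.
Import-Module MSOnline

function Test-FederationTaskAccount {
    param(
        [Parameter(Mandatory = $true)]
        [string] $UserPrincipalName
    )

    $user   = Get-MsolUser -UserPrincipalName $UserPrincipalName -ErrorAction Stop
    $suffix = $UserPrincipalName.Split('@')[-1]
    $domain = Get-MsolDomain -DomainName $suffix -ErrorAction Stop
    $roles  = @(Get-MsolUserRole -UserPrincipalName $UserPrincipalName)

    $findings = @()

    # A federated account cannot sign in to repair the trust once the trust is broken.
    if ($domain.Authentication -eq 'Federated') {
        $findings += "Domain '$suffix' is federated; use a standard (managed) account."
    }
    # An expiring password silently breaks the unattended task.
    if ($user.PasswordNeverExpires -ne $true) {
        $findings += 'PasswordNeverExpires is not set; the task fails after the next forced change.'
    }
    # A non-expiring password should at least be held to the strong password policy.
    if ($user.StrongPasswordRequired -ne $true) {
        $findings += 'StrongPasswordRequired is not set on a non-expiring credential.'
    }
    if ($user.BlockCredential) {
        $findings += 'Sign-in is blocked for this account.'
    }

    # Roles are returned for manual least-privilege review.
    New-Object PSObject -Property @{
        UserPrincipalName = $UserPrincipalName
        DomainAuth        = $domain.Authentication
        Roles             = ($roles | ForEach-Object { $_.Name }) -join ', '
        Findings          = $findings
        Suitable          = ($findings.Count -eq 0)
    }
}

Connect-MsolService -Credential (Get-Credential)
Test-FederationTaskAccount -UserPrincipalName 'user@mydomain.com' | Format-List
```

Run it again whenever the account's password policy changes, since a single flipped setting is enough to stop the scheduled update.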
