New-AdfsAzureMfaTenantCertificate
Syntax
New-AdfsAzureMfaTenantCertificate
-TenantId <String>
[-Renew <Boolean>]
[-WhatIf]
[-Confirm]
[<CommonParameters>]
Description
The New-AdfsAzureMfaTenantCertificate cmdlet creates a certificate for an Active Directory Federation Services (AD FS) farm to use to connect to Azure Multi-Factor Authentication (MFA), or returns the currently configured certificate.
The cmdlet looks in the local machine My store (Cert:\LocalMachine\My) for a certificate whose Issuer and Subject are both equal to:
- CN = <tenant ID>
- OU = Microsoft AD FS Azure MFA
If it does not find one, it generates a self-signed certificate with that name. In both cases the cmdlet returns the public certificate as a base64-encoded string; the private key never leaves the local machine store of the server on which the cmdlet ran. That private key is what authenticates the AD FS farm to Azure MFA, so run the cmdlet on each AD FS server in the farm and register each server's certificate with the Azure Multi-Factor Auth Client service principal, as shown in Example 1.
Examples
Example 1: Create a certificate and enable Azure MFA on an AD FS farm
PS C:\> $certBase64 = New-AdfsAzureMfaTenantCertificate -TenantId <your tenant ID>
PS C:\> New-MsolServicePrincipalCredential -AppPrincipalId 981f26a1-7f43-403b-a875-f8b09b8cd720 -Type asymmetric -Usage verify -Value $certBase64
PS C:\> Set-AdfsAzureMfaTenant -TenantId <your tenant ID> -ClientId 981f26a1-7f43-403b-a875-f8b09b8cd720
These commands create a certificate for Azure MFA on this AD FS server, register its public key as a credential on the Azure Multi-Factor Auth Client service principal (application ID 981f26a1-7f43-403b-a875-f8b09b8cd720) in the tenant, and enable Azure MFA on the AD FS farm. Run the first two commands on every server in the farm; the third command is a farm-wide setting and is needed only once.
Example 2: Determine which certificate Azure MFA is using
PS C:\> New-AdfsAzureMfaTenantCertificate -TenantId <your tenant ID> | Out-File amfacert.cer
After AD FS has been configured for Azure MFA, this command returns the certificate Azure MFA is currently using (the cmdlet does not have an -out-file parameter; the base64 output is piped to Out-File). Because -Renew is not specified, no new certificate is generated.
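The following script is an added example, not part of the cmdlet reference and not Microsoft's own code. It puts the store lookup from the Description and the "which certificate is in use" check from Example 2 together: it lists the matching certificates in Cert:\LocalMachine\My, decodes what New-AdfsAzureMfaTenantCertificate returns, compares that with the public keys registered on the Azure Multi-Factor Auth Client service principal, and rotates the certificate with -Renew $true when it is close to expiry. It assumes an elevated session on an AD FS server, the MSOnline module with Connect-MsolService already run, and a hypothetical 90-day renewal threshold chosen for the example.

```powershell
<#
Added example (not from the cmdlet reference): audit the Azure MFA certificate
on this AD FS server against the tenant, and rotate it before it expires.
Assumptions: elevated session on an AD FS server; MSOnline module installed and
Connect-MsolService already run; $TenantId is the tenant GUID; 90 days is an
arbitrary threshold picked for this example.
#>
[CmdletBinding(SupportsShouldProcess)]
param(
    [Parameter(Mandatory)][string]$TenantId,
    [int]$RenewWithinDays = 90
)

# Well-known application ID of the Azure Multi-Factor Auth Client (from Example 1).
$AzureMfaClientId = '981f26a1-7f43-403b-a875-f8b09b8cd720'

function ConvertTo-Cert([string]$Base64) {
    # The cmdlet and the MSOL credential store both carry the certificate as base64 DER.
    [System.Security.Cryptography.X509Certificates.X509Certificate2]::new(
        [Convert]::FromBase64String($Base64))
}

# 1. Certificates in LocalMachine\My with the name the cmdlet looks for (self-signed: Issuer = Subject).
$local = Get-ChildItem Cert:\LocalMachine\My | Where-Object {
    $_.Subject -match "CN=$TenantId" -and
    $_.Subject -match 'OU=Microsoft AD FS Azure MFA' -and
    $_.Issuer -eq $_.Subject
}
foreach ($c in $local) {
    Write-Host ('Local  {0}  expires {1:yyyy-MM-dd}  privateKey={2}' -f $c.Thumbprint, $c.NotAfter, $c.HasPrivateKey)
}

# 2. The certificate AD FS actually returns (the existing one, because -Renew is not set).
$inUse = ConvertTo-Cert (New-AdfsAzureMfaTenantCertificate -TenantId $TenantId)
Write-Host ('In use {0}  expires {1:yyyy-MM-dd}' -f $inUse.Thumbprint, $inUse.NotAfter)

# 3. Public keys registered on the service principal. Only asymmetric credentials
#    decode as certificates; anything else is skipped.
$registered = foreach ($cred in (Get-MsolServicePrincipalCredential -AppPrincipalId $AzureMfaClientId -ReturnKeyValues $true)) {
    if ($cred.Type -eq 'Asymmetric' -and $cred.Value) {
        try { ConvertTo-Cert $cred.Value } catch { }
    }
}
if ($registered.Thumbprint -notcontains $inUse.Thumbprint) {
    Write-Warning "The certificate AD FS uses on $env:COMPUTERNAME is not registered in tenant $TenantId; Azure MFA calls from this server will fail."
}
# A registered key that exists on no farm member keeps an old private key valid; flag it.
foreach ($r in ($registered | Where-Object { $local.Thumbprint -notcontains $_.Thumbprint })) {
    Write-Warning ('Registered key {0} (expires {1:yyyy-MM-dd}) is not on this server; remove it if no other farm member owns it.' -f $r.Thumbprint, $r.NotAfter)
}

# 4. Rotate before expiry: new certificate, register it, restart AD FS. Honors -WhatIf.
if ($inUse.NotAfter -lt (Get-Date).AddDays($RenewWithinDays)) {
    if ($PSCmdlet.ShouldProcess("Azure MFA certificate for tenant $TenantId on $env:COMPUTERNAME", 'Renew and register')) {
        $newB64 = New-AdfsAzureMfaTenantCertificate -TenantId $TenantId -Renew $true
        New-MsolServicePrincipalCredential -AppPrincipalId $AzureMfaClientId -Type Asymmetric -Usage Verify -Value $newB64
        Restart-Service adfssrv
        Write-Host ('Renewed: new thumbprint {0}' -f (ConvertTo-Cert $newB64).Thumbprint)
    }
}
```

Run it first with -WhatIf to see whether a renewal would be triggered without generating or registering anything. The stale-key warning is deliberately conservative: a thumbprint that is missing on this server may belong to another farm member, so verify across the farm before removing a credential with Remove-MsolServicePrincipalCredential.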
Required Parameters
-TenantId
Specifies the GUID representation of the Azure AD tenant ID.
This can be found in the URL bar of the Azure AD portal, as in this example:
https://manage.windowsazure.com/contoso.onmicrosoft.com#Workspaces/ActiveDirectoryExtension/Directory/<tenantID_GUID>/directoryQuickStart
Alternatively, you can use the Login-AzureRmAccount cmdlet to get the tenant ID. Note that the AzureRM module is deprecated; with the Az module, Connect-AzAccount returns the same tenant ID, and the Azure portal shows it on the Azure Active Directory overview page.
Type: | String |
Position: | Named |
Default value: | None |
Accept pipeline input: | False |
Accept wildcard characters: | False |
Optional Parameters
-Confirm
Prompts you for confirmation before running the cmdlet.
Type: | SwitchParameter |
Aliases: | cf |
Position: | Named |
Default value: | False |
Accept pipeline input: | False |
Accept wildcard characters: | False |
-Renew
Specifies whether to generate a new certificate even if one already exists in the store, for example to rotate the certificate before it expires. Pass -Renew $true to renew; the new certificate must then be registered in the tenant with New-MsolServicePrincipalCredential, as in Example 1, and the AD FS service restarted.
Type: | Boolean |
Position: | Named |
Default value: | None |
Accept pipeline input: | False |
Accept wildcard characters: | False |
-WhatIf
Shows what would happen if the cmdlet runs. The cmdlet is not run.
Type: | SwitchParameter |
Aliases: | wi |
Position: | Named |
Default value: | False |
Accept pipeline input: | False |
Accept wildcard characters: | False |