Keep your Federation Trust up-to-date

Published Jan 22 2021 03:03 PM 18.8K Views

Updated on 2/10/2021

Microsoft periodically refreshes certificates in Office 365 as part of our effort to maintain a highly available and secure environment. From Jan 23rd, 2021, we are making a certificate change on our Microsoft Federation Gateway that could affect some customers as detailed in this knowledge base article. Please note that the certificate might be rolled at any time (more information can be found here) which will further enhance security of the environment. The good news is you can easily avoid any disruption.

Who is affected?

This certificate change can affect any customer that is using the Microsoft Federation Gateway (MFG). If you are in a hybrid configuration that relies on a Federation Trust established with MFG in the Exchange on-premises organization or if you are sharing free/busy information between two different on-premises organizations using the Microsoft Federation Gateway as a trust broker, you need to take action.

When will the change occur?

The change is scheduled to occur at any time going forward. You must take action to avoid any disruptions.

What type of issues will you face if no action is taken?

If you don't take action, you won't be able to use services that rely on the Microsoft Federation Gateway. For example:

  • A cloud user might not be able to see free/busy information for an on-premises user and vice versa.
  • MailTips might not work in a Hybrid configuration.
  • Cross-premises free/busy might stop working between organizations that have organization relationships in place.

Additionally, if you run the Test-FederationTrust cmdlet, you might receive an error message that indicates that the Delegation token has validation issues. For example, you receive an error message that resembles the following:

Id : TokenValidation
Type : Error
Message : Failed to validate delegation token.

And, you might receive one of the following error messages in the Exchange Web Services (EWS) responses:

An error occurred when processing the security tokens in the message
Autodiscover failed for email address User@contoso.com with error System.Web.Services.Protocols.SoapHeaderException: An error occurred when verifying security for the message

What action should you take?

You can use the following command on your Exchange Server to create a scheduled task to run the update process daily. This is how we recommend you keep your Federation Trust constantly updated. This will prevent you from being negatively affected by future metadata changes.

Schtasks /create /sc Daily /tn FedRefresh /tr "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -command Add-PSSnapIn Microsoft.Exchange.Management.PowerShell.E2010; $fedTrust = Get-FederationTrust;Set-FederationTrust -Identity $fedTrust.Name -RefreshMetadata

If you prefer to not use a scheduled task, you can manually run the command at any time to refresh the metadata. This is not recommended due to refresh frequency, and manually updating this would be quite cumbersome.

Get-Federationtrust | Set-FederationTrust –RefreshMetadata

Please note that we have seen some situations where this command should be run twice to ensure it is successful.

The Exchange Hybrid Team

25 Comments
%3CLINGO-SUB%20id%3D%22lingo-sub-2088788%22%20slang%3D%22en-US%22%3EKeep%20your%20Federation%20Trust%20up-to-date%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-2088788%22%20slang%3D%22en-US%22%3E%3CP%3EMicrosoft%20periodically%20refreshes%20certificates%20in%20Office%20365%20as%20part%20of%20our%20effort%20to%20maintain%20a%20highly%20available%20and%20secure%20environment.%20From%20Jan%2023%3CSUP%3Erd%3C%2FSUP%3E%2C%202021%2C%20we%20are%20making%20a%20certificate%20change%20on%20our%20Microsoft%20Federation%20Gateway%20every%20six%20weeks%20that%20could%20affect%20some%20customers%20as%20detailed%20in%20%3CA%20href%3D%22https%3A%2F%2Fdocs.microsoft.com%2Fen-US%2Fexchange%2Ftroubleshoot%2Fcalendars%2Ffreebusy-lookups-stop-working%22%20target%3D%22_blank%22%20rel%3D%22noopener%20noreferrer%22%3Ethis%20knowledge%20base%20article%3C%2FA%3E.%20The%20good%20news%20is%20you%20can%20easily%20avoid%20any%20disruption.%3C%2FP%3E%0A%3CP%3E%3CFONT%20size%3D%225%22%3E%3CSTRONG%3EWho%20is%20affected%3F%3C%2FSTRONG%3E%3C%2FFONT%3E%3C%2FP%3E%0A%3CP%3EThis%20certificate%20change%20can%20affect%20any%20customer%20that%20is%20using%20the%20Microsoft%20Federation%20Gateway.%20If%20you%20are%20in%20a%20hybrid%20configuration%3CSTRONG%3E%26nbsp%3Bor%20%3C%2FSTRONG%3Eif%20you%20are%20sharing%20free%2Fbusy%20information%20between%20two%20different%20on-premises%20organizations%20using%20the%20Microsoft%20Federation%20Gateway%20as%20a%20trust%20broker%2C%20you%20need%20to%20take%20action.%3C%2FP%3E%0A%3CP%3E%3CFONT%20size%3D%225%22%3E%3CSTRONG%3EWhen%20will%20the%20change%20occur%3F%3C%2FSTRONG%3E%3C%2FFONT%3E%3C%2FP%3E%0A%3CP%3EAfter%20the%20change%20is%20scheduled%20to%20occur%20every%20six%20weeks.%20You%20must%20take%20action%20before%20then%20to%20avoid%20any%20disruption.%3C%2FP%3E%0A%3CP%3E%3CFONT%20size%3D%225%22%3E%3CSTRONG%3EWhat%20type%20of%20issues%20will%20you%20face%20if%20no%20action%20is%20taken%3F%3C%2FSTRONG%3E%3C%2FFONT%3E%3C%2FP%3E%0A%3CP%3EIf%20you%20don't%20take%20action%2C%20you%20won't%20be%20able%20to%20use%20services%20that%20rely%20on%20the%20Microsoft%20Federation%20Gateway.%20For%20example%3A%3C%2FP%3E%0A%3CUL%3E%0A%3CLI%3EA%20cloud%20user%20might%20not%20be%20able%20to%20see%20free%2Fbusy%20information%20for%20an%20on-premises%20user%20and%20vice%20versa.%3C%2FLI%3E%0A%3CLI%3EMailTips%20might%20not%20work%20in%20a%20Hybrid%20configuration.%3C%2FLI%3E%0A%3CLI%3ECross-premises%20free%2Fbusy%20might%20stop%20working%20between%20organizations%20that%20have%20organization%20relationships%20in%20place.%3C%2FLI%3E%0A%3C%2FUL%3E%0A%3CP%3EAdditionally%2C%20if%20you%20run%20the%26nbsp%3BTest-FederationTrust%26nbsp%3Bcmdlet%2C%20you%20receive%20an%20error%20message%20that%20indicates%20that%20the%20Delegation%20token%20has%20validation%20issues.%20For%20example%2C%20you%20receive%20an%20error%20message%20that%20resembles%20the%20following%3A%3C%2FP%3E%0A%3CP%20class%3D%22code%22%3EId%20%3A%20TokenValidation%3CBR%20%2F%3EType%20%3A%20Error%3CBR%20%2F%3EMessage%20%3A%20Failed%20to%20validate%20delegation%20token.%3C%2FP%3E%0A%3CP%3EAnd%2C%20you%20might%20receive%20one%20of%20the%20following%20error%20messages%20in%20the%26nbsp%3B%3CSTRONG%3EExchange%20Web%20Services%20(EWS)%3C%2FSTRONG%3E%26nbsp%3Bresponses%3A%3C%2FP%3E%0A%3CP%20class%3D%22code%22%3EAn%20error%20occurred%20when%20processing%20the%20security%20tokens%20in%20the%20message%3CBR%20%2F%3EAutodiscover%20failed%20for%20email%20address%20User%40contoso.com%20with%20error%20System.Web.Services.Protocols.SoapHeaderException%3A%20An%20error%20occurred%20when%20verifying%20security%20for%20the%20message%3C%2FP%3E%0A%3CP%3E%3CFONT%20size%3D%225%22%3E%3CSTRONG%3EWhat%20action%20should%20you%20take%3F%3C%2FSTRONG%3E%3C%2FFONT%3E%3C%2FP%3E%0A%3CP%3EYou%20can%20use%20the%20following%20command%20on%20your%20Exchange%20Server%20to%20create%20a%20scheduled%20task%20to%20run%20the%20update%20process%20daily.%20This%20is%20how%20we%20recommend%20you%20keep%20your%20Federation%20Trust%20constantly%20updated.%20This%20will%20prevent%20you%20from%20being%20negatively%20affected%20by%20future%20metadata%20changes.%3C%2FP%3E%0A%3CP%20class%3D%22code%22%3ESchtasks%20%2Fcreate%20%2Fsc%20Daily%20%2Ftn%20FedRefresh%20%2Ftr%20%22C%3A%5CWindows%5CSystem32%5CWindowsPowerShell%5Cv1.0%5Cpowershell.exe%20-version%202.0%20-command%20Add-PSSnapIn%20Microsoft.Exchange.Management.PowerShell.E2010%3B%20%24fedTrust%20%3D%20Get-FederationTrust%3BSet-FederationTrust%20-Identity%20%24fedTrust.Name%20-RefreshMetadata%3BSet-FederationTrust%20-Identity%20%24fedTrust.Name%20-RefreshMetadata%22%20%2Fru%20System%3C%2FP%3E%0A%3CP%3EIf%20you%20prefer%20to%20not%20use%20a%20scheduled%20task%2C%20you%20can%20manually%20run%20the%20command%20at%20any%20time%20to%20refresh%20the%20metadata.%20If%20you%20choose%20a%20manual%20option%2C%20it%20will%20be%20cumbersome%20as%20you%20will%20have%20to%20keep%20track%20of%20this%20task%20every%20six%20weeks%20or%20run%20it%20daily.%3C%2FP%3E%0A%3CP%20class%3D%22code%22%3EGet-Federationtrust%20%7C%20Set-FederationTrust%20%E2%80%93RefreshMetadata%3C%2FP%3E%0A%3CP%3E%3CSPAN%20class%3D%22author%22%3EThe%20Exchange%20Hybrid%20Team%3C%2FSPAN%3E%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-TEASER%20id%3D%22lingo-teaser-2088788%22%20slang%3D%22en-US%22%3E%3CP%3E%3CSPAN%20style%3D%22font-size%3A%2012pt%3B%20line-height%3A%20107%25%3B%20font-family%3A%20Helvetica%2C%20sans-serif%3B%22%3EMicrosoft%20periodically%20refreshes%20certificates%20in%20Office%20365%20as%20part%20of%20our%20effort%20to%20maintain%20a%20highly%20available%20and%20secure%20environment.%20From%20Jan%2023%3CSUP%3Erd%3C%2FSUP%3E%2C%202021%2C%20we%20are%20making%20a%20certificate%20change%20on%20our%20Microsoft%20Federation%20Gateway%20every%20six%20weeks.%3C%2FSPAN%3E%3C%2FP%3E%3C%2FLINGO-TEASER%3E%3CLINGO-LABS%20id%3D%22lingo-labs-2088788%22%20slang%3D%22en-US%22%3E%3CLINGO-LABEL%3Ehybrid%3C%2FLINGO-LABEL%3E%3CLINGO-LABEL%3ETips%20'n%20Tricks%3C%2FLINGO-LABEL%3E%3CLINGO-LABEL%3Etroubleshooting%3C%2FLINGO-LABEL%3E%3C%2FLINGO-LABS%3E%3CLINGO-SUB%20id%3D%22lingo-sub-2093202%22%20slang%3D%22en-US%22%3ERe%3A%20Keep%20your%20Federation%20Trust%20up-to-date%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-2093202%22%20slang%3D%22en-US%22%3E%3CP%3EProbably%20a%20stupid%20question%2C%20but%20I%20would%20like%20to%20confirm%20-%20if%20the%20organization%20has%20hybrid%20connection%20and%20utilizes%20the%20intra-organization%20connector%20(IOC)%20for%20the%20free%2Fbusy%20information%20-%20is%20this%20organization%20impacted%20by%20the%20information%20in%20this%20article%3F%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EI%20would%20assume%20its%20not%20affected%2C%20because%20as%20described%20in%20this%20%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fexchange-team-blog%2Fdemystifying-hybrid-free-busy-what-are-the-moving-parts%2Fba-p%2F607704%22%20target%3D%22_self%22%3Earticle%3C%2FA%3E%20in%20case%20IOC%20is%20used%20then%20the%20on-prem%20Exchange%20goes%20to%20Azure%20ACS%20OAuth%20Endpoint%20to%20get%20the%20delegation%20token.%20In%20that%20case%20I%20would%20not%20need%20to%20setup%20the%20scheduled%20task%20suggested%20here.%3C%2FP%3E%3CP%3EIn%20case%20organization%20relationships%20are%20being%20used%20and%20IOC%20is%20%3CU%3E%3CSTRONG%3Enot%3C%2FSTRONG%3E%3C%2FU%3E%20used%20then%20on-prem%20Exchange%20goes%20to%20MFG%20and%20then%20the%20organization%20would%20be%20impacted%20by%20the%20information%20of%20this%20article.%3CBR%20%2F%3E%3CBR%20%2F%3EPlease%20confirm%20if%20this%20assumption%20is%20correct.%20Thank%20you.%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-2093313%22%20slang%3D%22en-US%22%3ERe%3A%20Keep%20your%20Federation%20Trust%20up-to-date%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-2093313%22%20slang%3D%22en-US%22%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F941323%22%20target%3D%22_blank%22%3E%40Shmeker%3C%2FA%3E%26nbsp%3B%2Cthat%20is%20correct.%20If%20IntraOrganization%20Connectors%20are%20present%20and%20enabled%20on%20both%20sides%20and%20having%20the%20required%20domains%20set%20on%20them%2C%20then%20Hybrid%20F%2FB%20requests%20will%20be%20using%20IOCs%20%2F%20OAuth%20between%20on-premises%20and%20cloud.%26nbsp%3B%20However%2C%20there%20are%20other%20(Hybrid)%20functionalities%20that%20rely%20on%20the%20Federation%20Trust%20and%20Organization%20Relationships%20(mailtips%2C%20cross-premises%20archive%20access%20in%20OWA)%20and%20cross-premises%20Free%2FBusy%20for%20Exchange%20Organizations%20that%20are%20federated%20with%20MFG%20and%20using%20Organization%20Relationships%20for%20it.%26nbsp%3B%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-2093638%22%20slang%3D%22en-US%22%3ERe%3A%20Keep%20your%20Federation%20Trust%20up-to-date%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-2093638%22%20slang%3D%22en-US%22%3E%3CP%3EHi%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3ECan%20this%20be%20run%20in%20two%20data%20centres%20as%20the%20same%20time%20to%20help%20with%20DR%20%3F%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-2093721%22%20slang%3D%22en-US%22%3ERe%3A%20Keep%20your%20Federation%20Trust%20up-to-date%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-2093721%22%20slang%3D%22en-US%22%3E%3CP%3EBe%20careful%20of%20using%20the%20scheduled%20task%20creation%20command%20listed%20here%20and%20in%26nbsp%3B%3CA%20href%3D%22https%3A%2F%2Fdocs.microsoft.com%2Fen-US%2Fexchange%2Ftroubleshoot%2Fcalendars%2Ffreebusy-lookups-stop-working%22%20target%3D%22_blank%22%20rel%3D%22noopener%20noreferrer%22%3Ehttps%3A%2F%2Fdocs.microsoft.com%2Fen-US%2Fexchange%2Ftroubleshoot%2Fcalendars%2Ffreebusy-lookups-stop-working%3C%2FA%3E.%20On%20our%20Exchange%202019%20server%20the%20command%20line%20%22C%3A%5CWindows%5CSystem32%5CWindowsPowerShell%5Cv1.0%5Cpowershell.exe%20-version%202.0%20-command%20Add-PSSnapIn%20Microsoft.Exchange.Management.PowerShell.E2010%22%20gives%20you%20%22Version%20v2.0.50727%20of%20the%20.NET%20Framework%20is%20not%20installed%20and%20it%20is%20required%20to%20run%20version%202.0%20of%20Windows%20PowerShell.%22%20If%20you%20cut%20out%20the%20%22-version%202.0%22%20it%20works%20fine.%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-2093722%22%20slang%3D%22en-US%22%3ERe%3A%20Keep%20your%20Federation%20Trust%20up-to-date%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-2093722%22%20slang%3D%22en-US%22%3E%3CP%3EHi%2C%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3ERunning%20the%20scheduled%20task%20(Windows%20Server%202016)%20results%20in%204294901760%20code%20(0xFFFF0000).%20As%20a%20workaround%2C%20I%20pasted%20the%20commands%20to%20a%20ps1%20file%20and%20modified%20the%20action%20to%20run%20the%20ps1%20script%20-%20it%20appears%20to%20be%20working.%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-2093748%22%20slang%3D%22en-US%22%3ERe%3A%20Keep%20your%20Federation%20Trust%20up-to-date%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-2093748%22%20slang%3D%22en-US%22%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F395212%22%20target%3D%22_blank%22%3E%40Mirela_Buru%3C%2FA%3E-%20Thank%20you%20very%20much%20for%20the%20feedback.%20Yes%2C%20you%20are%20right%2C%20it%20is%20not%20only%20the%20hybrid%20free-busy%20requests%20and%20there%20are%20other%20functionalities%20that%20I%20didn%60t%20consider%20at%20first%20look.%3C%2FP%3E%3CP%3EIn%20that%20case%20the%20suggested%20scheduled%20task%20needs%20to%20created%20also%20in%20organizations%20which%20are%20running%20hybrid%20configuration%20and%20are%20using%20the%20IOC%20because%20of%20the%20other%20functionalities.%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-2094095%22%20slang%3D%22en-US%22%3ERe%3A%20Keep%20your%20Federation%20Trust%20up-to-date%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-2094095%22%20slang%3D%22en-US%22%3E%3CP%3Elooking%20at%20the%20command%20to%20setup%20the%20scheduled%20task%20it%20looks%20like%26nbsp%3BSet-FederationTrust%20is%20been%20run%20twice%20is%20this%20the%20case%20and%20why%20dose%20it%20need%20to%20be%20run%20twice%3F%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-2094245%22%20slang%3D%22en-US%22%3ERe%3A%20Keep%20your%20Federation%20Trust%20up-to-date%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-2094245%22%20slang%3D%22en-US%22%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F941499%22%20target%3D%22_blank%22%3E%40DavidH38%3C%2FA%3E%26nbsp%3B%2C%26nbsp%3Bcorrect%2C%20we%20recommend%20running%20the%20command%20twice.%20This%20is%20more%20a%20precautious%20method%20to%20make%20sure%20we%20update%20both%20the%20on-premises%20trust%E2%80%99s%20TokenIssuerCertificate%20and%20TokenIssuerPrevCertificate.%20You%20would%20see%20in%20Test-FederationTrust%20error%20if%20one%20is%20(still)%20expired.%20Additionally%2C%20you%20can%20run%20Get-FederationTrust%20%7CFL%20and%20Test-FederationTrust%20before%20and%20after%20running%20-RefreshMetadata%20to%20see%20in%20real%20time%20the%20values%20or%20error%20message%20changed%20for%20each.%20If%20there%20is%20no%20need%20to%20change%2C%20the%20cmdlet%20wouldn't%20update%20anything%20on%20both%20TokenIssuerPrevCertificate%20and%20TokenIssuerCertificate.%20It%20is%20harmless%20if%20you%20run%20it%20twice.%3C%2FP%3E%0A%3CP%3E%3CBR%20%2F%3E%3CBR%20%2F%3E%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-2094300%22%20slang%3D%22en-US%22%3ERe%3A%20Keep%20your%20Federation%20Trust%20up-to-date%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-2094300%22%20slang%3D%22en-US%22%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F324116%22%20target%3D%22_blank%22%3E%40The_Exchange_Team%3C%2FA%3E%26nbsp%3B%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F395212%22%20target%3D%22_blank%22%3E%40Mirela_Buru%3C%2FA%3E%26nbsp%3BI%20would%20like%20to%20point%20out%20that%20you%20have%20a%20missing%20process%20around%20Federation%20Trust.%26nbsp%3B%20That%20is%20-%20there's%20no%20official%20way%20to%20clean%20off%20the%20old%20expired%20Federation%20Delegation%20certificate.%26nbsp%3B%20You%20can%20use%20ADSI%20Edit%2C%20which%20is%20an%20unsupported%20and%20undocumented%20process.%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Fdocs.microsoft.com%2Fen-us%2Fexchange%2Frenew-the-federation-certificate-exchange-2013-help%22%20target%3D%22_self%22%20rel%3D%22noopener%20noreferrer%22%3EThis%20Exchange%202013%20process%3C%2FA%3E%20is%20all%20that%20there%20is%20for%20guidance%20on%20updating%20the%20certificate.%26nbsp%3B%20There%20is%20nothing%20for%20how%20to%20get%20rid%20of%20the%20old%20certificate.%26nbsp%3B%20I've%20seen%20in%20two%20separate%20environments%20how%20deleting%20the%20old%20cert%20from%20the%20servers%20and%20from%20AD's%20Configuration%20partition%20via%20ADSI%20Edit%2C%20results%20in%20the%20certificate%20ghostily%20coming%20back%20into%20the%20Exchange%20Admin%20Center%20as%20%22invalid%22%20and%20causing%20notifications%20about%20being%20expired.%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3ERegarding%20this%20blog%20post%20-%206%20weeks%20is%20pretty%20short%20notice.%26nbsp%3B%20On%20top%20of%20that%2C%20having%20no%20clean%20way%20to%20do%20away%20with%20the%20old%20Federation%20Delegation%20certificate%20is%20just%20no%20good.%26nbsp%3B%20%26nbsp%3BI%20raised%20the%20latter%20issue%20in%20the%20past%20when%20the%20linked%20Docs%20article%20I%20gave%20above%20was%20editable%20via%20GitHub%2C%20and%20was%20shut%20down%20because%20the%20ADSI%20process%20is%20not%20official.%26nbsp%3B%20It%20seems%20like%20right%20now%20is%20the%20perfect%20time%20for%20you%20to%20double%20back%20and%20make%20a%20proper%20process%20for%20the%20old%20cert%20removal%2C%20while%20you%20have%20this%20upcoming%20change%20in%206%20weeks%20that%20is%20in%20this%20general%20realm%20anyway.%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-2094472%22%20slang%3D%22en-US%22%3ERe%3A%20Keep%20your%20Federation%20Trust%20up-to-date%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-2094472%22%20slang%3D%22en-US%22%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F64125%22%20target%3D%22_blank%22%3E%40Jeremy%20Bradshaw%3C%2FA%3E%26nbsp%3B%2C%26nbsp%3Bseems%20you%20are%20talking%20about%20different%20certificates%20%2F%20things%20here.%3C%2FP%3E%0A%3CP%3EThis%20article%20is%20related%20to%20the%20Token%20Signing%20Certificates%20in%20Office%20365%20%2F%20Microsoft%20Federation%20Gateway%20platform%2C%20certificate%20which%20is%20renewed%20every%20six%20weeks%20by%20Microsoft%2C%20issuer%20being%20%22Live%20ID%20STS%20Signing%20Public%20Key%22.%20This%20certificate%20you%20find%20it%20in%20Get-FederationTrust%20%7CFL%20Token*Certificate.%20Microsoft%20uses%20this%20certificate%20to%20sign%20Delegated%20Tokens%20for%20Exchange%20Organization%20federated%20with%20MFG.%3C%2FP%3E%0A%3CP%3E%3CBR%20%2F%3EThe%20one%20mentioned%20by%20you%20where%20you%20have%20to%20renew%20%2F%20replace%20in%20a%20Federation%20Trust%20is%20the%20OrgCertificate%20in%20Get-FederationTrust%20this%20one%20has%20a%20validity%20of%205%20years.%20This%20is%20a%20self%20signed%20certificate%20that%20the%20on-premises%20exchange%20server%20is%20issuing%20and%20assigned%20to%20the%20Federation%20Trust.%20This%20one%20you%20can%20find%20it%20in%20Get-ExchangeCertificate%20%7C%20where%20%7B%24_.Services%20-like%20%22*F*%22%7D%20and%20it%20is%20on%20Get-FederationTrust%20%7C%20fl%20Org*certificate%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-2094574%22%20slang%3D%22en-US%22%3ERe%3A%20Keep%20your%20Federation%20Trust%20up-to-date%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-2094574%22%20slang%3D%22en-US%22%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F395212%22%20target%3D%22_blank%22%3E%40Mirela_Buru%3C%2FA%3E%26nbsp%3BI%20know%20we're%20talking%20about%20two%20different%20certificates%20here.%20I%20am%20just%20taking%20this%20opportunity%20to%20raise%20the%20issue%20I%20described%2C%20since%20it%20is%20relatively%20related%20to%20the%20general%20topic%20that%20is%20Federation%20Trust.%26nbsp%3B%20To%20me%2C%20if%20you're%20making%20innovations%20in%20this%20area%20(such%20as%20introducing%20a%206-week%20turnover%20for%20the%20token%20signing%20certificate%20in%20O365%20%2F%20MFG)%2C%20it%20makes%20sense%20to%20take%20the%20time%20to%20close%20the%20loop%20on%20the%20other%20issue%20that%20I've%20raised.%26nbsp%3B%20So%20I%20will%20continually%20raise%20the%20issue%20until%20it%20gets%20the%20TLC%20is%20deserves%2C%20which%20is%20a%20proper%2C%20supported%20process%20to%20remove%20the%20expired%20OrgCertificate.%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-2094858%22%20slang%3D%22en-US%22%3ERe%3A%20Keep%20your%20Federation%20Trust%20up-to-date%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-2094858%22%20slang%3D%22en-US%22%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F64125%22%20target%3D%22_blank%22%3E%40Jeremy%20Bradshaw%3C%2FA%3E%26nbsp%3B%2C%20for%20this%20particular%20issue%20(not%20related%20to%20this%20update)%20I%20would%20suggest%20to%20give%20this%20feedback%20on%20UserVoiceoffice365.uservoice.com.%20Depending%20on%20the%20need%20and%20future%20product%20updates%2C%20Engineering%20team%20will%20decide%20if%20to%20take%20action%20or%20not%20on%20it.%20It%20is%20known%20that%20we%20cannot%20delete%20a%20certificate%20referenced%20by%20the%20Federation%20Trust%20(%3CSPAN%3EGet-ExchangeCertificate%20%7C%20where%20%7B%24_.Services%20-like%20%22*F*%22%7D%20and%20it%20is%20on%20Get-FederationTrust%20%7C%20fl%20Org*certificate)%3C%2FSPAN%3E.%20And%20once%20the%20current%20Org%20certificate%20is%20expired%2C%20you%20need%20to%20delete%20and%20recreate%20the%20trust%20as%20per%20current%20design.%26nbsp%3B%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-2094895%22%20slang%3D%22en-US%22%3ERe%3A%20Keep%20your%20Federation%20Trust%20up-to-date%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-2094895%22%20slang%3D%22en-US%22%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F395212%22%20target%3D%22_blank%22%3E%40Mirela_Buru%3C%2FA%3E%26nbsp%3BI%20will%20go%20away%20from%20here%2C%20(not%20doing%20a%20user%20voice%20though).%26nbsp%3B%20But%20first%2C%20I%20can't%20not%20clarify%20something.%26nbsp%3B%20It%20is%20AFTER%20you've%20already%20renewed%20the%20org%20certificate%20that%20I'm%20referring%20to.%26nbsp%3B%20Maybe%20what%20you%20are%20telling%20me%20is%20that%20we%20need%20to%20nullify%20the%26nbsp%3BOrgPrevPrivCertificate%26nbsp%3Bproperty%20on%20the%20Federation%20Trust%3F%26nbsp%3B%20That%20is%20the%20other%20part%20of%20the%20undocumented%20%2F%20unsupported%20process%20which%20I%20was%20alluding%20earlier.%26nbsp%3B%20You%20blank%20that%2C%20and%20then%20manually%20cleanup%20by%20deleting%20the%20old%20cert%20from%20all%20the%20Exchange%20servers.%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EThe%20%22current%20design%22%20does%20not%20have%20a%20solution%20for%20when%20the%20certificate%20specified%20in%20the%20OrgPrevPrivCertificate%20has%20expired.%26nbsp%3B%20When%20it%20happens%2C%20the%20Federation%20Trust%20does%20not%20have%20to%20be%20rebuilt.%26nbsp%3B%20But%20you%20will%20get%20notifications%20in%20ECP%20and%20in%20Event%20Viewer%20that%20the%20certificate%20has%20expired.%26nbsp%3B%20Here's%20an%20example%20of%20real%20life%20customers%20experiencing%20the%20issue%3A%26nbsp%3B%3CA%20href%3D%22https%3A%2F%2Fsocial.technet.microsoft.com%2FForums%2Fen-US%2Ff5349498-df20-4cea-a565-bd544ed56b0a%2Fhow-to-remove-previous-federation-gateway-certificate%22%20target%3D%22_blank%22%20rel%3D%22noopener%20noreferrer%22%3Ehttps%3A%2F%2Fsocial.technet.microsoft.com%2FForums%2Fen-US%2Ff5349498-df20-4cea-a565-bd544ed56b0a%2Fhow-to-remove-previous-federation-gateway-certificate%3C%2FA%3E%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-2097182%22%20slang%3D%22en-US%22%3ERe%3A%20Keep%20your%20Federation%20Trust%20up-to-date%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-2097182%22%20slang%3D%22en-US%22%3E%3CP%3EHi%2C%20must%20be%20run%20it%20on%20all%20Exchange%20servers%3F%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-2097531%22%20slang%3D%22en-US%22%3ERe%3A%20Keep%20your%20Federation%20Trust%20up-to-date%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-2097531%22%20slang%3D%22en-US%22%3E%3CP%3EProbably%20it's%20worth%20to%20mention%20that%20newer%20versions%20of%20HCW%26nbsp%3B%3CSPAN%3Ewill%20no%20longer%20enable%20Federation%20Trust%20by%20default%20for%20all%20installations.%20Instead%2C%20HCW%20will%20only%20enable%20Federation%20Trust%20if%20there%20are%20Exchange%202010%20servers%20on%20premises.%20%3C%2FSPAN%3E%3C%2FP%3E%3CP%3EThis%20could%20result%20in%20some%20confusion%20for%20admins%20that%20will%20expect%20some%20data%20from%20the%20Get-FederationTrust%20command.%3C%2FP%3E%3CP%3EMy%20two%20cents%3C%2FP%3E%3CP%3EFabrizio%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-2097936%22%20slang%3D%22en-US%22%3ERe%3A%20Keep%20your%20Federation%20Trust%20up-to-date%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-2097936%22%20slang%3D%22en-US%22%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F243338%22%20target%3D%22_blank%22%3E%40Fabrizio%20Berton%3C%2FA%3E%26nbsp%3B%2C%20you%20are%20correct%2C%20that%20change%2C%20related%20to%20HCW%20not%20configuring%20federation%20trust%20automatically%20anymore%20has%20been%20mentioned%20here%3A%26nbsp%3B%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fexchange-team-blog%2Fmarch-2020-significant-update-to-hybrid-configuration-wizard%2Fba-p%2F1238753%22%20target%3D%22_blank%22%3Ehttps%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fexchange-team-blog%2Fmarch-2020-significant-update-to-hybrid-configuration-wizard%2Fba-p%2F1238753%3C%2FA%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3EThis%20article%20applies%20to%20all%20Exchange%20organizations%20who%20established%20a%20federation%20trust%20with%20MFG%20(manually%20or%20automatically%20via%20HCW%20when%20we%20have%20an%20Exchange%202010%20in%20the%20organization).%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F762087%22%20target%3D%22_blank%22%3E%40bbzome%3C%2FA%3E%2C%20just%201%20server%20should%20be%20sufficient.%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F64125%22%20target%3D%22_blank%22%3E%40Jeremy%20Bradshaw%3C%2FA%3E%26nbsp%3B%2C%20that%20is%20why%20I%20suggested%20to%20mention%20this%20issue%20on%20uservoice.%20By%20design%2C%20we%20cannot%20delete%20any%20certificate%20that%20is%20referenced%20by%20the%20Federation%20Trust%20object%20(current%20or%20previous).%20Recreation%20of%20the%20trust%20or%20pushing%202%20certificates%20would%20allow%20you%20to%20get%20rid%20off%20the%20previous%20expired%20certificate%20but%20not%20sure%20if%20it%20worth%20it%20for%20the%20pop-ups%20issue%20in%20EAC%20for%20previous%20expired%20certificates%20that%20are%20still%20associated%20with%20the%20Federation%20Trust.%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-2098072%22%20slang%3D%22en-US%22%3ERe%3A%20Keep%20your%20Federation%20Trust%20up-to-date%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-2098072%22%20slang%3D%22en-US%22%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F285960%22%20target%3D%22_blank%22%3E%40Neil_Flanagan%3C%2FA%3E%26nbsp%3B%2C%20thank%20you%20for%20pointing%20that%20out.%20The%20command%20has%20been%20corrected.%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-2098141%22%20slang%3D%22en-US%22%3ERe%3A%20Keep%20your%20Federation%20Trust%20up-to-date%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-2098141%22%20slang%3D%22en-US%22%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F395212%22%20target%3D%22_blank%22%3E%40Mirela_Buru%3C%2FA%3E%26nbsp%3BThere%20is%20actually%20no%20UserVoice%20site%20available%20that%20is%20suitable%20for%20me%20to%20place%20my%20request.%26nbsp%3B%20I%20realize%20Exchange%202010%20is%20going%2Fgone%20away%20and%20so%20will%2Fare%20Federation%20Trusts.%26nbsp%3BRecreating%20the%20Federation%20Trust%20can%20be%20disruptive%20to%20users%20and%20(when%20there%20are%20many%20Accepted%20Domains)%20becomes%20a%20lot%20of%20work%20(i.e.%20creating%20public%20DNS%20proof%20records).%26nbsp%3B%20A%20process%20to%20remove%20the%20expired%20certificate%20from%20the%20existing%2C%20otherwise%20fine%20trust%2C%20would%20be%20the%20customer-first%20approach.%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EIf%20you%20look%20at%20%3CA%20href%3D%22https%3A%2F%2Fdocs.microsoft.com%2Fen-us%2Fpowershell%2Fmodule%2Fexchange%2Fset-authconfig%3Fview%3Dexchange-ps%22%20target%3D%22_self%22%20rel%3D%22noopener%20noreferrer%22%3ESet-AuthConfig%2C%3C%2FA%3E%26nbsp%3Byou%20can%20see%20that%20there%20is%20an%20included%20parameter%20-ClearPreviousCertificate.%26nbsp%3B%20That%20is%20exactly%20what%20would%20have%20been%20nice%20to%20have%20included%20for%20Set-FederationTrust.%26nbsp%3B%20I%20realize%20it's%20too%20late%20to%20ask%20for%20Set-FederationTrust%20to%20be%20updated%2C%20especially%20in%20Exchange%20versions%20older%20than%20Exchange%202019.%26nbsp%3B%20In%20place%20of%20that%2C%20some%20kind%20of%20similar%20blog%20post%20to%20this%20one%2C%20sharing%20a%20well-working%20solution%2C%20would%20be%20sufficient.%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EI%20hope%20you%20can%20agree%20that%20this%20blog%20post%20is%20at%20least%20loosely%20related%20to%20the%20topic%20I'm%20referring%20to.%26nbsp%3B%20Every%20organization%20that%20has%20had%20a%20Federation%20Trust%20created%20more%20than%205%20years%20ago%20faces%20this%20issue%2C%20with%20an%20expired%20certificate%20on%20every%20Exchange%20server%2C%20equaling%20one%20repetitive%20notification%20per%20server.%26nbsp%3B%20It's%20messy%20and%20noisy%2C%20I'm%20not%20just%20making%20it%20up%20or%20being%20picky.%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-2108225%22%20slang%3D%22en-US%22%3ERe%3A%20Keep%20your%20Federation%20Trust%20up-to-date%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-2108225%22%20slang%3D%22en-US%22%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F395212%22%20target%3D%22_blank%22%3E%40Mirela_Buru%3C%2FA%3E%26nbsp%3BIs%20there%20a%20specific%20property%20that%20we%20could%20reference%20to%20validate%20if%20data%20has%20been%20changed%20or%20updated%20after%20the%20scheduled%20task%20is%20created%3F%20Looking%20to%20be%20able%20to%20not%20only%20schedule%20task%20but%20confirm%20that%20it%20is%20actually%20updating%20the%20metadata%20when%20a%20change%20is%20made.%20Will%20a%20property%20from%20the%20output%20of%20Get-FederationTrust%20like%20(Guid%2CWhenChanged%2CTokenIssureRef%2CThumbprint)%20change%3F%3C%2FP%3E%3CP%3EThanks%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-2108793%22%20slang%3D%22en-US%22%3ERe%3A%20Keep%20your%20Federation%20Trust%20up-to-date%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-2108793%22%20slang%3D%22en-US%22%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F64125%22%20target%3D%22_blank%22%3E%40Jeremy%20Bradshaw%3C%2FA%3E%26nbsp%3B%2C%20I%20understand%20this%20can%20be%20an%20annoying%20issue.%20And%20I%20also%20understand%20that%20we%20are%20slowly%20moving%20away%20from%20DAuth%20to%20OAuth%20and%20there%20might%20be%20no%20interest%20in%20making%20this%20easier.%20I%20suggested%20the%202%20workarounds%20as%20the%20only%20ones%20I%20can%20think%20of%20now.%20Also%2C%20if%20I%20remember%20correctly%2C%20If%20you%20recreate%20the%20federation%26nbsp%3B%20trust%20with%20the%20same%20(current)%20federation%20trust%20certificate%2C%20it%20won't%20be%20needed%20to%20add%20new%20DNS%20records%20for%20domain%20proof.%20Or%20if%20you%20push%202%20up%20to%20date%20certificates%20in%20Federation%20Trust%2C%20then%20this%20should%20be%20feasible%20to%20allow%20you%20discard%20the%20expired%20one.%20If%20you%20cannot%20post%20this%20on%20uservoice%2C%20you%20might%20be%20able%20to%20give%20feedback%20on%20that%20docs%20page%20with%20renew%2Freplace%20certificate%20it%20but%20this%20will%20probably%20be%20just%20a%20by%20design%20statement%20that%20won't%20actually%20give%20you%20a%20solution.%3CBR%20%2F%3EHowever%2C%20I%20disagree%20that%20this%20issue%20you%20highlighted%20is%20related%20to%20this%20specific%20topic%20regarding%20Token%20signing%20certificate%20rotation%20in%20MFG%20and%20I%20believe%20it%20might%20cause%20confusion%20amongst%20readers%20on%20what%20certificates%20we%20are%20referring%20to.%26nbsp%3B%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-2108797%22%20slang%3D%22en-US%22%3ERe%3A%20Keep%20your%20Federation%20Trust%20up-to-date%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-2108797%22%20slang%3D%22en-US%22%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F946749%22%20target%3D%22_blank%22%3E%40Chris_Owens%3C%2FA%3E%26nbsp%3B%2C%20the%20easy%20way%20to%20check%20this%20is%20by%20looking%20at%20the%20Certificates%20thumbprints%20(and%20valid%20dates)%20before%20and%20after%20Refresh%20Metadata%20and%20at%20the%20Test-FederationTrust%20Verbose%20output%20to%20see%20the%20certificate%20thumbprints%20used%20by%20MFG.%26nbsp%3B%3C%2FP%3E%0A%3CP%3EI%20am%20giving%20an%20example%20below%3A%3C%2FP%3E%0A%3CP%3E%3CSPAN%20class%3D%22lia-inline-image-display-wrapper%20lia-image-align-inline%22%20image-alt%3D%22Mirela_Buru_0-1611994150771.jpeg%22%20style%3D%22width%3A%20400px%3B%22%3E%3CIMG%20src%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fimage%2Fserverpage%2Fimage-id%2F250731i677964051B628C2A%2Fimage-size%2Fmedium%3Fv%3Dv2%26amp%3Bpx%3D400%22%20role%3D%22button%22%20title%3D%22Mirela_Buru_0-1611994150771.jpeg%22%20alt%3D%22Mirela_Buru_0-1611994150771.jpeg%22%20%2F%3E%3C%2FSPAN%3E%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3EBEFORE%20Refresh%20Metadata%3C%2FP%3E%0A%3CP%3E%3CSPAN%20class%3D%22lia-inline-image-display-wrapper%20lia-image-align-inline%22%20image-alt%3D%22Mirela_Buru_1-1611994198003.jpeg%22%20style%3D%22width%3A%20400px%3B%22%3E%3CIMG%20src%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fimage%2Fserverpage%2Fimage-id%2F250732iA0E272EF0FB377B2%2Fimage-size%2Fmedium%3Fv%3Dv2%26amp%3Bpx%3D400%22%20role%3D%22button%22%20title%3D%22Mirela_Buru_1-1611994198003.jpeg%22%20alt%3D%22Mirela_Buru_1-1611994198003.jpeg%22%20%2F%3E%3C%2FSPAN%3E%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3EAFTER%20RefreshMetadata%3C%2FP%3E%0A%3CP%3E%3CSPAN%20class%3D%22lia-inline-image-display-wrapper%20lia-image-align-inline%22%20image-alt%3D%22Mirela_Buru_2-1611994287749.jpeg%22%20style%3D%22width%3A%20400px%3B%22%3E%3CIMG%20src%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fimage%2Fserverpage%2Fimage-id%2F250733i24B75D5EC4DC3383%2Fimage-size%2Fmedium%3Fv%3Dv2%26amp%3Bpx%3D400%22%20role%3D%22button%22%20title%3D%22Mirela_Buru_2-1611994287749.jpeg%22%20alt%3D%22Mirela_Buru_2-1611994287749.jpeg%22%20%2F%3E%3C%2FSPAN%3E%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-2108838%22%20slang%3D%22en-US%22%3ERe%3A%20Keep%20your%20Federation%20Trust%20up-to-date%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-2108838%22%20slang%3D%22en-US%22%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F395212%22%20target%3D%22_blank%22%3E%40Mirela_Buru%3C%2FA%3E%26nbsp%3Bthe%20Docs%20page%20is%20closed%20to%20feedback%20(not%20available%20to%20open%20issues%20or%20submit%20a%20pull%20request).%26nbsp%3B%20I%20like%20your%20suggestion%20to%20do%20the%20certificate%20update%20two%20times%20in%20a%20row%20in%20order%20to%20free%20up%20the%20old%20previous%20org%20cert%20so%20it%20can%20be%20removed%20without%20causing%20Test-FederationTrust%20to%20fail.%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EMaybe%20I%20will%20post%20a%20thread%20outlining%20why%20and%20how%20to%20do%20this.%26nbsp%3B%20However%2C%20I%20do%20agree%20to%20disagree%20that%20these%20two%20topics%20aren't%20related.%26nbsp%3B%20We're%20talking%20about%20federation%20trust%2C%20and%20your%20post%20is%20about%20the%20certificate%20in%20the%20MFG%2FMicrosoft%20end.%26nbsp%3B%20I%20called%20out%20that%2C%20while%20you%20Microsoft%2FExchange%20Team%20are%20concerned%20about%20one%20issue%20around%20federation%20trust%2C%20you've%20turned%20a%20blind%20eye%20to%20this%20other%2C%20more%20prevalent%20issue%20that%20is%20also%20around%20federation%20trust.%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3ESo%20I%20do%20thank%20you%20for%20the%20suggestions%20you%20provided%20here%2C%20but%20am%20still%20happy%20to%20have%20had%20the%20open%20discussion%20with%20you%20right%20here.%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3C%2FLINGO-BODY%3E
Co-Authors
Version history
Last update:
‎Feb 10 2021 10:32 AM
Updated by:
We support Ukraine and condemn war. Push Russian government to act against war. Be brave, vocal and show your support to Ukraine. Follow the latest news HERE