When Google Workspace is the central identity provider (IdP) and Microsoft 365 (Microsoft Entra ID) is federated to it over SAML, Entra ID validates the assertions Google signs against the IdP signing certificate stored in the domain's federation configuration. That certificate has an expiration date, so it must be replaced before it expires, otherwise federated sign-in fails for every user in the domain.
To do this, follow these steps:
- Access the Microsoft 365 app at https://admin.google.com/ac/apps/unified > Service provider details > Manage certificates
- Delete the expired certificate if applicable, generate a new certificate, and download or copy it
- Remove the line breaks and the -----BEGIN CERTIFICATE----- and -----END CERTIFICATE----- lines, leaving only the base64 body
- In PowerShell, install the Microsoft Graph module if you do not have it, or update it if you do:
Install-Module Microsoft.Graph -Scope CurrentUser
Update-Module Microsoft.Graph -Scope CurrentUser
- Connect using:
Connect-MgGraph -Scopes "Domain.ReadWrite.All", "Directory.AccessAsUser.All"
- Run the following lines in sequence; you can paste them all at once in PowerShell:
$domain = "example.com"
$rawCert = "PASTE_CLEANED_CERTIFICATE_HERE"
$cleanCert = $rawCert.Replace("`n","").Replace("`r","").Replace(" ","")
Get-MgDomainFederationConfiguration -DomainId $domain | ForEach-Object {
    Update-MgDomainFederationConfiguration -DomainId $domain -InternalDomainFederationId $_.Id -SigningCertificate $cleanCert
}
- Verify that the new certificate has been applied:
Get-MgDomainFederationConfiguration -DomainId $domain | Select-Object -ExpandProperty SigningCertificate
- Back in the Microsoft 365 app at https://admin.google.com/ac/apps/unified > Service provider details, make sure the new certificate is selected, then save
- In the Microsoft 365 app at https://admin.google.com/ac/apps/unified > Autoprovisioning, perform the authorization (or reauthorization) under App authorization
- Test the integration using the TEST SAML LOGIN button
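The steps above paste the certificate body by hand and only display the stored value afterwards. Because the federation signing certificate is the trust anchor for the whole domain (whoever controls it can mint SAML assertions for any user), it is worth parsing the new certificate locally before installing it and comparing thumbprints after the update instead of eyeballing base64. The script below is an added example, not part of the original procedure: it assumes the Microsoft.Graph module is installed, that `$domain` is the federated domain, and that the PEM downloaded from the Google Admin console is saved at the placeholder path `C:\certs\google-idp.pem`. It requests only `Domain.ReadWrite.All`, which is the permission the update call needs.

```powershell
# Added example: rotate the Google IdP signing certificate on an Entra ID
# federated domain with validation before and after the change.
# Assumptions (placeholders, not from the original page): $domain and $pemPath.
using namespace System.Security.Cryptography.X509Certificates

$domain  = "example.com"
$pemPath = "C:\certs\google-idp.pem"   # PEM exported from Google Admin > Manage certificates

Connect-MgGraph -Scopes "Domain.ReadWrite.All" -NoWelcome

# 1. Strip the PEM armour and every whitespace character (CR, LF, spaces).
#    Entra stores the certificate as a bare base64 DER string.
$raw       = Get-Content -Path $pemPath -Raw
$cleanCert = ($raw -replace '-----(BEGIN|END) CERTIFICATE-----', '') -replace '\s', ''

# 2. Parse it locally first. A truncated or mangled paste would otherwise
#    break sign-in for every user until the value is fixed again.
$newCert = [X509Certificate2]::new([Convert]::FromBase64String($cleanCert))
if ($newCert.NotAfter -lt (Get-Date).AddDays(30)) {
    throw "Certificate $($newCert.Thumbprint) expires on $($newCert.NotAfter); refusing to install it."
}
Write-Host "New IdP certificate: $($newCert.Subject), thumbprint $($newCert.Thumbprint), valid until $($newCert.NotAfter)"

# 3. Record what is currently trusted so the change is auditable.
$fed = Get-MgDomainFederationConfiguration -DomainId $domain | Select-Object -First 1
if (-not $fed) { throw "$domain has no federation configuration." }
$oldCert = [X509Certificate2]::new([Convert]::FromBase64String($fed.SigningCertificate))
Write-Host "Currently trusted: thumbprint $($oldCert.Thumbprint), expires $($oldCert.NotAfter)"

if ($oldCert.Thumbprint -eq $newCert.Thumbprint) {
    Write-Host "The new certificate is already installed; nothing to do."
    exit 0
}

# 4. Replace the signing certificate on the federation configuration.
Update-MgDomainFederationConfiguration -DomainId $domain `
    -InternalDomainFederationId $fed.Id `
    -SigningCertificate $cleanCert

# 5. Read the value back and compare thumbprints rather than assuming success.
$after     = Get-MgDomainFederationConfiguration -DomainId $domain | Select-Object -First 1
$installed = [X509Certificate2]::new([Convert]::FromBase64String($after.SigningCertificate))
if ($installed.Thumbprint -ne $newCert.Thumbprint) {
    throw "Verification failed: tenant holds $($installed.Thumbprint), expected $($newCert.Thumbprint)."
}
Write-Host "Federation signing certificate for $domain updated and verified."
```

Before running it, compare the thumbprint the script prints for the new certificate with the one shown in the Google Admin console; the PowerShell session is changing the tenant's trust anchor, and the printed old and new thumbprints give you a record to keep with the change ticket. Then continue with the Google Admin steps above (select the certificate, reauthorize autoprovisioning, and use TEST SAML LOGIN).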