In a setup where Microsoft 365 federates user authentication to Google as the central identity provider, the certificate Google uses to sign SAML assertions has an expiration date, so the copy registered on the Microsoft side must be replaced when Google's certificate is renewed.
To do this, follow these steps:
- Access the Microsoft 365 application at https://admin.google.com/ac/apps/unified > Service provider details > Manage certificates
- Delete the expired certificate if necessary, generate a new certificate, and download or copy it. Remove the line breaks as well as the lines -----BEGIN CERTIFICATE----- and -----END CERTIFICATE-----, so that only the Base64 body remains
- In PowerShell, install the Microsoft Graph module, or update it if it is already installed:
    Install-Module Microsoft.Graph -Scope CurrentUser
    Update-Module Microsoft.Graph -Scope CurrentUser
- Run the following lines in sequence. Variables (set your federated domain and paste the cleaned certificate; the Replace calls strip any line breaks or spaces that survived the cleanup):
    $domain = "example.com"
    $rawCert = "PASTE_CLEANED_CERTIFICATE_HERE"
    $cleanCert = $rawCert.Replace("`n","").Replace("`r","").Replace(" ","")
- Connection (sign in with an account allowed to manage domains in the tenant):
    Connect-MgGraph -Scopes "Domain.ReadWrite.All", "Directory.AccessAsUser.All" -TenantId "$domain"
- Inserting the new certificate (every federation configuration returned for the domain is updated):
    Get-MgDomainFederationConfiguration -DomainId $domain | ForEach-Object { Update-MgDomainFederationConfiguration -DomainId $domain -InternalDomainFederationId $_.Id -SigningCertificate $cleanCert }
- Validation of the new certificate (the output should match the Base64 string you pasted):
    Get-MgDomainFederationConfiguration -DomainId "$domain" | Select-Object -ExpandProperty SigningCertificate
- Return to the Microsoft 365 application at https://admin.google.com/ac/apps/unified > Service provider details, make sure the new certificate is selected, and save. SAML sign-ins fail from the moment the Microsoft side is updated until this step is done, so perform the two back to back
- Access the Microsoft 365 application at https://admin.google.com/ac/apps/unified > Autoprovisioning, and run the authorization or reauthorization process in App authorization
- Test the integration using the TEST SAML LOGIN button
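As an added example (not the original procedure's script), the same rotation as one PowerShell script that reads the downloaded PEM file, strips the armor lines, refuses an expired certificate before touching the tenant, updates every federation configuration of the domain, and verifies the result by thumbprint instead of comparing Base64 text by eye. The domain example.com and the file path google-idp-new.pem are assumptions.

```powershell
using namespace System.Security.Cryptography.X509Certificates

# Assumed inputs (not from the page): the federated domain and the PEM file downloaded
# from admin.google.com > Service provider details > Manage certificates.
$Domain   = "example.com"
$CertPath = ".\google-idp-new.pem"

# Strip the armor lines and every whitespace character; what remains is the Base64 body
# that Update-MgDomainFederationConfiguration expects in -SigningCertificate.
$pem = Get-Content -Path $CertPath -Raw
$cleanCert = $pem -replace '-----BEGIN CERTIFICATE-----', '' -replace '-----END CERTIFICATE-----', '' -replace '\s', ''

# Parse before touching the tenant: a copy-and-paste error or an expired file fails here, not at login time.
$newCert = [X509Certificate2]::new([Convert]::FromBase64String($cleanCert))
if ($newCert.NotAfter -lt (Get-Date)) {
    throw "Certificate $($newCert.Thumbprint) expired on $($newCert.NotAfter)"
}
Write-Host "New certificate: $($newCert.Thumbprint), valid $($newCert.NotBefore) to $($newCert.NotAfter)"

Connect-MgGraph -Scopes "Domain.ReadWrite.All", "Directory.AccessAsUser.All" -TenantId $Domain

$configs = @(Get-MgDomainFederationConfiguration -DomainId $Domain)
if ($configs.Count -eq 0) { throw "No federation configuration found for $Domain" }

foreach ($fed in $configs) {
    $current = [X509Certificate2]::new([Convert]::FromBase64String($fed.SigningCertificate))
    Write-Host "Config $($fed.Id) currently signs with $($current.Thumbprint), expiring $($current.NotAfter)"
    if ($current.Thumbprint -eq $newCert.Thumbprint) {
        Write-Host "Already up to date, skipping"
        continue
    }
    Update-MgDomainFederationConfiguration -DomainId $Domain -InternalDomainFederationId $fed.Id -SigningCertificate $cleanCert
}

# Verify by thumbprint: two Base64 blobs are hard to compare by eye, two thumbprints are not.
foreach ($fed in @(Get-MgDomainFederationConfiguration -DomainId $Domain)) {
    $installed = [X509Certificate2]::new([Convert]::FromBase64String($fed.SigningCertificate))
    if ($installed.Thumbprint -ne $newCert.Thumbprint) {
        throw "Config $($fed.Id) still has $($installed.Thumbprint); expected $($newCert.Thumbprint)"
    }
}
Write-Host "Signing certificate rotated. Now select the same certificate in the Google Admin console and save."
Disconnect-MgGraph
```

Run it immediately before switching the certificate in the Google Admin console, since sign-ins signed with the old certificate are rejected as soon as the update lands. If a zero-downtime switch is needed, Update-MgDomainFederationConfiguration also accepts -NextSigningCertificate, which registers the new certificate as a fallback signer alongside the current one; the new certificate can then be promoted to -SigningCertificate after the Google side has been switched.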