New-AdfsAzureMfaTenantCertificate
Creates a certificate for the AD FS farm to use to connect to Azure MFA, or returns the currently configured certificate.
Syntax
New-AdfsAzureMfaTenantCertificate
-TenantId <String>
[-Renew <Boolean>]
[-WhatIf]
[-Confirm]
[<CommonParameters>]
Description
The New-AdfsAzureMfaTenantCertificate cmdlet creates a certificate for an Active Directory Federation Services (AD FS) farm to use to connect to Azure Multi-Factor Authentication (MFA), or returns the currently configured certificate.
The cmdlet looks in the local machine My store (Cert:\LocalMachine\My) for a certificate whose Issuer and Subject are both equal to:
CN = <tenant ID>
OU = Microsoft AD FS Azure MFA
If it does not find one, it generates it.
Examples
Example 1: Create a certificate and enable Azure MFA on an AD FS farm
PS C:\> $certbase64 = New-AdfsAzureMfaTenantCertificate -TenantID <your tenant ID>
PS C:\> New-AzureADServicePrincipalKeyCredential -ObjectId 981f26a1-7f43-403b-a875-f8b09b8cd720 -Type asymmetric -Usage verify -Value $certBase64
PS C:\> Set-AdfsAzureMfaTenant -TenantId <your tenant ID> -ClientId 981f26a1-7f43-403b-a875-f8b09b8cd720
These commands create a certificate for Azure MFA, register the certificate in a tenant, and enable Azure MFA on an AD FS farm.
Note
Customers are encouraged to use the newer Microsoft Graph PowerShell module.
Example 2: Determine which certificate Azure MFA is using
PS C:\> $CertInBase64 = New-AdfsAzureMfaTenantCertificate -TenantID <your tenant ID>
PS C:\> [Security.Cryptography.X509Certificates.X509Certificate2]([System.Convert]::FromBase64String($CertInBase64))
After AD FS has been configured for Azure MFA, this command determines which certificate Azure MFA is using and when it expires.
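The description above says the cmdlet searches the local machine My store for a self-issued certificate carrying the tenant CN and the AD FS OU, and Example 2 decodes its base64 output to see the expiry. The following added example (not part of the cmdlet reference) combines the two: it locates that certificate in the store, reports its expiry and private-key presence, and optionally decodes the cmdlet output so you can confirm which store certificate AD FS actually uses. It assumes the store is Cert:\LocalMachine\My and matches the CN and OU components separately, since the attribute order in the Subject string is not stated on the page.

```powershell
# Added example, not from the cmdlet reference. Assumes Cert:\LocalMachine\My is the
# "local machine My store" and matches the CN and OU parts individually (order unknown).
function Test-AdfsAzureMfaTenantCertificate {
    param(
        [Parameter(Mandatory = $true)][string]$TenantId,   # tenant GUID
        [int]$WarnDays = 30,                                # renewal warning window in days
        [switch]$CompareWithCmdlet                          # also call the cmdlet (creates a cert if none exists)
    )

    $cnPattern = "CN=$([regex]::Escape($TenantId))"
    $ouPattern = 'OU=Microsoft AD FS Azure MFA'

    # Find what the cmdlet would find: a self-issued cert with the tenant CN and the AD FS OU.
    $certs = Get-ChildItem -Path Cert:\LocalMachine\My | Where-Object {
        $_.Subject -match $cnPattern -and $_.Subject -match $ouPattern -and
        $_.Issuer  -match $cnPattern -and $_.Issuer  -match $ouPattern
    }

    if (-not $certs) {
        Write-Warning "No Azure MFA tenant certificate for $TenantId in Cert:\LocalMachine\My; the cmdlet would generate one."
        return
    }

    $activeThumbprint = $null
    if ($CompareWithCmdlet) {
        # Decode the cmdlet's base64 output exactly as Example 2 does, to learn which cert AD FS uses.
        $b64 = New-AdfsAzureMfaTenantCertificate -TenantId $TenantId
        $active = [Security.Cryptography.X509Certificates.X509Certificate2]([Convert]::FromBase64String($b64))
        $activeThumbprint = $active.Thumbprint
    }

    foreach ($cert in $certs) {
        $daysLeft = [int][math]::Floor(($cert.NotAfter - (Get-Date)).TotalDays)
        # The -Renew parameter is documented as not for already-expired certs, so flag expiry early.
        if ($daysLeft -lt 0) { $status = 'EXPIRED' }
        elseif ($daysLeft -le $WarnDays) { $status = 'RENEW SOON' }
        else { $status = 'OK' }
        $usedByAdfs = if ($activeThumbprint) { $cert.Thumbprint -eq $activeThumbprint } else { 'unknown' }

        [pscustomobject]@{
            Thumbprint    = $cert.Thumbprint
            NotAfter      = $cert.NotAfter
            DaysLeft      = $daysLeft
            HasPrivateKey = $cert.HasPrivateKey   # AD FS needs the private key to sign requests
            UsedByAdfs    = $usedByAdfs
            Status        = $status
        }
    }
}

# Usage (placeholder tenant ID): Test-AdfsAzureMfaTenantCertificate -TenantId '<your tenant ID>' -CompareWithCmdlet
```

Run it without -CompareWithCmdlet when you only want to inspect the store, since calling the cmdlet on a farm with no matching certificate generates a new one.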
Parameters
-Confirm
Prompts you for confirmation before running the cmdlet.
Type: SwitchParameter
Aliases: cf
Position: Named
Default value: False
Required: False
Accept pipeline input: False
Accept wildcard characters: False
-Renew
Renews the certificate. Do not use this parameter if the certificate has already expired; in that scenario, the existing expired certificate is replaced with a new certificate.
Type: Boolean
Position: Named
Default value: None
Required: False
Accept pipeline input: False
Accept wildcard characters: False
-TenantId
Specifies the GUID representation of the Microsoft Entra tenant ID.
This can be found in the URL bar of the Microsoft Entra admin center, as in this example: https://manage.windowsazure.com/contoso.onmicrosoft.com#Workspaces/ActiveDirectoryExtension/Directory/<tenantID_GUID>/directoryQuickStart
Alternatively, you can use the Login-AzureRmAccount cmdlet to get the tenant ID.
Type: String
Position: Named
Default value: None
Required: True
Accept pipeline input: False
Accept wildcard characters: False
-WhatIf
Shows what would happen if the cmdlet runs. The cmdlet is not run.
Type: SwitchParameter
Aliases: wi
Position: Named
Default value: False
Required: False
Accept pipeline input: False
Accept wildcard characters: False