I’ve got a client with Google Workspace as their IdP, and Microsoft 365 as the service provider, using the identity provided by Workspace.
When setting it all up, the initial SAML certificate that was generated was only valid for 12 months. It’s now a year down the track and I need to update it.
This is a lot easier said than done – there’s literally nowhere in the Entra portal, nor in the Enterprise Application that does the heavy lifting, to update the SAML Certificate.
What’s worse is that all the examples I’ve seen online to update the cert all use the older, and deprecated Set-MsolDomainAuthentication PowerShell command.
Cutting to the chase, here’s how to do it with the up-to-date Microsoft Graph (MgGraph) commands instead. This assumes you’ve already gone into Google Workspace, generated a new certificate for the Web and Mobile App, and downloaded it to your machine.
First, connect to Microsoft Graph and get the Internal Domain Federation ID for your domain:
Connect-MgGraph -Scopes "Domain.ReadWrite.All", "Directory.AccessAsUser.All"
Get-MgDomainFederationConfiguration -DomainId 'example.com.au'
This returns the federation configuration for the domain; its Id property is the uuid you need, so take note of it. Next, concatenate all the base64 lines of your certificate (everything between the BEGIN CERTIFICATE and END CERTIFICATE lines) onto one line.
Finally, execute the following command to replace the certificate in Entra:
Update-MgDomainFederationConfiguration -InternalDomainFederationId 'your-uuid' -DomainId 'example.com.au' -SigningCertificate "MIIDd..."
Give it a minute or two to settle after doing this, make sure your new certificate is set as the primary certificate in Google Workspace, and then try authenticating again.
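Putting the steps above together, here is an added example script (not from the original post) that does the same rotation end to end with a few checks around it: it reads the PEM file Google Workspace gave you, strips the BEGIN/END lines, confirms the certificate is currently valid before touching anything, records which certificate Entra trusted before the change, and reads the configuration back afterwards to confirm the thumbprint now matches the file you uploaded. The domain name and the PEM path are placeholders you need to replace; it assumes the Microsoft.Graph.Identity.DirectoryManagement module is installed.

```powershell
# Added example: rotate the Google Workspace SAML signing certificate on a federated
# Microsoft 365 domain with the Microsoft Graph PowerShell cmdlets, with checks
# before and after the update. Domain and path below are placeholders.
param(
    [string]$DomainId = 'example.com.au',                    # your federated domain (placeholder)
    [string]$CertPath = 'C:\temp\GoogleIDPCertificate.pem'   # cert downloaded from Workspace (placeholder)
)

Import-Module Microsoft.Graph.Identity.DirectoryManagement

# 1. Load the PEM and reduce it to a single line of base64 (drop the BEGIN/END lines).
$pemLines = Get-Content -Path $CertPath
$base64 = ($pemLines | Where-Object { $_ -and $_ -notmatch '^-----' }) -join ''

# 2. Sanity check: parse it and make sure it is valid right now (not expired, not future-dated).
$newCert = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new(
    [Convert]::FromBase64String($base64))
$now = Get-Date
if ($newCert.NotBefore -gt $now -or $newCert.NotAfter -lt $now) {
    throw "Certificate $($newCert.Thumbprint) is not currently valid ($($newCert.NotBefore) to $($newCert.NotAfter))"
}
Write-Host "New IdP cert: $($newCert.Subject), thumbprint $($newCert.Thumbprint), expires $($newCert.NotAfter)"

# 3. Connect and locate the federation configuration; its Id is the InternalDomainFederationId.
Connect-MgGraph -Scopes 'Domain.ReadWrite.All', 'Directory.AccessAsUser.All'
$fed = Get-MgDomainFederationConfiguration -DomainId $DomainId
if (-not $fed) { throw "No federation configuration found for $DomainId" }

# Record what Entra currently trusts so the change is auditable.
$oldCert = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new(
    [Convert]::FromBase64String($fed.SigningCertificate))
Write-Host "Current cert thumbprint $($oldCert.Thumbprint), expires $($oldCert.NotAfter)"

# 4. Replace the signing certificate.
Update-MgDomainFederationConfiguration -DomainId $DomainId `
    -InternalDomainFederationId $fed.Id `
    -SigningCertificate $base64

# 5. Read it back and confirm Entra now holds exactly the certificate we uploaded.
$after = Get-MgDomainFederationConfiguration -DomainId $DomainId
$afterCert = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new(
    [Convert]::FromBase64String($after.SigningCertificate))
if ($afterCert.Thumbprint -ne $newCert.Thumbprint) {
    throw "Update did not take effect: Entra reports thumbprint $($afterCert.Thumbprint)"
}
Write-Host "Federation signing certificate for $DomainId rotated to $($afterCert.Thumbprint)"
```

The before/after thumbprints are worth keeping in your change record: if sign-ins break after the rotation, comparing the thumbprint Entra reports against the certificate marked primary in Google Workspace is the quickest way to tell whether the two sides disagree.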