Trying to update a cert with a federated Azure domain, cannot verify domain.

Kay Peek 0 Reputation points
2025-03-05T21:54:37.29+00:00

- Hybrid Azure tenant
- FortiAuthenticator MFA (SAML through a federated domain in Azure, not in AD)

My MFA broke the other day when I was setting a new configuration. The UI informed me that our current cert for our federated domain is out of date and, since I had made changes, it would not allow it to save without a valid cert. I found the new cert and changed it in FortiAuth. Then I went to change it for our federated domain and ran the following PowerShell cmdlets:

Get-MsolDomainFederationSettings

- This showed me the old certificate was definitely still in use and showed my federated domain.

Set-MsolDomainFederationSettings

- Added the new cert and all domain information, no error.

Confirm-MsolDomain

- Error: Unable to verify this domain because it is used elsewhere in Office 365. Remove the verified domain from the other service before adding it here.

Get-MsolDomainFederationSettings

- Old cert still in place despite Set-MsolDomainFederationSettings giving no error.

Our domain (i.e. contoso.com) is federated and verified in our tenant. However, when our tenant was created, they set it as a different name (i.e. contosoonline.onmicrosoft.com). I am new to the company, but previously users were given carte blanche to do what they wanted. It seems like someone maybe made a tenant with the federated domain (i.e. contoso.onmicrosoft.com). I tried the Power BI trial trick to get the "rogue tenant" (https://learn.microsoft.com/en-us/entra/identity/users/domains-admin-takeover), but it never gave me access and only assigned me back to our current tenant. So now I need to update the certificate at the very least, but also reclaim the tenant. I'm currently sitting on hold for 3 hours with Microsoft support waiting for any assistance, but I'm hoping someone else might have an idea to help me.

Also, I would like to move our MFA off this and to an Enterprise App (whoever did this as federated is on my list), but I can't at this time without breaking everyone.

And we do NOT have an ADFS.

Microsoft Entra Internet Access

1 answer

  1. Kancharla Saiteja 1,580 Reputation points Microsoft External Staff
    2025-03-12T04:43:23.57+00:00

    Hi @Kay Peek,

    Thank you for posting your query on Microsoft Q&A.

    Based on your query, I understand that you have an issue while updating the certificate for a federated domain.

    As per the description, you have tried updating the federated domain certificate using Confirm-MsolDomain. This command is used to verify the federated domain, which is the reason you have seen the error. If you would like to update the certificate for a federated domain, you need to use the Set commands. Here is the document which helps you in understanding the update of certificates: Set-MsolDomainFederationSettings

    Here is the command to check the status of updated certificate:

     Set-MsolDomainFederationSettings [-SigningCertificateUpdateStatus <SigningCertificateUpdateStatus>]
    

    Once you update the certificate you can restart the services of federation to check the status accordingly.

    If this does not help you, you can also update the certificate using MgGraph:

    1. Set-ExecutionPolicy -ExecutionPolicy RemoteSigned -Scope CurrentUser
    2. Install-Module Microsoft.Graph -Scope CurrentUser -Repository PSGallery -Force
    3. Get-InstalledModule Microsoft.Graph
    4. Update-MgDomainFederationConfiguration -DomainId <String> -InternalDomainFederationId <String> [-SigningCertificate <String>]
    5. Restart-Service -Name winmgmt (name of the service)

    Here is the referenced document: Update-MgDomainFederationConfiguration

    I see you also had a discussion with our service team regarding the lost admin access. If you lost access to the tenant, our team would collect the required information and validate it. Once the validation is done, you will be assisted further in gaining the access back. If it is still not resolved, kindly let me know; we are happy to assist you from our end.

    I hope this information is helpful. Please feel free to reach out if you have any further questions.

    If the answer is helpful, please click "Accept Answer" and kindly "upvote it". If you have extra questions about this answer, please click "Comment"

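The following is an added example, not code from the question or the answer above, showing the Microsoft.Graph steps the answer lists as one script, together with the read-back check the poster was missing when Set-MsolDomainFederationSettings returned silently but Get- still showed the old certificate. It assumes (none of this is on the page) the federated domain is contoso.com, the new token-signing certificate has been exported from the IdP as .\idp-signing.cer (public part only, DER or PEM), the Microsoft.Graph.Identity.DirectoryManagement module is installed, and the signed-in account is allowed to write domain federation settings. By default it only reports; -Commit applies the change, and -StageOnly writes the new certificate into NextSigningCertificate (the documented fallback slot) instead of replacing the primary one, for a planned rotation where the IdP has not been switched yet.

```powershell
# Added example, not code from the original question or answer.
# Rotate the SAML token-signing certificate that Entra ID trusts for a federated
# domain via Microsoft.Graph, then read the setting back instead of trusting a
# silent return. Domain name, file path and permissions are assumptions.
#Requires -Modules Microsoft.Graph.Identity.DirectoryManagement
param(
    [string]$DomainName  = 'contoso.com',       # assumed example domain
    [string]$NewCertPath = '.\idp-signing.cer', # assumed export from the IdP
    [switch]$StageOnly,   # write to NextSigningCertificate instead of SigningCertificate
    [switch]$Commit       # without this the script only reports what it would change
)

Import-Module Microsoft.Graph.Identity.DirectoryManagement

# Load a certificate file and produce the base64 DER string that the Graph
# signingCertificate / nextSigningCertificate properties expect (no PEM header/footer).
function Get-SigningCertInfo {
    param([string]$Path)
    $cert = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($Path)
    $der  = $cert.Export([System.Security.Cryptography.X509Certificates.X509ContentType]::Cert)
    [pscustomobject]@{
        Thumbprint = $cert.Thumbprint
        Subject    = $cert.Subject
        NotAfter   = $cert.NotAfter
        Base64Der  = [Convert]::ToBase64String($der)
    }
}

# Parse the base64 string Entra returns so thumbprints can be compared instead of
# eyeballing two long base64 blobs.
function ConvertFrom-Base64Cert {
    param([string]$Base64)
    if ([string]::IsNullOrWhiteSpace($Base64)) { return $null }
    [System.Security.Cryptography.X509Certificates.X509Certificate2]::new([Convert]::FromBase64String($Base64))
}

function Format-CertLine {
    param($Cert)
    if ($null -eq $Cert) { return '<none>' }
    "$($Cert.Thumbprint) (expires $($Cert.NotAfter.ToString('yyyy-MM-dd')))"
}

$new = Get-SigningCertInfo -Path $NewCertPath
if ($new.NotAfter -lt (Get-Date).AddDays(30)) {
    throw "Refusing to install a certificate that expires on $($new.NotAfter); export the current one from the IdP."
}

Connect-MgGraph -Scopes 'Domain.ReadWrite.All' -NoWelcome

# A federated domain carries one internalDomainFederation object; its Id is required by the update call.
$fed = Get-MgDomainFederationConfiguration -DomainId $DomainName
if ($null -eq $fed) { throw "$DomainName has no federation configuration (not federated, or no read permission)." }

$current = ConvertFrom-Base64Cert $fed.SigningCertificate
$next    = ConvertFrom-Base64Cert $fed.NextSigningCertificate

"Federation Id     : $($fed.Id)"
"Issuer URI        : $($fed.IssuerUri)"
"Signing cert      : $(Format-CertLine $current)"
"Next signing cert : $(Format-CertLine $next)"
"Cert from IdP     : $(Format-CertLine $new)"

$slot    = if ($StageOnly) { 'NextSigningCertificate' } else { 'SigningCertificate' }
$already = if ($StageOnly) { $next } else { $current }
if ($null -ne $already -and $already.Thumbprint -eq $new.Thumbprint) {
    "Nothing to do: $slot already holds $($new.Thumbprint)."
    return
}
if (-not $Commit) {
    "Dry run: would write $($new.Thumbprint) to $slot. Re-run with -Commit to apply."
    return
}

$params = @{
    DomainId                   = $DomainName
    InternalDomainFederationId = $fed.Id
}
$params[$slot] = $new.Base64Der
Update-MgDomainFederationConfiguration @params

# Read back rather than assume: a silent return is not proof the setting changed.
$after     = Get-MgDomainFederationConfiguration -DomainId $DomainName
$afterCert = ConvertFrom-Base64Cert $after.$slot
if ($null -eq $afterCert -or $afterCert.Thumbprint -ne $new.Thumbprint) {
    throw "Update did not take effect: $slot still reports $(Format-CertLine $afterCert)."
}
"Confirmed: $slot now holds $($afterCert.Thumbprint)."
```

Run it once without -Commit to see which certificate Entra currently trusts and whether it matches what the IdP is now signing with; if the thumbprints already match, the federation settings are not the problem and the next thing to check is the IdP side. Because the poster's IdP had already been switched to the new key, the non-staged path (replace SigningCertificate directly) is the one that restores sign-in; -StageOnly is for the case where you can still roll the IdP over afterwards.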
