In an Office 365 environment, AD FS signs the tokens it issues to Microsoft Azure Active Directory so that they cannot be tampered with in transit.
This signature can be based on SHA-1 or SHA-256. Since Azure Active Directory now supports tokens signed with SHA-256, changing to the new algorithm is strongly recommended to ensure the highest level of security.
If your configuration is still using SHA-1, the Message center in the Office 365 Admin center shows a warning asking you to secure the token-signing algorithm by moving to SHA-256.
There are two ways to change the algorithm type in AD FS:
- via the AD FS console
- using PowerShell
Change the algorithm via AD FS console
Open the AD FS Management console on the primary AD FS server, expand the AD FS node and click Relying Party Trusts. Right-click Microsoft Office 365 Identity Platform and select Properties.
On the Advanced tab, set the Secure hash algorithm field to SHA-256.
Click OK to confirm the change.
Change the algorithm using AD FS PowerShell cmdlets
The same change can be made with PowerShell using the following command:
Set-AdfsRelyingPartyTrust -TargetName 'Microsoft Office 365 Identity Platform' -SignatureAlgorithm 'http://www.w3.org/2001/04/xmldsig-more#rsa-sha256'
No extra configuration is required, and the change does not affect access to Office 365 or other Azure AD applications.
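The script below is an added example and not part of the original post. It puts the PowerShell step into an audit-then-fix routine: it lists every relying party trust still signing with SHA-1 (the URI for SHA-1 is the one AD FS stores in the SignatureAlgorithm property), switches the Office 365 trust to SHA-256 only when the -Apply switch is given, and then reads the setting back to confirm the change. The -Apply switch and the $Office365TrustName parameter are this example's own conventions; the cmdlets, parameters and algorithm URIs are the ones the ADFS module exposes.

```powershell
# Added example (not from the original post): audit AD FS relying party trusts for
# SHA-1 token signing and optionally switch the Office 365 trust to SHA-256.
# Run on the primary AD FS server in an elevated PowerShell session; the ADFS module
# ships with the AD FS role. -Apply and $Office365TrustName are this example's own.
param(
    [string]$Office365TrustName = 'Microsoft Office 365 Identity Platform',
    [switch]$Apply
)

Import-Module ADFS -ErrorAction Stop

# Algorithm URIs exactly as AD FS stores them in the SignatureAlgorithm property.
$Sha1   = 'http://www.w3.org/2000/09/xmldsig#rsa-sha1'
$Sha256 = 'http://www.w3.org/2001/04/xmldsig-more#rsa-sha256'

# 1. Audit: list every relying party trust still signing with SHA-1.
$weak = @(Get-AdfsRelyingPartyTrust | Where-Object { $_.SignatureAlgorithm -eq $Sha1 })
if ($weak.Count -gt 0) {
    Write-Warning ("{0} relying party trust(s) still use SHA-1:" -f $weak.Count)
    $weak | Select-Object Name, Enabled, SignatureAlgorithm | Format-Table -AutoSize
} else {
    Write-Host "No relying party trust uses SHA-1 token signing."
}

# 2. Fix: switch the Office 365 trust to SHA-256, but only when -Apply is given.
$o365 = Get-AdfsRelyingPartyTrust -Name $Office365TrustName
if (-not $o365) {
    throw "Relying party trust '$Office365TrustName' not found."
}

if ($o365.SignatureAlgorithm -eq $Sha256) {
    Write-Host "'$Office365TrustName' already signs with SHA-256; nothing to do."
} elseif ($Apply) {
    Set-AdfsRelyingPartyTrust -TargetName $Office365TrustName -SignatureAlgorithm $Sha256

    # 3. Verify by reading the setting back rather than assuming the call succeeded.
    $after = (Get-AdfsRelyingPartyTrust -Name $Office365TrustName).SignatureAlgorithm
    if ($after -ne $Sha256) {
        throw "Signature algorithm on '$Office365TrustName' is still '$after'."
    }
    Write-Host "'$Office365TrustName' now signs tokens with SHA-256."
} else {
    Write-Host "'$Office365TrustName' uses '$($o365.SignatureAlgorithm)'. Re-run with -Apply to switch to SHA-256."
}
```

Running the script without -Apply is a read-only check you can keep in a scheduled audit; the first section also surfaces any other relying party trust that still signs with SHA-1, which the console procedure above only covers for the Office 365 trust.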