
Office 365 supports the SHA-256 algorithm for token-signing


In an Office 365 environment, AD FS signs the tokens it issues to Microsoft Azure Active Directory so that they cannot be tampered with.

This signature can be based on SHA-1 or SHA-256. Since Azure Active Directory now supports tokens signed with SHA-256, moving to the new algorithm is strongly recommended to ensure the highest level of security.

If your configuration still uses the SHA-1 algorithm, the Office 365 Admin center shows a warning under Message center asking you to secure the token-signing algorithm by switching to SHA-256.


There are two ways to change the algorithm type in AD FS:

  • via the AD FS console
  • using PowerShell


Change the algorithm via AD FS console

Open the AD FS management console on the primary AD FS server, expand the AD FS node and click Relying Party Trusts. Right-click Microsoft Office 365 Identity Platform and select Properties.


Select the Advanced tab and set the Secure hash algorithm field to SHA-256.


Click OK to confirm the change.



Change the algorithm using AD FS PowerShell cmdlets

The same change can be made via PowerShell using the following command:

[Screenshot: the PowerShell command]
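As an added example (not the screenshot from the original post), the following PowerShell first audits which relying party trusts still sign with SHA-1, then updates the Office 365 trust to SHA-256 with Set-AdfsRelyingPartyTrust and verifies the result. It assumes an elevated session on the primary AD FS server; the algorithm URIs are the standard XML-DSig identifiers AD FS uses.

```powershell
# Added example: audit and remediate the token-signing algorithm in AD FS.
# Run in an elevated PowerShell session on the primary AD FS server.
Import-Module ADFS

$rpName = 'Microsoft Office 365 Identity Platform'
$sha1   = 'http://www.w3.org/2000/09/xmldsig#rsa-sha1'
$sha256 = 'http://www.w3.org/2001/04/xmldsig-more#rsa-sha256'

# Audit: list every relying party trust that still signs tokens with SHA-1.
# This goes beyond the single Office 365 trust so nothing else is overlooked.
$weak = Get-AdfsRelyingPartyTrust | Where-Object { $_.SignatureAlgorithm -eq $sha1 }
if ($weak) {
    Write-Warning "Relying party trusts still using SHA-1:"
    $weak | Select-Object Name, SignatureAlgorithm | Format-Table -AutoSize
} else {
    Write-Host "No relying party trust is using SHA-1."
}

# Remediate: switch the Office 365 trust to SHA-256.
# Add -WhatIf to preview the change without applying it.
Set-AdfsRelyingPartyTrust -TargetName $rpName -SignatureAlgorithm $sha256

# Verify: the trust should now report the SHA-256 URI.
$current = (Get-AdfsRelyingPartyTrust -Name $rpName).SignatureAlgorithm
if ($current -eq $sha256) {
    Write-Host "$rpName now signs tokens with SHA-256."
} else {
    Write-Warning "$rpName still reports: $current"
}
```

Because the signing algorithm is a property of each relying party trust, the same Set-AdfsRelyingPartyTrust call can be reused for any other trust the audit flags.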

No extra configuration is required, and the change doesn't affect access to Office 365 or other Azure AD applications.
