Office 365 Service Certificate Overview

When working on an Office 365 project, a question I often get is: ‘What certificates do I need to successfully…’

  • … ensure secured authentication between Office365 and my on-premises users (identity federation)?
  • … establish an Exchange hybrid configuration?
  • … implement Skype for Business?
  • etc.

This article gives an overview of the certificate requirements for the Office 365 hybrid scenarios, one scenario at a time.

Please note: these certificates come on top of the certificates your on-premises deployments already require; they do not replace them.

Hybrid Identity

Certificate: AD FS service communications (SSL) certificate. The token-signing and token-decrypting certificates AD FS generates are self-signed by default and do not need to come from a third-party CA.
CA: Third party
Used for: Proof of identity of the authentication authority (the federation service) towards clients and Office 365
Type: SSL
Usage: Domain validation
Private key exportable: Yes (the same certificate is installed on every AD FS server and on every Web Application Proxy in front of the farm)
Subject: Federation service name
Subject example: sts.office365man.com
Additional: Must be an FQDN; dotless short-name subjects aren’t accepted by AD FS

In an AD multi-forest environment, the only subject you need is the federation service name of the domain hosting the AD FS farm.

Exchange Hybrid

Certificate: Hybrid certificate (at most one hybrid configuration per tenant, so a single AD forest)
CA: Third party
Used for: Proof of identity of the Exchange hybrid server (TLS for mail flow and web services between Exchange Online and on-premises)
Type: SSL (SAN certificate when several names are needed; SAN or wildcard for a single domain)
Usage: Domain validation
Private key exportable: Yes (the certificate must be installed on every hybrid server)
Subject: Hybrid server URL
Subject example: hybrid.office365man.com
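As an added example (not part of the original article), the following PowerShell function checks, from the Exchange Management Shell on the hybrid server, that the certificate the Hybrid Configuration Wizard selected is installed, issued by a third-party CA, enabled for SMTP and IIS, and covers the hybrid host name. The host name hybrid.office365man.com is the article's example and is assumed here; the function only does an exact match on certificate domains, so a wildcard entry is not expanded.

```powershell
# Added example, not from the original article. Run in the Exchange Management Shell
# on an Exchange hybrid server. The hybrid host name is an assumption.
function Test-ExchangeHybridCertificate {
    param([string] $HybridHostName = 'hybrid.office365man.com')   # assumed example name

    # The Hybrid Configuration Wizard stores the chosen certificate as "<I>issuer<S>subject".
    $tlsName = (Get-HybridConfiguration).TlsCertificateName
    if (-not $tlsName) {
        Write-Warning 'No TlsCertificateName set; run the Hybrid Configuration Wizard first'
        return $false
    }
    $null = $tlsName -match '^<I>(?<issuer>.*)<S>(?<subject>.*)$'
    $issuer, $subject = $Matches.issuer, $Matches.subject

    # Find the installed certificate that matches both parts of TlsCertificateName.
    $cert = Get-ExchangeCertificate |
        Where-Object { $_.Subject -eq $subject -and $_.Issuer -eq $issuer } |
        Select-Object -First 1
    if (-not $cert) {
        Write-Warning "Certificate '$subject' from '$issuer' is not installed on this server"
        return $false
    }

    # Exact-match comparison of the certificate's DNS names (wildcards are not expanded).
    $domains = @($cert.CertificateDomains | ForEach-Object { $_.ToString() })

    $checks = [ordered]@{
        'Issued by a third-party CA'           = ($cert.RootCAType -eq 'ThirdParty')
        'Enabled for SMTP (hybrid mail flow)'  = ($cert.Services -match 'SMTP')
        'Enabled for IIS (EWS, free/busy)'     = ($cert.Services -match 'IIS')
        "Covers $HybridHostName"               = ($domains -contains $HybridHostName)
        'Private key is present'               = [bool] $cert.HasPrivateKey
        'Valid for at least 30 more days'      = ($cert.NotAfter -gt (Get-Date).AddDays(30))
    }
    foreach ($c in $checks.GetEnumerator()) {
        Write-Host ('{0,-6} {1}' -f ($(if ($c.Value) { 'PASS' } else { 'FAIL' }), $c.Key))
    }
    return -not ($checks.Values -contains $false)
}

Test-ExchangeHybridCertificate
```

The function returns $true only when every check passes, so it can be dropped into a pre-migration health script; a FAIL on the third-party CA line is the usual cause of TLS failures on the inbound connector from Exchange Online.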

SharePoint Hybrid (Outbound Search)

Certificate: Replace the self-signed SharePoint certificates on each server with the STS certificate
CA: Third party
Used for: Web and application servers
Type: SSL (SAN or wildcard)
Usage: Domain validation
Private key exportable: Yes
Subject: Security Token Service name
Subject example: *.office365man.com (or e.g. spweb.office365man.com)
Additional: Certificate key must be at least 2048 bits

Device Registration Service (Workplace Join)

Certificate: DRS certificate
CA: Third party
Used for: Enabling Workplace Join through AD FS
Type: SSL (SAN or wildcard)
Usage: Domain validation
Private key exportable: Yes
Subject: enterpriseregistration.<UPN suffix>, one entry for each UPN suffix in use
Subject example: enterpriseregistration.office365man.com
Additional: In practice this name is added as a SAN entry to the AD FS service communications certificate rather than issued as a separate certificate
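The Hybrid Identity and Device Registration sections above put the same requirements on one certificate: an FQDN subject that matches the federation service name, a SAN entry per UPN suffix for enterpriseregistration, a third-party issuer, a key of at least 2048 bits (the rule the SharePoint section states) and a private key that is present on every farm member. As an added example (not the article's own procedure), this PowerShell function audits a certificate against those rules. It runs against a constructed self-signed certificate for demonstration, and the commented lines at the end show how to point it at the certificate actually bound to AD FS. The names sts.office365man.com and the UPN suffix office365man.com are assumptions taken from the article's examples.

```powershell
# Added example, not from the original article. Audit an AD FS service communications (SSL)
# certificate against the requirements listed above. Names used below are assumptions.
function Test-AdfsServiceCertificate {
    param(
        [Parameter(Mandatory)]
        [System.Security.Cryptography.X509Certificates.X509Certificate2] $Certificate,
        [Parameter(Mandatory)] [string] $FederationServiceName,   # e.g. sts.office365man.com
        [string[]] $UpnSuffixes = @(),                              # one DRS name per suffix
        [int]      $MinKeyBits  = 2048
    )

    # Collect every DNS name the certificate is valid for: subject CN plus SAN entries.
    $cn = if ($Certificate.Subject -match 'CN=([^,]+)') { $Matches[1].Trim() } else { '' }
    $names = New-Object System.Collections.Generic.List[string]
    if ($cn) { $names.Add($cn) }
    $san = $Certificate.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
    if ($san) {
        # Format($true) renders the SAN on Windows as one "DNS Name=host" entry per line.
        foreach ($line in ($san.Format($true) -split "`r?`n")) {
            if ($line -match 'DNS Name=(\S+)') { $names.Add($Matches[1]) }
        }
    }

    # A wildcard covers exactly one label: *.example.com matches sts.example.com only.
    function Test-NameCovered([string] $fqdn) {
        foreach ($n in $names) {
            if ($n -ieq $fqdn) { return $true }
            if ($n.StartsWith('*.') -and
                $fqdn -imatch ('^[^.]+\.' + [regex]::Escape($n.Substring(2)) + '$')) { return $true }
        }
        return $false
    }

    $rsa = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPublicKey($Certificate)
    $keyBits = if ($rsa) { $rsa.KeySize } else { 0 }   # 0 for non-RSA keys

    $checks = [ordered]@{
        'Subject CN is an FQDN (AD FS rejects dotless names)'      = ($cn -match '\.')
        "Covers federation service name $FederationServiceName"    = (Test-NameCovered $FederationServiceName)
        "RSA key is at least $MinKeyBits bits"                     = ($keyBits -ge $MinKeyBits)
        'Private key is present in this store'                     = [bool] $Certificate.HasPrivateKey
        'Issued by a CA rather than self-signed'                   = ($Certificate.Subject -ne $Certificate.Issuer)
        'Valid for at least 30 more days'                          = ($Certificate.NotAfter -gt (Get-Date).AddDays(30))
    }
    foreach ($suffix in $UpnSuffixes) {
        $checks["Covers Device Registration name enterpriseregistration.$suffix"] =
            (Test-NameCovered "enterpriseregistration.$suffix")
    }

    foreach ($c in $checks.GetEnumerator()) {
        Write-Host ('{0,-6} {1}' -f ($(if ($c.Value) { 'PASS' } else { 'FAIL' }), $c.Key))
    }
    return -not ($checks.Values -contains $false)
}

# Constructed demonstration input: a throw-away self-signed certificate covering the assumed
# federation service name and DRS name. Every check passes except "Issued by a CA".
$demo = New-SelfSignedCertificate -DnsName 'sts.office365man.com', 'enterpriseregistration.office365man.com' `
                                  -CertStoreLocation 'Cert:\CurrentUser\My'
Test-AdfsServiceCertificate -Certificate $demo -FederationServiceName 'sts.office365man.com' `
                            -UpnSuffixes 'office365man.com'
Remove-Item "Cert:\CurrentUser\My\$($demo.Thumbprint)"

# On an AD FS server, audit the certificate actually bound to the federation service instead:
# $props = Get-AdfsProperties
# $hash  = (Get-AdfsSslCertificate | Where-Object HostName -eq $props.HostName | Select-Object -First 1).CertificateHash
# $cert  = Get-Item "Cert:\LocalMachine\My\$hash"
# Test-AdfsServiceCertificate -Certificate $cert -FederationServiceName $props.HostName `
#     -UpnSuffixes ((Get-ADForest).UPNSuffixes + (Get-ADForest).RootDomain)
```

Run the real-farm variant on every AD FS server and Web Application Proxy, since the private key must be present on each of them; the forest root domain is appended to the UPN suffix list because Get-ADForest does not report it as an explicit suffix.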

Office 365 Services that do not require additional certificates

  • Skype for Business hybrid
  • OneDrive for Business hybrid
  • Azure AD Join
  • Azure AD Connect Health