"AD FS Token-Signing certificate found in a token does not match the certificate registered" error after you run the MOSDAL Support Toolkit

Article ID: 2707369


After you run the Microsoft Online Services Diagnostics and Logging (MOSDAL) Support Toolkit, the Active Directory Federation Services (AD FS) diagnostics log shows the following error:
The AD FS Token-Signing certificate found in a token does not match the certificate registered with the Microsoft Office 365 authentication system.
Note: This log is located at Admin_Applications\SSO_Diagnostic_Tests\ADFSDiagnostic.txt.

Additionally, when you sign in to your Microsoft cloud service such as Office 365, Microsoft Azure, or Windows Intune by using a federated account, login.microsoftonline.com may return an "Organization could not sign you in" error.


This issue occurs if the AD FS token-signing certificate is expired because AD FS certificate auto-renew is deactivated.


To fix this issue, update the AD FS token-signing certificate info in the Azure Active Directory (Azure AD) authentication system. To do this, see the "How to update the configuration of the Office 365 federated domain" section of the following Microsoft Knowledge Base article:
2647048 How to update or repair the settings of a federated domain in Office 365, Azure, or Windows Intune
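
The following check is an added example, not part of the original Knowledge Base article. It evaluates the three conditions this article describes (certificate expired, certificate not matching the registered one, auto-renew deactivated). The function name Test-TokenSigningState, the domain contoso.example, and the sample values are hypothetical, and the commented live calls assume the AD FS and MSOnline PowerShell modules are available.

```powershell
# Added example. Test-TokenSigningState and all sample values are hypothetical.
function Test-TokenSigningState {
    param(
        [Parameter(Mandatory)] [string]   $LocalThumbprint,       # AD FS primary token-signing cert
        [Parameter(Mandatory)] [datetime] $LocalNotAfter,         # expiry date of that cert
        [Parameter(Mandatory)] [string]   $RegisteredThumbprint,  # cert registered with Azure AD
        [Parameter(Mandatory)] [bool]     $AutoCertificateRollover,
        [datetime] $Now = (Get-Date),
        [int]      $WarnDays = 30
    )
    $findings = @()
    if ($LocalNotAfter -le $Now) {
        $findings += "EXPIRED: token-signing certificate expired on $($LocalNotAfter.ToString('yyyy-MM-dd'))."
    } elseif ($LocalNotAfter -le $Now.AddDays($WarnDays)) {
        $findings += "EXPIRING: token-signing certificate expires within $WarnDays days."
    }
    # String -ne is case-insensitive, so thumbprint casing does not matter.
    if ($LocalThumbprint.Trim() -ne $RegisteredThumbprint.Trim()) {
        $findings += 'MISMATCH: AD FS certificate differs from the registered one; update the federated domain (KB 2647048).'
    }
    if (-not $AutoCertificateRollover) {
        $findings += 'AUTO-RENEW OFF: AD FS will not renew the token-signing certificate by itself.'
    }
    if ($findings.Count -eq 0) { $findings += 'OK: certificate is valid, registered, and auto-renew is on.' }
    $findings
}

# Constructed sample values (not real thumbprints); prints EXPIRED, MISMATCH and AUTO-RENEW OFF.
Test-TokenSigningState -LocalThumbprint ('A1' * 20) -LocalNotAfter '2014-06-01' `
    -RegisteredThumbprint ('B2' * 20) -AutoCertificateRollover $false -Now '2014-07-09'

# Live values, run on the AD FS server after Connect-MsolService:
# $local = Get-AdfsCertificate -CertificateType Token-Signing | Where-Object { $_.IsPrimary }
# $cloud = Get-MsolFederationProperty -DomainName 'contoso.example' |
#              Where-Object { $_.Source -eq 'Microsoft Office 365' }
# Test-TokenSigningState -LocalThumbprint $local.Thumbprint `
#     -LocalNotAfter $local.Certificate.NotAfter `
#     -RegisteredThumbprint $cloud.TokenSigningCertificate.Thumbprint `
#     -AutoCertificateRollover (Get-AdfsProperties).AutoCertificateRollover
```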


Still need help? Go to the Office 365 Community website or the Azure Active Directory Forums website.


Article ID: 2707369 - Last Review: July 9, 2014 - Revision: 20.0
Applies to
  • Microsoft Azure
  • Microsoft Office 365
  • Windows Intune
  • CRM Online via Office 365 E Plans
  • Microsoft Azure Recovery Services
  • Office 365 Identity Management