ISM-1956, ASD Information Security Manual (ISM)

Regularly Update AD FS Certificates to Prevent Risks

AD FS token-signing and encryption certificates must be changed twice in quick succession if they are compromised, suspected of being compromised, or have not been changed within the past 12 months.


Plain language

It's crucial to regularly update your Active Directory Federation Services (AD FS) certificates. If these certificates are outdated or compromised, hackers could gain access to your systems, leading to data breaches and unauthorised access to sensitive information.

Framework

ASD Information Security Manual (ISM)

Control effect

Preventative

Classifications

NC, OS, P, S, TS

ISM last updated

Nov 2025

Control Stack last updated

19 Mar 2026

E8 maturity levels

N/A

Official control statement

Microsoft AD FS token-signing and encryption certificates are changed twice in quick succession if they are compromised, they are suspected of being compromised or they have not been changed in the past 12 months.

Why it matters

Delayed AD FS certificate updates increase the risk of token forgery and unauthorised access if token-signing or encryption certificates are compromised or stale.


Operational notes

Rotate AD FS token-signing and encryption certificates at least every 12 months. If compromise is suspected, perform two rapid successive certificate changes and update relying parties.
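As an added example (not from the ISM or this page), the PowerShell below reports whether the primary AD FS token-signing and token-decrypting certificates are older than 12 months and performs the two rapid successive changes the control requires. It assumes it runs on an AD FS server with the ADFS module available, and it treats the primary certificate's NotBefore date as the date it was last changed, which is an assumption to adjust if your process records change dates elsewhere.

```powershell
# Added example, not code from the ISM or the Control Stack page.
# Assumption: NotBefore of the primary certificate approximates its last change date.
Import-Module ADFS

function Get-StaleAdfsCertificate {
    param([int]$MaxAgeDays = 365)   # ISM-1956: changed within the past 12 months
    $now = Get-Date
    foreach ($type in 'Token-Signing', 'Token-Decrypting') {
        $primary = Get-AdfsCertificate -CertificateType $type | Where-Object { $_.IsPrimary }
        $ageDays = ($now - $primary.Certificate.NotBefore).Days
        [pscustomobject]@{
            CertificateType = $type
            Thumbprint      = $primary.Thumbprint
            NotBefore       = $primary.Certificate.NotBefore
            AgeDays         = $ageDays
            Stale           = ($ageDays -gt $MaxAgeDays)
        }
    }
}

# Emergency rotation for a compromised or suspected-compromised certificate.
# With automatic certificate rollover enabled, -Urgent generates a new
# certificate and promotes it to primary immediately instead of after the
# normal grace period. Running it twice retires the compromised certificate
# completely: after the first run it is only the secondary, after the second
# it is no longer present in AD FS at all.
function Invoke-AdfsEmergencyRotation {
    param(
        [Parameter(Mandatory)]
        [ValidateSet('Token-Signing', 'Token-Decrypting')]
        [string]$CertificateType
    )
    if (-not (Get-AdfsProperties).AutoCertificateRollover) {
        throw 'AutoCertificateRollover is disabled; install a new certificate with ' +
              'Add-AdfsCertificate and promote it with Set-AdfsCertificate -IsPrimary instead.'
    }
    1..2 | ForEach-Object {
        Update-AdfsCertificate -CertificateType $CertificateType -Urgent
        Write-Verbose "Rotation $_ of 2 complete for $CertificateType"
    }
    # Relying parties must pick up the new federation metadata (or be given the
    # new public key) before tokens signed with the new certificate are accepted.
    Get-AdfsCertificate -CertificateType $CertificateType
}

# Scheduled check: list both certificate types with their age and a Stale flag.
Get-StaleAdfsCertificate | Format-Table -AutoSize
# Incident use: Invoke-AdfsEmergencyRotation -CertificateType 'Token-Signing' -Verbose
```

Service-communications certificates are not covered by this control and are left out of the check; the relying-party update step is deliberately manual because it depends on how each partner consumes federation metadata.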


Implementation tips

  • The IT team should designate a staff member to oversee the health and update schedule of AD FS certificates. They can use a calendar or reminder tool to ensure certificates are checked every few months, so updates happen at least annually.
  • Managers should create a policy for everyone involved to follow in case a certificate is suspected of being compromised. This should include immediate notification to the IT team and escalation to management for swift response.
  • System administrators must replace compromised or outdated certificates quickly. They should follow a standard procedure that involves backing up the current settings, installing new certificates, and verifying successful implementation through tests.
  • The IT lead should regularly train their team on recognising signs of certificate issues. This could include understanding warning messages or abnormal behaviour in system access logs that might suggest a certificate problem.
  • Technology supervisors should conduct a quarterly review meeting to go over the status of all organisation certificates. They should discuss any changes needed and assign tasks for those updates to ensure no lapse in security.

Audit / evidence tips

  • Ask: The certificate management policy document. Ensure it outlines procedures for updating and handling compromised certificates. Good: A comprehensive, clear policy document with distinct roles and schedules for review and updates.
  • Ask: Training records or transcripts.
  • Ask: To see the IT department's reminder system. Good: A detailed schedule showing reminders set frequently throughout the year.
  • Good: Includes clear documentation of incidents and swift action taken to secure systems.

Cross-framework mappings

How ISM-1956 relates to controls across ISO/IEC 27001, ISO/IEC 42001, Essential Eight, and ASD ISM.

ISO 27001

Control / Notes

Partially meets (1)
  • Annex A 8.9: ISM-1956 requires Microsoft AD FS token-signing and encryption certificates to be rotated twice in quick succession when compromised or s...

Partially overlaps (1)
  • Annex A 5.26: ISM-1956 necessitates rotating AD FS token-signing and encryption certificates twice in quick succession when compromise is suspected or ...

Supports (2)
  • Annex A 5.36: ISM-1956 requires organisations to maintain a recurring AD FS certificate change practice (at least annually) and an accelerated double-r...
  • Annex A 8.8: ISM-1956 mandates scheduled and event-driven rotation of AD FS token-signing and encryption certificates to mitigate compromised federati...

These mappings show relationships between controls across frameworks. They do not imply full equivalence or certification.
