Recently I got this error, AADSTS50008: SAML token is invalid, when signing in to Office 365.
When I logged in to the AD FS Management console I realised that the token-signing certificate had been renewed and the old certificate had been demoted to the secondary certificate.
Various blog posts stated that I should run
Update-MsolFederatedDomain -DomainName feddomain.com
or
Update-MsolFederatedDomain -SupportMultipleDomain -DomainName feddomain.com
I ran the first one because I hadn't found the latter (and I was aware that it was a multiple-domain environment), and suddenly the Office 365 sign-in tried to reach an old, turned-off federation server. (It might have been this first command that made this happen.)
I figured out how to fix this by running
Set-MsolDomainFederationSettings -DomainName feddomain.com -FederationBrandName "FedDomain Federation Service" -LogOffUri https://fed.feddomain.com/adfs/ls/ -PassiveLogOnUri https://fed.feddomain.com/adfs/ls/ -ActiveLogOnUri https://fed.feddomain.com/adfs/services/trust/2005/usernamemixed -IssuerUri http://fed.feddomain.com/adfs/services/trust/ -MetadataExchangeUri https://fed.feddomain.com/adfs/services/trust/mex
but still no luck. Users couldn't sign in.
I then tried to run
Update-MsolFederatedDomain -SupportMultipleDomain -DomainName feddomain.com
Others also posted that it could be due to time-sync errors and suggested running w32tm /syncnow. Neither helped, and I was about to start all over when I suddenly found the right solution.
I had to run a small PowerShell command before Update-MsolFederatedDomain:
Set-MsolADFSContext -Computer fed
Replace fed with the NetBIOS name of your primary AD FS server.
After that I could use this:
Update-MsolFederatedDomain -SupportMultipleDomain -DomainName feddomain.com
and the certificate was updated in Office 365.
And the command to verify the setup:
Get-MsolFederationProperty -DomainName feddomain.com
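The whole working sequence from above, put together as one script with a check at the end. This is an added example and not code from the original post; it assumes the MSOnline module is installed, the account used has tenant admin rights, and it reuses the post's placeholder names (primary AD FS server "fed", federated domain "feddomain.com"), which you replace with your own. The final Invoke-Command uses Get-AdfsCertificate, which exists on AD FS 2012 R2 and later (on AD FS 2.0 the cmdlet is Get-ADFSCertificate).

```powershell
# Added example (not the post's own code): re-sync the AD FS token-signing
# certificate to Office 365 after a certificate rollover, then verify that
# both sides agree on the certificate.
# Assumptions: MSOnline module installed, tenant admin credentials available,
# AD FS server NetBIOS name "fed" and domain "feddomain.com" are placeholders.

$AdfsServer = 'fed'
$Domain     = 'feddomain.com'

# Authenticate the MSOnline cmdlets against the tenant (prompts for credentials).
Connect-MsolService

# Point the MSOnline cmdlets at the primary AD FS server. Without this context
# Update-MsolFederatedDomain cannot read the new token-signing certificate.
Set-MsolADFSContext -Computer $AdfsServer

# Push the current token-signing certificate and endpoints from AD FS to the tenant.
Update-MsolFederatedDomain -DomainName $Domain -SupportMultipleDomain

# Verify: Get-MsolFederationProperty returns one entry for the AD FS side and one
# for the Office 365 side. After a successful update their token-signing
# certificates must match.
$props = Get-MsolFederationProperty -DomainName $Domain
$props | Format-List Source, IssuerUri, PassiveLogOnUri, TokenSigningCertificate

$thumbs = $props |
    ForEach-Object { $_.TokenSigningCertificate.Thumbprint } |
    Sort-Object -Unique

if ($thumbs.Count -eq 1) {
    Write-Host "OK: AD FS and Office 365 agree on token-signing certificate $thumbs"
} else {
    Write-Warning ("Mismatch: AD FS and Office 365 report different token-signing " +
                   "certificates: $($thumbs -join ', ') - sign-ins will fail with AADSTS50008 " +
                   "until Update-MsolFederatedDomain succeeds")
}

# Optional: show which certificate AD FS itself considers primary. After a
# rollover you expect the new certificate as IsPrimary=True and the old one
# as secondary, and the primary thumbprint should equal $thumbs.
Invoke-Command -ComputerName $AdfsServer -ScriptBlock {
    Get-AdfsCertificate -CertificateType Token-Signing |
        Select-Object IsPrimary, Thumbprint, @{ n = 'NotAfter'; e = { $_.Certificate.NotAfter } }
}
```

Run it from an admin workstation that can reach both the tenant and the AD FS server by name; if the mismatch warning appears, the Set-MsolADFSContext step is the usual culprit (wrong server, or a decommissioned server still referenced in the federation settings).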