HOW TO: Renew the certificate used by the Azure Back Sync in the Active Roles Synchronization Service (4379660)

The Azure Back Sync in the Active Roles Synchronization Service automatically creates a certificate which will expire in two years. After two years have passed, how is it possible to create and use a new certificate?

Currently, replacing the certificate used by the Azure Back Sync is a manual process.

1. On the Active Roles Synchronization Service host, as a local administrator, run the below PowerShell script in an elevated PowerShell session:

$params = @{
    Type = 'Custom'
    Subject = 'CN=ActiveRoles_AutocreatedAzureBackSyncApp_V2'
    FriendlyName = 'ActiveRoles_AutocreatedAzureBackSyncApp_V2_key'
    KeyUsage = 'DigitalSignature'
    KeyAlgorithm = 'RSA'
    KeyLength = 2048
    CertStoreLocation = 'Cert:\LocalMachine\My'
    NotAfter = (Get-Date).AddYears(2)
}
New-SelfSignedCertificate @params

2. Note the certificate Thumbprint that is generated here, it will be needed later.
3. On the Active Roles Synchronization Service host, run mmc.exe
4. Select File | Add/Remove Snap-in... | Certificates | Computer account then expand Personal | Certificates
5. Find the newly created certificate (the expiration date will be two years from today's date). Right-click and choose All Tasks | Export and then export to a .cer file.
6. Log into the Azure/Entra ID portal as a Global Administrator or Application Administrator
7. Under App Registrations, find the application named ActiveRoles_AutocreatedAzureBackSyncApp_V2
8. Expand Manage | Certificate and secrets
9. Upload the .cer file created in Step 4 above to the application
10. Restart the Active Roles Synchronization Service
11. Open the Active Roles Synchronization Service Console. Under Connections, find the AutoCreated_AzureADConnectorForBackSyncWorkFlow Connector and select Connection Settings
12. Update the Certificate thumbprint with the thumbprint value noted in Step 2 above.
13. Save and test the Azure Back Sync.