With Seamless Single Sign-On (Seamless SSO), users can leverage the same credentials for both on-premises and cloud-based services. Repeated authentication prompts between these environments are eliminated, as authentication data is automatically exchanged between Active Directory and Microsoft Entra.
As part of the Seamless SSO configuration, a computer account named AZUREADSSOACC is created in the on-premises Active Directory. For security reasons, Microsoft recommends rotating the associated Kerberos decryption key every 30 days.
This guide provides a step-by-step explanation of how to manually rotate the Kerberos decryption key used for Seamless SSO.
The automatic rollover of the Kerberos decryption key is described in a separate post: Microsoft Entra ID: Automatically roll over Kerberos decryption key – cloudcoffee.ch
Prerequisites and Licensing
Licenses
Seamless SSO requires no paid license. Microsoft Entra ID Free, which is included with every Microsoft tenant, is sufficient.
Windows PowerShell
To run the AzureADSSO PowerShell module, Windows PowerShell 5.x is required.
Roles according to the principle of least privilege
The rollover of the Kerberos decryption key can be performed in accordance with the principle of least privilege using the following roles.
Microsoft Entra
| Role | Permission |
| --- | --- |
| Hybrid Identity Administrator | Manage Microsoft Entra Connect, Seamless Single Sign-On, and hybrid identity features |
On-Premises Active Directory
In the on-premises Active Directory, write access to the computer account AZUREADSSOACC is required. No built-in security group grants exactly this set of permissions.
From a least-privilege standpoint, it is therefore recommended to delegate the permissions directly on that computer account. The required access rights are:
- Write account restrictions
- Write msDS-KeyVersionNumber
Alternatively, a user who is a member of the Domain Admins group can be used. However, this approach grants significantly broader privileges and should only be considered if fine-grained delegation is not feasible.
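The following script is an added example (it is not part of the original post) that delegates the two rights listed above on the AZUREADSSOACC object to a dedicated group, so that Domain Admins are not needed for the rollover. The group name is an assumption; the RSAT ActiveDirectory module must be installed, and the script must run as an account that may modify the ACL of AZUREADSSOACC. The GUIDs of the "Account Restrictions" property set and of the msDS-KeyVersionNumber attribute are looked up in the forest at runtime rather than hard-coded. Confirm in a test environment that an account with only these rights can complete Update-AzureADSSOForest before relying on the delegation in production.

```powershell
# Added example, not from the original post: delegate "Write account restrictions" and
# "Write msDS-KeyVersionNumber" on AZUREADSSOACC to a dedicated group.
# Assumptions: RSAT ActiveDirectory module installed; the caller may change the ACL of
# AZUREADSSOACC; the group name below is hypothetical and must already exist.
Import-Module ActiveDirectory

$GroupName = 'SSO-KeyRollover-Operators'   # hypothetical group name

$Computer = Get-ADComputer -Identity 'AZUREADSSOACC'
$Group    = Get-ADGroup    -Identity $GroupName
$RootDse  = Get-ADRootDSE

# Resolve the object GUIDs from the forest instead of hard-coding them:
# "Account Restrictions" is a property set (controlAccessRight) in the Extended-Rights
# container; msDS-KeyVersionNumber is an attribute in the schema.
$AccountRestrictions = Get-ADObject -SearchBase $RootDse.configurationNamingContext `
    -LDAPFilter '(&(objectClass=controlAccessRight)(displayName=Account Restrictions))' `
    -Properties rightsGuid
$KvnoAttribute = Get-ADObject -SearchBase $RootDse.schemaNamingContext `
    -LDAPFilter '(&(objectClass=attributeSchema)(lDAPDisplayName=msDS-KeyVersionNumber))' `
    -Properties schemaIDGUID

if (-not $AccountRestrictions -or -not $KvnoAttribute) {
    throw 'Could not resolve the Account Restrictions property set or the msDS-KeyVersionNumber GUID.'
}

$AccountRestrictionsGuid = [guid]$AccountRestrictions.rightsGuid   # stored as a string
$KvnoGuid                = [guid]$KvnoAttribute.schemaIDGUID       # stored as byte[]

$Identity = [System.Security.Principal.SecurityIdentifier]$Group.SID
$Path     = "AD:\$($Computer.DistinguishedName)"
$Acl      = Get-Acl -Path $Path

# One object-specific WriteProperty ACE per right, Allow, on this object only.
foreach ($ObjectType in @($AccountRestrictionsGuid, $KvnoGuid)) {
    $Rule = New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
        $Identity,
        [System.DirectoryServices.ActiveDirectoryRights]::WriteProperty,
        [System.Security.AccessControl.AccessControlType]::Allow,
        $ObjectType)
    $Acl.AddAccessRule($Rule)
}
Set-Acl -Path $Path -AclObject $Acl

# Verify: exactly the two WriteProperty ACEs for the group should be listed.
(Get-Acl -Path $Path).Access |
    Where-Object { $_.IdentityReference -like "*\$GroupName" } |
    Select-Object IdentityReference, ActiveDirectoryRights, AccessControlType, ObjectType
```

The ACEs are scoped to the AZUREADSSOACC object itself (no inheritance), so membership in the group grants nothing on other computer accounts. The user performing the rollover then runs Update-AzureADSSOForest with the credentials of a member of that group instead of a Domain Admin.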
Initial Situation
For security reasons, Microsoft recommends rolling over the Kerberos key of the computer account AZUREADSSOACC every 30 days. When a rollover is due, the Microsoft Entra admin center (https://entra.microsoft.com) displays a warning under Identity > Hybrid management > Microsoft Entra Connect > Connect Sync > Seamless single sign-on.
Perform Kerberos Key Rollover with PowerShell
Before performing the Kerberos key rollover, PowerShell can be used to check the current status of the configuration, in particular that no errors are reported.
In Windows PowerShell, run the following script as an administrator and, when prompted, sign in with an account that holds the Hybrid Identity Administrator role (a Global Administrator also works).
```powershell
cd "$env:programfiles\Microsoft Azure Active Directory Connect"
Import-Module .\AzureADSSO.psd1
New-AzureADSSOAuthenticationContext
Get-AzureADSSOStatus | ConvertFrom-Json
```

When the status shows no errors, the Kerberos decryption key rollover can be performed with the following PowerShell script.
When prompted for credentials, supply an on-premises Active Directory account with the rights described under Prerequisites (a delegated account, or a member of Domain Admins). Enter the user name in Domain\username (down-level logon name) format.
```powershell
$creds = Get-Credential
Update-AzureADSSOForest -OnPremCredentials $creds
```

Check Kerberos rollover
A successful rollover of the Kerberos decryption key is verified as follows:
Check PasswordLastSet
The PasswordLastSet attribute of the "AZUREADSSOACC" computer account must show the time at which the rollover took place.
```powershell
Get-ADComputer AZUREADSSOACC -Properties PasswordLastSet | Format-List Name, PasswordLastSet
```

Event viewer
In the Event Viewer of the domain controller, the following two entries appear in the Security log:
- Event ID 4724: An attempt was made to reset an account's password (target account AZUREADSSOACC$)
- Event ID 4742: A computer account was changed
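The following script is an added example (not code from the original post) that combines the checks above into one verification run: it reads PasswordLastSet and the key version number of AZUREADSSOACC, warns when the key is older than the 30-day interval, and pulls only the 4724/4742 events for this account from the domain controller's Security log. The domain controller name is an assumption; the RSAT ActiveDirectory module must be installed and the caller must be allowed to read the Security log.

```powershell
# Added example, not from the original post: verify the rollover and warn when the
# AZUREADSSOACC key is older than the 30-day interval Microsoft recommends.
# Assumptions: RSAT ActiveDirectory module installed; the caller may read the DC's
# Security log; the domain controller name below is hypothetical.
Import-Module ActiveDirectory

$DomainController = 'dc01.corp.example'   # hypothetical DC name
$MaxKeyAgeDays    = 30

$Account = Get-ADComputer -Identity 'AZUREADSSOACC' -Server $DomainController `
    -Properties PasswordLastSet, 'msDS-KeyVersionNumber'

# 1. Key age: PasswordLastSet is the time of the last rollover. msDS-KeyVersionNumber
#    (the Kerberos KVNO) increments with each password reset, so report it as well.
$KeyAge = (Get-Date) - $Account.PasswordLastSet
if ($KeyAge.TotalDays -gt $MaxKeyAgeDays) {
    Write-Warning ('Key is {0:N0} days old (last set {1:u}, KVNO {2}); rollover is due.' -f
        $KeyAge.TotalDays, $Account.PasswordLastSet, $Account.'msDS-KeyVersionNumber')
} else {
    Write-Host ('Key age OK: {0:N0} days (last set {1:u}, KVNO {2}).' -f
        $KeyAge.TotalDays, $Account.PasswordLastSet, $Account.'msDS-KeyVersionNumber')
}

# 2. Audit trail: the two Security events expected after a rollover, filtered to this
#    account with an XPath query so the whole log is not pulled across the network.
$XPath = "*[System[(EventID=4724 or EventID=4742)] and " +
         "EventData[Data[@Name='TargetUserName']='AZUREADSSOACC`$']]"

$Events = Get-WinEvent -ComputerName $DomainController -LogName Security `
    -FilterXPath $XPath -MaxEvents 20 -ErrorAction SilentlyContinue

if (-not $Events) {
    Write-Warning 'No 4724/4742 events found for AZUREADSSOACC$ (check that Account Management auditing is enabled).'
}

$Events | ForEach-Object {
    # EventData field order differs between 4724 and 4742, so read the fields by name.
    $Data = @{}
    ([xml]$_.ToXml()).Event.EventData.Data | ForEach-Object { $Data[$_.Name] = $_.'#text' }
    $Action = if ($_.Id -eq 4724) { 'Password reset' } else { 'Computer account changed' }
    [pscustomobject]@{
        TimeCreated = $_.TimeCreated
        EventId     = $_.Id
        Action      = $Action
        Subject     = "$($Data['SubjectDomainName'])\$($Data['SubjectUserName'])"
        Target      = $Data['TargetUserName']
    }
} | Sort-Object TimeCreated -Descending | Format-Table -AutoSize
```

The Subject column shows which account performed the reset; after a rollover it should be the delegated account (or the Domain Admin) used with Update-AzureADSSOForest, and a 4724 for AZUREADSSOACC$ from any other subject deserves a closer look, since whoever resets this password can decrypt the Seamless SSO Kerberos tickets.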

Microsoft Entra Admin Center
After the rollover, the Microsoft Entra admin center (https://entra.microsoft.com) no longer displays the warning under Identity > Hybrid management > Microsoft Entra Connect > Connect Sync > Seamless single sign-on.

The status and the timestamp of the Kerberos decryption key rollover are updated in the Microsoft Entra admin center.
