Users can use the same credentials for on-premises and cloud-based services with Seamless SSO. There is no need for recurring prompts to enter credentials between services. The necessary data are automatically synced between Active Directory and Azure Active Directory.
When configuring Seamless SSO, the computer account “AZUREADSSOACC” is created. For security reasons, the Kerberos encryption key for this account should be rolled over every 30 days.
This tutorial describes how to manually roll over the Kerberos decryption key every 30 days.