Today we have a quick post from the field about Seamless SSO key rollover.

Microsoft's recommendation is to roll over the Pass-through Authentication Kerberos key every 30 days. If this is not done, the Azure AD portal will flag it. In the near future you won't need to run any PowerShell or scripting at all; according to Microsoft UserVoice, "We are currently working on an approach that will allow Tenant Admins to do key rollover from the Azure AD portal; without the need for PowerShell or scripting".

The Case

When using Seamless SSO, the Kerberos decryption key needs to be re-enrolled periodically for security purposes. At the latest, when the portal shows the following warning it's time to act.

Roll Over

Navigate to the Azure AD Connect folder, import the module and run the New-AzureADSSOAuthenticationContext cmdlet.

Before changing anything, it is a good idea to confirm the current status.

Execute the following commands:

# Prompt for on-premises Domain Admin credentials (enter them as domain\username)
$creds = Get-Credential
# Roll over the Kerberos decryption key (the password of the AZUREADSSOACC computer account)
Update-AzureADSSOForest -OnPremCredentials $creds
# Confirm the rollover by reading the current Seamless SSO status
Get-AzureADSSOStatus | ConvertFrom-Json

Verify Changes

Open the Security log of the Domain Controller in Event Viewer; the change should have produced the following events:

  • Event 4724 – an attempt was made to reset an account's password
  • Event 4742 – confirmation that the computer account password was changed
  • Finally, verify the status from the Azure AD portal
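As an added example (not part of the original post), here is a PowerShell check to run on a Domain Controller after the rollover: it derives the key age from the AZUREADSSOACC computer account's password and looks for events 4724 and 4742 for that account in the Security log. The account name, the ActiveDirectory module and the 30-day/24-hour thresholds are assumptions; the events only exist if account management auditing is enabled on the DC.

```powershell
# Added example, not from the original post. Run on a Domain Controller.
# Assumes the Seamless SSO computer account is named AZUREADSSOACC (the default)
# and that the ActiveDirectory module is available.
param(
    [int]$MaxKeyAgeDays = 30,   # rollover guidance quoted in the post
    [int]$LookBackHours = 24    # how far back to search the Security log
)

Import-Module ActiveDirectory

# 1. Key age: the Kerberos decryption key is the AZUREADSSOACC computer account
#    password, so PasswordLastSet on that account is the last rollover time.
$ssoAccount = Get-ADComputer -Identity 'AZUREADSSOACC' -Properties PasswordLastSet
$keyAgeDays = (New-TimeSpan -Start $ssoAccount.PasswordLastSet -End (Get-Date)).Days
if ($keyAgeDays -gt $MaxKeyAgeDays) {
    Write-Warning "Seamless SSO key is $keyAgeDays days old (limit $MaxKeyAgeDays); roll it over."
} else {
    Write-Host "Seamless SSO key age: $keyAgeDays days (last set $($ssoAccount.PasswordLastSet))."
}

# 2. Audit trail: 4724 (password reset attempt) and 4742 (computer account changed)
#    for AZUREADSSOACC$ are the evidence that the rollover happened on this DC.
$events = Get-WinEvent -FilterHashtable @{
    LogName   = 'Security'
    Id        = 4724, 4742
    StartTime = (Get-Date).AddHours(-$LookBackHours)
} -ErrorAction SilentlyContinue |
    Where-Object { $_.Message -match 'AZUREADSSOACC\$' }

foreach ($id in 4724, 4742) {
    $hit = $events | Where-Object Id -eq $id |
        Sort-Object TimeCreated -Descending | Select-Object -First 1
    if ($hit) {
        Write-Host ("Event {0} for AZUREADSSOACC`$ found at {1}" -f $id, $hit.TimeCreated)
    } else {
        Write-Warning "Event $id for AZUREADSSOACC`$ not found in the last $LookBackHours hours."
    }
}
```

Run it on the DC that handled the reset, since 4724 and 4742 are logged where the password change was processed, not on every DC.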

More information at this link:

How can I enroll Kerberos decryption key

Hope this helps!