Today we have a quick post from the field about Seamless SSO key rollover.
Microsoft's recommendation is to roll over the Pass-through Authentication Kerberos key every 30 days. If this is not done, the Azure AD portal will flag it. In the near future you will not need to run any PowerShell or scripting; quoting Microsoft User Voice: “We are currently working on an approach that will allow Tenant Admins to do key rollover from the Azure AD portal; without the need for PowerShell or scripting”
When using Seamless SSO, the Kerberos decryption keys need to be rolled over periodically for security purposes. At the latest, when the portal shows the following warning, it is time to act.
Navigate to the Azure AD Connect folder, import the module and run the New-AzureADSSOAuthenticationContext cmdlet.
Before changing anything, it is a good idea to confirm the current status.
Execute the following commands (status check first, then the rollover; the cmdlets come from the AzureADSSO module imported in the previous step):
# Confirm the current Seamless SSO status before changing anything
Get-AzureADSSOStatus | ConvertFrom-Json
# Prompt for on-premises Domain Administrator credentials, then roll over the Kerberos decryption key for the forest
$creds = Get-Credential
Update-AzureADSSOForest -OnPremCredentials $creds
Open the Security log on the Domain Controller in Event Viewer; the change should produce the following events:
- Event 4724 – an attempt was made to reset the account's password
- Event 4742 – confirmation that the computer account was changed (password changed)
- Finally, verify the status from the Azure AD portal
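The two checks below are an added example, not part of the original post: the first reports whether the Seamless SSO key is older than the 30-day interval the post cites, the second confirms that the Domain Controller Security log recorded the 4724/4742 pair for the account after the rollover. It assumes Domain Admin rights on a machine with the ActiveDirectory (RSAT) module, and that the account is the default AZUREADSSOACC computer account Seamless SSO creates (the post does not name it); the function names, $DomainController and $LookbackHours are this example's own choices.

```powershell
# Added example (not from the original post). Two checks around the rollover described above:
# (1) is the Seamless SSO Kerberos decryption key older than the 30-day interval the post cites,
# (2) did the Domain Controller Security log record the 4724/4742 pair for the change.
# Assumptions: Domain Admin rights, ActiveDirectory (RSAT) module available, and AZUREADSSOACC
# being the default computer account Seamless SSO creates (the post itself does not name it).

function Test-SsoKeyRolloverDue {
    param(
        [string]$AccountName = 'AZUREADSSOACC',
        [int]$MaxAgeDays = 30
    )
    Import-Module ActiveDirectory -ErrorAction Stop
    $acct = Get-ADComputer -Identity $AccountName -Properties PasswordLastSet
    $age  = (Get-Date) - $acct.PasswordLastSet
    [pscustomobject]@{
        Account         = $acct.SamAccountName
        PasswordLastSet = $acct.PasswordLastSet
        AgeDays         = [math]::Floor($age.TotalDays)
        RolloverDue     = ($age.TotalDays -ge $MaxAgeDays)
    }
}

function Get-SsoKeyRolloverEvents {
    param(
        [string]$DomainController = $env:COMPUTERNAME,
        [string]$AccountName = 'AZUREADSSOACC$',   # sAMAccountName as it appears in the event data
        [int]$LookbackHours = 24
    )
    $filter = @{
        LogName   = 'Security'
        Id        = 4724, 4742
        StartTime = (Get-Date).AddHours(-$LookbackHours)
    }
    Get-WinEvent -ComputerName $DomainController -FilterHashtable $filter -ErrorAction SilentlyContinue |
        ForEach-Object {
            # Read the named EventData fields from the event XML rather than positional
            # Properties, whose order differs between 4724 and 4742.
            $data = @{}
            foreach ($d in ([xml]$_.ToXml()).Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
            [pscustomobject]@{
                Time    = $_.TimeCreated
                EventId = $_.Id
                Target  = $data['TargetUserName']
                Subject = $data['SubjectUserName']
                DC      = $_.MachineName
            }
        } |
        Where-Object { $_.Target -eq $AccountName } |
        Sort-Object Time
}

# 1) Is a rollover due?
Test-SsoKeyRolloverDue | Format-List

# 2) After Update-AzureADSSOForest, confirm the DC logged both events for the account.
$events = Get-SsoKeyRolloverEvents
$events | Format-Table -AutoSize
$seen = @($events | Select-Object -ExpandProperty EventId -Unique)
if (($seen -contains 4724) -and ($seen -contains 4742)) {
    'Rollover recorded: 4724 (password reset) and 4742 (computer account changed) are both present.'
} else {
    "Expected events not found (seen: $($seen -join ', ')). Check the audit policy and the lookback window."
}
```

Events 4724 and 4742 only appear if the "Audit User Account Management" and "Audit Computer Account Management" subcategories are enabled on the Domain Controllers, so an empty result is as likely to mean a policy gap as a failed rollover. The same query is also worth running outside a planned rollover window: a 4724 against this account that nobody scheduled deserves investigation, since that password is the key material Azure AD trusts for Seamless SSO.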
More information is available at this link.
Hope this helps!