As all Azure admins know, we need to roll over the Kerberos decryption key for the Azure AD Seamless SSO computer account.
This is a quick post on how to do that.
Make sure you already have Azure AD PowerShell installed; if not, follow this process from MS – https://docs.microsoft.com/en-us/powershell/azure/active-directory/overview
- Navigate to the “\Microsoft Azure Active Directory Connect” folder
cd $env:programfiles"\Microsoft Azure Active Directory Connect"
- Import the Seamless SSO PowerShell module using this command:
Import-Module .\AzureADSSO.psd1
- Run PowerShell as an Administrator and call the following command. It should give you a popup asking for your tenant’s Global Administrator or Hybrid Identity Administrator credentials:
New-AzureADSSOAuthenticationContext
- Call the following command. It returns the list of AD forests (look at the “Domains” list) on which this feature has been enabled:
Get-AzureADSSOStatus | ConvertFrom-Json
You should get a similar output:
- Call the following command and, when prompted, enter the Domain Administrator credentials for the intended AD forest:
$creds = Get-Credential
- Lastly, run the following command. It updates the Kerberos decryption key for the Azure AD SSO computer account in this specific AD forest and pushes the new key to Azure AD:
Update-AzureADSSOForest -OnPremCredentials $creds
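The steps above combined into one script, as an added example that is not code from the original post: it loops over every forest listed by Get-AzureADSSOStatus and, after each rollover, checks that PasswordLastSet on the SSO computer account actually advanced, which is the on-prem evidence that the key in AD and the key in Azure AD were replaced together. It assumes Azure AD Connect is installed at the default path, the RSAT ActiveDirectory module is available, the computer account has its default name AZUREADSSOACC, and the status JSON carries SsoEnabled and Domains fields (only Domains is shown in the post).

```powershell
# Added example, not part of the original post. Rolls the Seamless SSO Kerberos
# decryption key for every enabled forest and verifies each rollover on-prem.
# Assumptions: default Azure AD Connect path, RSAT ActiveDirectory module present,
# default computer account name AZUREADSSOACC, status JSON has SsoEnabled/Domains.
#Requires -RunAsAdministrator
$ErrorActionPreference = 'Stop'

Set-Location (Join-Path $env:ProgramFiles 'Microsoft Azure Active Directory Connect')
Import-Module .\AzureADSSO.psd1
Import-Module ActiveDirectory

# Prompts for Global Administrator / Hybrid Identity Administrator credentials
New-AzureADSSOAuthenticationContext

$status = Get-AzureADSSOStatus | ConvertFrom-Json
if (-not $status.SsoEnabled) {
    throw 'Seamless SSO is not enabled on this tenant; nothing to roll over.'
}

foreach ($domain in $status.Domains) {
    Write-Host "Rolling Kerberos decryption key for forest: $domain"

    # Domain Administrator credentials for this specific forest
    $creds = Get-Credential -Message "Domain Administrator credentials for $domain"

    # Record when the SSO computer account's password was last set before the rollover
    $before = (Get-ADComputer -Identity 'AZUREADSSOACC' -Server $domain -Credential $creds `
        -Properties PasswordLastSet).PasswordLastSet

    # Rotates the key in AD for this forest and updates it in Azure AD
    Update-AzureADSSOForest -OnPremCredentials $creds

    # Verification: PasswordLastSet must have advanced. If it did not, the key in Azure AD
    # and on-prem may be out of step and Seamless SSO sign-ins will start failing.
    $after = (Get-ADComputer -Identity 'AZUREADSSOACC' -Server $domain -Credential $creds `
        -Properties PasswordLastSet).PasswordLastSet
    if ($null -eq $after -or $after -le $before) {
        Write-Warning "PasswordLastSet for AZUREADSSOACC in $domain did not advance (before: $before, after: $after); investigate before relying on SSO."
    } else {
        Write-Host "OK: AZUREADSSOACC in $domain rotated at $after"
    }
}
```

Keep the script's output with your change record: a PasswordLastSet that did not move is the first thing to look at when users report SSO prompts after a rollover.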