How can we improve Azure Active Directory?

← Azure Active Directory

Automate Seamless SSO Kerberos decryption key rollover AZUREADSSOACC

Currently to automate the Kerberos SSO decryption key rollover for AZUREADSSOACC , we would need to store domain admin and tenant global admin credentials in a script or scheduled task.

This is obviously not ideal. We currently having to perform the rollover task manually each month.

Please look at how this process could be improved for automation.

96 votes

Sign in

Your name

Your email address

Check!

invalid email

(thinking…)

Reset

or sign in with

UserVoice password

Forgot password?

Create a password

Signed in as (Sign out)

We’ll send you updates on this idea

NL shared this idea · Mar 27, 2018 · Flag idea as inappropriate… · Admin →

started ·

AdminAzure AD Team (Admin, Microsoft Azure) responded · Jul 18, 2018

We are currently working on an approach that will allow Tenant Admins to do key rollover from the Azure AD portal; without the need for PowerShell or scripting. This will be released within the next 4-6 months. Subsequently, we will release an update that will perform key rollover automatically every 30 days

Swaroop

12 comments

Add a comment…

Sign in

Your name

Your email address

Check!

invalid email

(thinking…)

Reset

or sign in with

UserVoice password

Forgot password?

Create a password

Signed in as (Sign out)

Submitting...

Patrick Elischer commented · December 7, 2018 1:30 AM · Flag as inappropriate

push, would be important..
Brenton Crosby commented · November 25, 2018 9:14 PM · Flag as inappropriate

Looking for an update on this please Azure AD Team!
Anonymous commented · November 20, 2018 1:26 AM · Flag as inappropriate

Hi, what's the latest update to this, has the key rollover process has been automated via Azure AD Connect or can this be done now via Azure AD portal?
Anonymous commented · October 18, 2018 8:07 AM · Flag as inappropriate

Any update?
NL commented · October 16, 2018 9:31 PM · Flag as inappropriate

Hi Azure AD Team, we're at the 3 month mark since your last post on this. Are we likely to see this feature in Azure AD portal soon?
Alex Appleton commented · August 10, 2018 12:07 PM · Flag as inappropriate

Please...
Anonymous commented · August 6, 2018 4:15 AM · Flag as inappropriate

Has this still not been fixed? Having to put Domain Admin credentials into a plain text file in order to automate this is deranged...
chris commented · August 3, 2018 3:33 AM · Flag as inappropriate

It is possible to run this as a scheduled task

#Connect to Azure and rollover SSO Decryption keys
Import-Module 'C:\Program Files\Microsoft Azure Active Directory Connect\AzureADSSO.psd1'
New-AzureADSSOAuthenticationContext -CloudCredentials $CloudCred

#Report before
Get-AzureADSSOStatus | Out-String -width 4096 | Out-File "C:\Scripts\AzureADSSOStatus\AzureADSSOStatus_Pre_$Date.txt"
Get-AzureADSSOComputerAcccountInformation -OnPremCredentials $OnpremCred | Out-File "C:\Scripts\AzureADSSOStatus\AzureADSSOComputerAccountInfo_$Date.txt"

#Rollover SSO Decryption keys
Update-AzureADSSOForest -OnPremCredentials $OnpremCred

#Report After
Get-AzureADSSOStatus | Out-String -width 4096 | Out-File "C:\Scripts\AzureADSSOStatus\AzureADSSOStatus_Post_$Date.txt"
Anonymous commented · July 19, 2018 12:08 AM · Flag as inappropriate

Happy to hear you guys working on it :)
Anonymous commented · June 5, 2018 8:59 AM · Flag as inappropriate

Please include this process in Azure AD connect so we can avoid using plaintext credentials in scripts.
cdubb commented · April 28, 2018 10:19 AM · Flag as inappropriate

This is very much a needed feature. The scripted approach we have taken as a "work around" is not ideal and exposes highly privileged credentials currently. MS needs to address this.
Matt commented · March 27, 2018 6:24 PM · Flag as inappropriate

Great idea, we've been putting up with this for a while and is easy to forget - until people can't login because they changed their AD password and it hasn't synced.

MS, please address this.

Azure Active Directory: Directory Synchronization / AAD Connect

Post a new idea…
All ideas
My feedback
Access Reviews 15
Admin Portal 182
Application Proxy 47
Authentication 223
Azure AD API 72
Azure AD Connect Health 39
B2B 63
B2C 286
Conditional Access 95
Developer Experiences 66
Directory Synchronization / AAD Connect 124
Domain Join 30
Domain Services 90
End user experiences 112
Identity Protection 50
Identity Secure Score 2
Licensing 32
Microsoft Identity Manager 58
Multi-factor Authentication 175
Other 265
PowerShell 53
Privileged Identity Management 53
Reporting 37
Role-based Access Control 46
SaaS Applications 62
Self-Service Password Reset 56
Terms of Use 3

Searching…

No results.
Clear search results

Give feedback
- (General Feedback) 3,633 ideas
- Additional Services 181 ideas
- Analytics Platform System 8 ideas
- API Apps 1 idea
- API Management 355 ideas
- Application Insights 434 ideas
- Automation 370 ideas
- Azure Active Directory 2,367 ideas
- Azure Active Directory Application Requests 179 ideas
- Azure Alert Management 43 ideas
- Azure Analysis Services 115 ideas
- Azure Backup 306 ideas
- Azure Bot Service 40 ideas
- Azure Cloud Shell 143 ideas
- Azure Container Instances 54 ideas
- Azure Container Registry 42 ideas
- Azure Cosmos DB 258 ideas
- Azure CycleCloud 1 idea
- Azure Data Explorer 17 ideas
- Azure Database for MariaDB 3 ideas
- Azure Database for MySQL 37 ideas
- Azure Database for PostgreSQL 69 ideas
- Azure Database Migration Service 17 ideas
- Azure Databricks 29 ideas
- Azure DDoS Protection 6 ideas
- Azure Digital Twins 7 ideas
- Azure Event Grid 32 ideas
- Azure Functions 122 ideas
- Azure Governance 34 ideas
- Azure Government 67 ideas
- Azure IoT 199 ideas
- Azure IoT Central 31 ideas
- Azure IoT Device Catalog 2 ideas
- Azure IoT Edge 38 ideas
- Azure IoT Solution Accelerators 2 ideas
- Azure Key Vault 60 ideas
- Azure Kubernetes Service (AKS) 73 ideas
- Azure Management Groups 5 ideas
- Azure Maps 31 ideas
- Azure Marketplace 353 ideas
- Azure Media Services 193 ideas
- Azure Migrate 17 ideas
- Azure mobile app 167 ideas
- Azure Monitor 15 ideas
- Azure Pack 285 ideas
- Azure portal 2,380 ideas
- Azure Resource Manager 363 ideas
- Azure Search 190 ideas
- Azure Security Center 122 ideas
- Azure SignalR Service 1 idea
- Azure Sphere 23 ideas
- Azure Stack 103 ideas
- Azure TCO Calculator 25 ideas
- Azure Time Series Insights 2 ideas
- Batch 37 ideas
- Batch AI 7 ideas
- Biztalk Services 23 ideas
- Blockchain 26 ideas
- Cache 36 ideas
- CDN 69 ideas
- Cloud Services (Web and Worker Role) 263 ideas
- Cost Management 153 ideas
- Customer Insights 13 ideas
- Customer Lockbox for Microsoft Azure 0 ideas
- Data Catalog 94 ideas
- Data Factory 522 ideas
- Data Lake 318 ideas
- Data Science VM 18 ideas
- DevTest Labs 216 ideas
- Diagnostics and Monitoring 171 ideas
- Event Hubs 3 ideas
- Global Infrastructure 14 ideas
- HDInsight 107 ideas
- Log Analytics 813 ideas
- Logic Apps 1,035 ideas
- Machine Learning 406 ideas
- Mobile Engagement 19 ideas
- Networking 480 ideas
- Notification Hubs 37 ideas
- Scheduler 45 ideas
- Scripting and Command Line Tools 87 ideas
- SDK and Tools 120 ideas
- Security and Compliance 61 ideas
- Service Bus 157 ideas
- Service Fabric 256 ideas
- Signup and Billing 866 ideas
- Site Recovery 193 ideas
- SQL Data Sync 63 ideas
- SQL Data Warehouse 217 ideas
- SQL Database 451 ideas
- SQL Managed Instance 37 ideas
- SQL Server 8,673 ideas
- Storage 514 ideas
- StorSimple 44 ideas
- Stream Analytics 209 ideas
- Support Feedback 218 ideas
- System Center Data Protection Manager 90 ideas
- Update Management 91 ideas
- Virtual Machines 1,187 ideas
- Web Apps 201 ideas
Microsoft Azure