How can we improve Azure Active Directory?

← Azure Active Directory

Automate Seamless SSO Kerberos decryption key rollover AZUREADSSOACC

Currently to automate the Kerberos SSO decryption key rollover for AZUREADSSOACC , we would need to store domain admin and tenant global admin credentials in a script or scheduled task.

This is obviously not ideal. We currently having to perform the rollover task manually each month.

Please look at how this process could be improved for automation.

742 votes
Sign in
(thinking…)
Sign in with: Microsoft
Forgot password?
Create a password
Signed in as (Sign out)
Close
Close

We’ll send you updates on this idea

NL shared this idea  ·   ·  Flag idea as inappropriate…  ·  Admin →
started  ·  Azure AD Team responded  · 

Hi everyone,
Thanks for your interest on this feature. This capability is still in the pipeline. The initial estimate was obviously off and we are looking at a new timeline. We are aware of the benefit of having this rollover made automatic and the interest you have on the feature, and that’s how we are looking at it while prioritizing it against other capabilities requests.
Thanks for your patience!

Jairo Cadena
Principal Program Manager
Microsoft Identity

Show previous admin responses (2)

106 comments

Sign in
(thinking…)
Sign in with: Microsoft
Forgot password?
Create a password
Signed in as (Sign out)
Close
Close
Submitting...
An error occurred while saving the comment
  • Gregory Mund commented  ·   ·  Flag as inappropriate

    WOW, almost a year and a half and no update on this? C'mon Man!! This should have been automated out of the gate, not an afterthought. If you aren't going to actually work on this maybe you should change the status from Started to Stalled.

  • Brenton Crosby commented  ·   ·  Flag as inappropriate

    Would like to see some action on this, as long as the Azure AD Connect client is auto-updating this feature should be able to be rolled out to everyone who has that in place.

  • Michael commented  ·   ·  Flag as inappropriate

    What is happening with this? In mid 2018 it was going to be 4-6 months away.. can you please provide an update to advise why this is taking so long? It seems it should be a fairly simple functionality improvement that impacts most, if not all of your customers on Azure AD.

  • Anonymous commented  ·   ·  Flag as inappropriate

    How does it take year and a half since the last official response and still no progress on something that should have been implemented from the beginning of the feature announcement?

  • KK commented  ·   ·  Flag as inappropriate

    This feature is badly needed. I am currently storing passwords using securestring and also using NTFS permissions and EFS encryption but I know that's not enough. I really like to have the kerberos decryption keys rotated automatically

  • Brad Martin commented  ·   ·  Flag as inappropriate

    Is there any update on this? Manual rotation or scripting with passwords are not good solutions.

  • Komoroske, Gina commented  ·   ·  Flag as inappropriate

    Wow, Microsoft, this is over a year old. Your best practice document and now your security center flags overuse of global administrators. Why is this difficult to create a role w/out that level of access to roll this key over?

  • Hugo Gerryts commented  ·   ·  Flag as inappropriate

    I would also like to see this process automated. Putting username and password in a script goes against all security best practises.

  • SME commented  ·   ·  Flag as inappropriate

    Please implement modern authentication (like login with certificate) to logon on AzureAD as soon as possible.

← Previous 1 3 4 5 6

Azure Active Directory: Azure AD Connect

Categories

Feedback and Knowledge Base

(thinking…)
Hosted by UserVoice