Automate Seamless SSO Kerberos decryption key rollover AZUREADSSOACC
Currently to automate the Kerberos SSO decryption key rollover for AZUREADSSOACC , we would need to store domain admin and tenant global admin credentials in a script or scheduled task.
This is obviously not ideal. We currently having to perform the rollover task manually each month.
Please look at how this process could be improved for automation.
Thanks for your interest on this feature. This capability is still in the pipeline. The initial estimate was obviously off and we are looking at a new timeline. We are aware of the benefit of having this rollover made automatic and the interest you have on the feature, and that’s how we are looking at it while prioritizing it against other capabilities requests.
Thanks for your patience!
Principal Program Manager
Hi Azure AD Team, we're at the 3 month mark since your last post on this. Are we likely to see this feature in Azure AD portal soon?
Alex Appleton commented
Has this still not been fixed? Having to put Domain Admin credentials into a plain text file in order to automate this is deranged...
It is possible to run this as a scheduled task
#Connect to Azure and rollover SSO Decryption keys
Import-Module 'C:\Program Files\Microsoft Azure Active Directory Connect\AzureADSSO.psd1'
New-AzureADSSOAuthenticationContext -CloudCredentials $CloudCred
Get-AzureADSSOStatus | Out-String -width 4096 | Out-File "C:\Scripts\AzureADSSOStatus\AzureADSSOStatus_Pre_$Date.txt"
Get-AzureADSSOComputerAcccountInformation -OnPremCredentials $OnpremCred | Out-File "C:\Scripts\AzureADSSOStatus\AzureADSSOComputerAccountInfo_$Date.txt"
#Rollover SSO Decryption keys
Update-AzureADSSOForest -OnPremCredentials $OnpremCred
Get-AzureADSSOStatus | Out-String -width 4096 | Out-File "C:\Scripts\AzureADSSOStatus\AzureADSSOStatus_Post_$Date.txt"
Happy to hear you guys working on it :)
Please include this process in Azure AD connect so we can avoid using plaintext credentials in scripts.
This is very much a needed feature. The scripted approach we have taken as a "work around" is not ideal and exposes highly privileged credentials currently. MS needs to address this.
Great idea, we've been putting up with this for a while and is easy to forget - until people can't login because they changed their AD password and it hasn't synced.
MS, please address this.