How can we improve Azure Active Directory?

Automate Seamless SSO Kerberos decryption key rollover AZUREADSSOACC

Currently, to automate the Kerberos SSO decryption key rollover for AZUREADSSOACC, we would need to store domain admin and tenant global admin credentials in a script or scheduled task.

This is obviously not ideal. We currently have to perform the rollover task manually each month.

Please look at how this process could be improved for automation.

132 votes

    NL shared this idea
    started  ·  Azure AD Team (Admin, Microsoft Azure) responded

    We are currently working on an approach that will allow Tenant Admins to do key rollover from the Azure AD portal, without the need for PowerShell or scripting. This will be released within the next 4-6 months. Subsequently, we will release an update that will perform key rollover automatically every 30 days.

    Swaroop

    22 comments

      • Azure AD Team (Admin, Microsoft Azure) commented

        Folks, I am sorry about the 'radio silence'. We left this open with no update for too long without communication. I sincerely apologize for this oversight.

        We made some significant changes to our plans in this area and Automation of Seamless SSO Kerberos decryption key rollover is now targeted for this summer. We will do an update to this thread in early April to update on our progress and get more specific on the date if possible.

        Keith

      • David Meatty commented

        Still nothing? I've found ways to do it with a PowerShell scheduled task using an encrypted file to hold the password, but it still requires a service account with global admin on my tenant. Doing that with an account that has a non-expiring password is not something I want to do.

      • Josef Micka commented

        I also want to know what the status of this feature is.
        An admin cannot manually roll over keys every month for all Azure-connected domains, and storing credentials in scripts breaks security.

        If you want people to migrate to Azure, you should not only provide a seamless experience for end users, but also for administrators.

      • MCS UK Infra commented

        Is there any news on the Kerberos rollover? It's getting tedious when it could ideally be automated.

      • Anonymous commented

        Hi, what's the latest update on this? Has the key rollover process been automated via Azure AD Connect, or can this be done now via the Azure AD portal?

      • NL commented

        Hi Azure AD Team, we're at the 3 month mark since your last post on this. Are we likely to see this feature in Azure AD portal soon?

      • Anonymous commented

        Has this still not been fixed? Having to put Domain Admin credentials into a plain text file in order to automate this is deranged...

      • chris commented

        It is possible to run this as a scheduled task:

        # Assumed here: the two credentials are read from DPAPI-protected XML files created
        # earlier with Export-Clixml (decryptable only by the same user on the same machine).
        # $CloudCred is a tenant global admin, $OnpremCred a domain admin.
        $CloudCred  = Import-Clixml 'C:\Scripts\AzureADSSOStatus\CloudCred.xml'
        $OnpremCred = Import-Clixml 'C:\Scripts\AzureADSSOStatus\OnpremCred.xml'
        $Date = Get-Date -Format 'yyyyMMdd'

        #Connect to Azure and rollover SSO Decryption keys
        Import-Module 'C:\Program Files\Microsoft Azure Active Directory Connect\AzureADSSO.psd1'
        New-AzureADSSOAuthenticationContext -CloudCredentials $CloudCred

        #Report before
        Get-AzureADSSOStatus | Out-String -Width 4096 | Out-File "C:\Scripts\AzureADSSOStatus\AzureADSSOStatus_Pre_$Date.txt"
        Get-AzureADSSOComputerAccountInformation -OnPremCredentials $OnpremCred | Out-File "C:\Scripts\AzureADSSOStatus\AzureADSSOComputerAccountInfo_$Date.txt"

        #Rollover SSO Decryption keys
        Update-AzureADSSOForest -OnPremCredentials $OnpremCred

        #Report After
        Get-AzureADSSOStatus | Out-String -Width 4096 | Out-File "C:\Scripts\AzureADSSOStatus\AzureADSSOStatus_Post_$Date.txt"
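
        The rollover above needs stored domain admin and global admin credentials, but checking whether the rollover is overdue does not. The following is an added example (not chris's script and not Microsoft's code) that reports the age of the AZUREADSSOACC account password, which is the Kerberos decryption key, in every domain of the forest; it assumes the RSAT ActiveDirectory module on a domain-joined host, and the function name and the 30-day threshold (taken from the interval discussed in this thread) are my choices.

```powershell
# Added example, not from this thread: read-only check that the AZUREADSSOACC key
# (the computer account's password) has been rolled over within the expected interval
# in every domain of the forest. Needs only the RSAT ActiveDirectory module and an
# ordinary domain account, so no domain admin or global admin credentials are stored.
Import-Module ActiveDirectory

function Get-SeamlessSsoKeyAge {
    param(
        [int]$MaxAgeDays = 30,                  # rollover interval discussed in this thread
        [string]$AccountName = 'AZUREADSSOACC'  # computer account that holds the key
    )
    foreach ($domain in (Get-ADForest).Domains) {
        try {
            # pwdLastSet is readable by Authenticated Users by default, so no elevation needed
            $acct = Get-ADComputer -Identity $AccountName -Server $domain `
                -Properties PasswordLastSet -ErrorAction Stop
        }
        catch [Microsoft.ActiveDirectory.Management.ADIdentityNotFoundException] {
            # Seamless SSO is not enabled for this domain; report it rather than skip silently
            [pscustomobject]@{
                Domain = $domain; PasswordLastSet = $null; AgeDays = $null
                Overdue = $false; Note = "no $AccountName account"
            }
            continue
        }
        $age = (Get-Date) - $acct.PasswordLastSet
        [pscustomobject]@{
            Domain          = $domain
            PasswordLastSet = $acct.PasswordLastSet
            AgeDays         = [math]::Round($age.TotalDays, 1)
            Overdue         = $age.TotalDays -gt $MaxAgeDays
            Note            = ''
        }
    }
}

# Usage: print the report and fail the scheduled task when any key is overdue,
# so the task's last-run result can be alerted on by normal task monitoring.
$report = Get-SeamlessSsoKeyAge
$report | Format-Table -AutoSize
if ($report | Where-Object Overdue) { exit 1 }
```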

      • Anonymous commented

        Please include this process in Azure AD Connect so we can avoid using plaintext credentials in scripts.
