How can we improve Azure Active Directory?

Automate Seamless SSO Kerberos decryption key rollover AZUREADSSOACC

Currently, to automate the Kerberos SSO decryption key rollover for AZUREADSSOACC, we would need to store domain admin and tenant global admin credentials in a script or scheduled task.

This is obviously not ideal. We are currently having to perform the rollover task manually each month.

Please look at how this process could be improved for automation.

171 votes

NL shared this idea
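The monthly rollover the idea describes doing by hand, as an added example that is not part of the original post: it uses the AzureADSSO module cmdlets shipped with Azure AD Connect (the post does not name them) and prompts for both the global admin and the domain admin credentials interactively, so nothing is written to disk. The module path is the default Azure AD Connect install location and is an assumption.

```powershell
# Added example: manual Seamless SSO key rollover for AZUREADSSOACC.
# Both credentials are entered at the prompt; no password is persisted.
# Assumption: default Azure AD Connect install path on the Connect server.
$modulePath = 'C:\Program Files\Microsoft Azure Active Directory Connect\AzureADSSO.psd1'
Import-Module $modulePath -ErrorAction Stop

# Tenant side: interactive global admin sign-in for the session.
New-AzureADSSOAuthenticationContext

# On-premises side: domain admin for the forest, entered as DOMAIN\user.
$onPremCreds = Get-Credential -Message 'Domain admin (DOMAIN\user) for the forest to roll over'

# Rotate the AZUREADSSOACC Kerberos decryption key and publish it to Azure AD.
Update-AzureADSSOForest -OnPremCredentials $onPremCreds

# Verify the feature is still enabled for the domains and note the next due date.
Get-AzureADSSOStatus | ConvertFrom-Json
"Rolled over on $(Get-Date -Format s); next rollover due by $((Get-Date).AddDays(30).ToString('yyyy-MM-dd'))"

# Clear the credential object from the session once the cmdlet has returned.
Remove-Variable onPremCreds
```

Run this on the Azure AD Connect server for each forest that uses Seamless SSO; the 30-day reminder matches the monthly cadence the post describes.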

30 comments

  • Mike commented

    Hi,

    Do you have any update on this? We're now at the end of April.

  • Anonymous commented

    Adding a comment to get updates to this thread...
    Thanks for working on this feature to make this smoother!

  • Patrick Elischer commented

    Before commenting on this post, you should read the comments first.
    MS wrote (5 February 2019): "We will do an update to this thread in early April to update on our progress and get more specific on the date if possible."

    It isn't April yet, is it?

  • Admin, Azure AD Team (Product Owner, Microsoft Azure) commented

    Folks, I am sorry about the 'radio silence'. We left this open with no update for too long without communication. I sincerely apologize for this oversight.

    We made some significant changes to our plans in this area and Automation of Seamless SSO Kerberos decryption key rollover is now targeted for this summer. We will do an update to this thread in early April to update on our progress and get more specific on the date if possible.

    Keith

  • David Meatty commented

    Still nothing? I've found ways to do it with a PowerShell scheduled task using an encrypted file to hold the password, but it still requires a service account with global admin on my tenant. Doing that with an account that has a non-expiring password is not something I want to do.

  • Josef Micka commented

    I also want to know what the status of this feature is.
    An admin cannot manually roll over keys every month for all Azure-connected domains, and storing credentials in scripts breaks security.

    If you want people to migrate to Azure, you should provide a seamless experience not only for end users, but also for administrators.

  • MCS UK Infra commented

    Is there any news on the Kerberos rollover? It's getting tedious when it could ideally be automated.
