Impact and consequence when resetting the password for Microsoft Entra seamless SSO account?

EnterpriseArchitect 5,516 Reputation points
2024-10-23T12:43:17.2366667+00:00

Based on this article: https://learn.microsoft.com/en-us/entra/identity/hybrid/connect/how-to-connect-sso-faq#how-can-i-roll-over-the-kerberos-decryption-key-of-the--azureadsso--computer-account-

What is the impact of resetting the Kerberos decryption key of the AZUREADSSO computer account?

If there is no impact on the current user, how can I automate this process using scheduled tasks or Azure automation?

Any help would be greatly appreciated.


1 answer

Marti Peig 610 Reputation points Microsoft Employee
    2024-12-03T15:44:01.29+00:00

    Hi EnterpriseArchitect,

    In general, there is no negative side to resetting the Kerberos decryption key of the AZUREADSSO account; however, some negative impacts could happen if it is not managed properly:

    1. Service Interruptions: If not synchronized, it can cause authentication failures and service disruptions for users.
    2. Authentication Failures: Timing issues during key reset may lead to temporary login problems.
    3. Time Synchronization: Kerberos relies on synchronized system time; discrepancies can cause failures.
    4. Hybrid Environment Issues: In hybrid setups, improper key handling may disrupt authentication between on-premises and Azure AD.

    In order to avoid the above, you may want to:

    • Perform resets during off-peak times.
    • Ensure time synchronization and replication are correct.
    • Automate the key reset process to avoid issues.

    And about the last one, there is a good article from Oliver Müller https://www.cloudcoffee.ch/microsoft-azure/microsoft-entra-id-automatically-roll-over-kerberos-decryption-key/?utm_source=chatgpt.com. Please use it as a reference and under your own responsibility. I recommend that you perform as many tests as you need before applying it to production.

    I hope it helps.
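A scheduled-task wrapper for the rollover step, added here as an example and not taken from the thread, the linked article, or Microsoft. It calls the AzureADSSO module's documented cmdlets (New-AzureADSSOAuthenticationContext, Get-AzureADSSOStatus, Update-AzureADSSOForest) and assumes the default Entra Connect install path, credential files exported with Export-Clixml by the task's run-as account, RSAT's ActiveDirectory module for DC discovery, and that the -CloudCredentials parameter of New-AzureADSSOAuthenticationContext still works non-interactively in your tenant (an account under MFA enforcement will not).

```powershell
# Example scheduled-task script (not the thread's or Microsoft's code).
# Assumptions: module path below is the Entra Connect default; credential XML files were written
# with Export-Clixml by the same account that runs this task, so DPAPI binds them to that account;
# -CloudCredentials on New-AzureADSSOAuthenticationContext is assumed to accept a PSCredential.
$ModulePath     = 'C:\Program Files\Microsoft Azure Active Directory Connect\AzureADSSO.psd1'
$CloudCredFile  = 'C:\ProgramData\SsoRollover\cloud.cred.xml'   # Entra hybrid identity admin
$OnPremCredFile = 'C:\ProgramData\SsoRollover\onprem.cred.xml'  # Domain admin, DOMAIN\user form
$LogFile        = 'C:\ProgramData\SsoRollover\rollover.log'
$MaxSkewSeconds = 300   # Kerberos default clock tolerance is 5 minutes

function Write-Log([string]$Message) {
    "$((Get-Date).ToString('u')) $Message" | Add-Content -Path $LogFile
}

function Test-ClockSkew([string]$Computer) {
    # Compare this server's clock with the DC the update will talk to; refuse to roll if out of tolerance.
    $remote = (Get-CimInstance -ClassName Win32_OperatingSystem -ComputerName $Computer).LocalDateTime
    $skew   = [math]::Abs(((Get-Date) - $remote).TotalSeconds)
    Write-Log "Clock skew vs ${Computer}: $([int]$skew)s"
    return ($skew -le $MaxSkewSeconds)
}

try {
    Import-Module $ModulePath -ErrorAction Stop
    $cloudCred  = Import-Clixml $CloudCredFile
    $onPremCred = Import-Clixml $OnPremCredFile

    # Discover a writable DC (ActiveDirectory module) and check time sync before touching the key.
    $dc = (Get-ADDomainController -Discover -Writable).HostName[0]
    if (-not (Test-ClockSkew $dc)) { throw "Clock skew exceeds ${MaxSkewSeconds}s; aborting rollover" }

    New-AzureADSSOAuthenticationContext -CloudCredentials $cloudCred
    Write-Log "SSO status before rollover: $(Get-AzureADSSOStatus)"

    # Roll over the Kerberos decryption key of the AZUREADSSO computer account for this forest.
    # Run once per AD forest if more than one forest is configured for seamless SSO.
    Update-AzureADSSOForest -OnPremCredentials $onPremCred
    Write-Log 'Key rollover completed'
    exit 0
}
catch {
    Write-Log "Key rollover FAILED: $($_.Exception.Message)"
    exit 1   # non-zero exit so the task scheduler or Automation job reports failure and can alert
}
```

Schedule it for an off-peak window and alert on a non-zero exit code; a failed run leaves the existing key in place, so it is safer than an unattended retry loop.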

