This browser is no longer supported.
Upgrade to Microsoft Edge to take advantage of the latest features, security updates, and technical support.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(297.6, 41%, 38%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EI%3C/text%3E%3C/svg%3E)
Hello,
I have been trying to Automate the Azure AD Kerberos Decryption Key Rotation.
I have created a service principal account with the Application ID, Tenant ID, Secret ID, and Certificate.
When try to use this cmdlet New-AzureADSSOAuthenticationContext [-Token <string>] [-TenantId <Tenant ID>] [-UserName <Application ID>] and generate a Token or use the secret value, it will look like it worked.
However, when I run this cmd Get-AzureADSSOStatus | ConvertFrom-Json it comes up with an error " Get-AzureADSSOStatus : Retrieving desktopSso configuration failed. Error message: An error occured during authentication process. RequestId: 'f7ef407c-7403-4ba3-81a8-e632aea368a3'"
So, I would like to know how to use my service principal account with New-AzureADSSOAuthenticationContext and what to use for Token.
Thank you,
Adebayo
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(275.2, 41%, 36%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EAM%3C/text%3E%3C/svg%3E)
Ishola, Following-up to check if you had a chance to review the answer provided.
If the answer did not help, please add more context/follow-up question for it, and we will help you out. Else, if the answer helped, please click Accept answer so that it can help others in the community looking for help on similar topics.
Confirm that the Application ID, Secret ID, and Certificate associated with your service principal are all valid and have not expired. The certificate should be trusted by Azure AD.
Hello Sedat,
All that is working perfectly. I can connect to the Azure Ad with those credentials, but I cannot connect to the New-AzureADSSOAuthenticationContext with the same credentials.
Thank you.
Adebayo
Hi i follow the following tutorial generally and it works for me can you check this one
https://acloudguy.com/2021/08/18/automatically-roll-over-kerberos-decryption-key-with-azure-ad-sso/#:~:text=Import,OnPremCredentials%20%24OnPremADCred
Hi Sedat, Thank you for your answers but the credentials I want to use, are the service principal account. The tutorial in the link only works with the normal user account. Thank you, Adebayo
Ishola, thank you for the reply. It appears that service principals or other modes of automation (except using the admin accounts) are not available currently. There was also feedback filed for the same which is currently in backlog. Apologies for the inconvinience.
Automate Seamless SSO Kerberos decryption key rollover AZUREADSSOACC
Hi, @AnuragSingh-MSFT Thank you so much for this information. We will keep our hopes up for the update. Thank you, Adebayo
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(240, 28.999999999999996%, 33%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EJC%3C/text%3E%3C/svg%3E)
Hi - any update on the ability to use a managed identity/app registration/service principal to connect using this command? I see the feedback link but no updates on it in a while...