Automatically roll over the Kerberos decryption key Azure AD Connect SSO

February 23, 2018

It's highly recommended to roll over the Kerberos decryption key of the Azure AD Connect Seamless SSO computer account (AZUREADSSOACC, created in on-premises AD when Seamless SSO is enabled) at least every 30 days. There is no built-in feature to roll this key over automatically; it has to be done with the AzureADSSO PowerShell module on the Azure AD Connect server.

You will notice this warning in the Azure portal if the key hasn’t been rolled over recently.

I've used this blog article to secure the service account password on the server:

I've configured a PowerShell script that runs as a scheduled task on the server where Azure AD Connect is installed.
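The following script is an added example of such a scheduled task and is not the script from the original post. It covers the two steps above: storing the credentials on the server with Export-Clixml (DPAPI protected, so only the same Windows account on the same machine can read them back), and the rollover itself with the AzureADSSO module that Azure AD Connect installs. Assumptions: the module is at its default install path; the stored cloud credential is a cloud-only Global Admin without MFA enforced, because the task runs unattended; the on-premises credential is a Domain Admin of the forest that holds AZUREADSSOACC; the task account name CONTOSO\svc-ssorollover and the file locations are hypothetical; and New-AzureADSSOAuthenticationContext accepts -CloudCredentials for non-interactive sign-in, which is how it is used here.

```powershell
<#
  Added example, not the script from the original post.
  Hypothetical names: CONTOSO\svc-ssorollover (task account), $env:ProgramData\SsoKeyRollover (credential store).
  Assumptions:
    - Azure AD Connect with Seamless SSO is installed here, so AzureADSSO.psd1 is at its default path.
    - The cloud credential is a cloud-only Global Admin with no MFA enforced (unattended sign-in);
      the on-prem credential is a Domain Admin of the forest holding AZUREADSSOACC.
    - The scheduled task runs as the SAME Windows account that ran -Setup: Export-Clixml protects the
      password with DPAPI (CurrentUser scope), which only that user on this machine can decrypt.
  Usage:  .\Invoke-SsoKeyRollover.ps1 -Setup      (once, logged on as the task account)
          .\Invoke-SsoKeyRollover.ps1 -Register   (once, as a local administrator)
          .\Invoke-SsoKeyRollover.ps1             (what the task runs every 30 days)
#>
[CmdletBinding()]
param(
    [switch]$Setup,
    [switch]$Register,
    [string]$CredDir  = "$env:ProgramData\SsoKeyRollover",
    [string]$TaskUser = 'CONTOSO\svc-ssorollover'   # hypothetical task account
)

$ErrorActionPreference = 'Stop'
$ModulePath     = 'C:\Program Files\Microsoft Azure Active Directory Connect\AzureADSSO.psd1'
$CloudCredFile  = Join-Path $CredDir 'cloud.clixml'
$OnPremCredFile = Join-Path $CredDir 'onprem.clixml'
$LogFile        = Join-Path $CredDir 'rollover.log'

function Write-Log([string]$Message) {
    "$(Get-Date -Format o) $Message" | Add-Content -Path $LogFile
}

# Reads pwdLastSet of the AZUREADSSOACC computer account straight from LDAP (no RSAT needed),
# so the rollover is verified in AD instead of trusted from the cmdlet's output.
function Get-SsoAccountPasswordLastSet {
    $entry = ([ADSISearcher]'(sAMAccountName=AZUREADSSOACC$)').FindOne()
    if (-not $entry) { throw 'AZUREADSSOACC not found; is Seamless SSO enabled in this forest?' }
    [DateTime]::FromFileTimeUtc([int64]$entry.Properties['pwdlastset'][0])
}

if ($Setup) {
    New-Item -ItemType Directory -Path $CredDir -Force | Out-Null
    # DPAPI-protected export: readable only by this user on this machine.
    Get-Credential -Message 'Azure AD Global Admin (cloud-only, no MFA)' | Export-Clixml -Path $CloudCredFile
    Get-Credential -Message 'On-premises Domain Admin (DOMAIN\user)'    | Export-Clixml -Path $OnPremCredFile
    # Belt and braces: NTFS ACL limits the files to the task account and local admins.
    icacls.exe $CredDir /inheritance:r /grant:r "$($TaskUser):(OI)(CI)F" 'BUILTIN\Administrators:(OI)(CI)F' | Out-Null
    return
}

if ($Register) {
    $action   = New-ScheduledTaskAction -Execute 'powershell.exe' `
                  -Argument "-NoProfile -ExecutionPolicy Bypass -File `"$PSCommandPath`" -CredDir `"$CredDir`""
    $trigger  = New-ScheduledTaskTrigger -Daily -DaysInterval 30 -At '03:00'
    $settings = New-ScheduledTaskSettingsSet -RunOnlyIfNetworkAvailable -StartWhenAvailable
    # Register-ScheduledTask takes the task account's password as plain text and stores it in Task Scheduler.
    $secure   = Read-Host -Prompt "Password for $TaskUser" -AsSecureString
    $plain    = (New-Object System.Net.NetworkCredential('', $secure)).Password
    Register-ScheduledTask -TaskName 'Roll AZUREADSSOACC Kerberos key' -Action $action -Trigger $trigger `
        -Settings $settings -User $TaskUser -Password $plain -RunLevel Highest | Out-Null
    return
}

# Default mode: the actual rollover, as run by the scheduled task.
try {
    Import-Module $ModulePath
    $cloudCred  = Import-Clixml -Path $CloudCredFile
    $onPremCred = Import-Clixml -Path $OnPremCredFile

    $before = Get-SsoAccountPasswordLastSet
    # Unattended Azure AD sign-in (assumes -CloudCredentials; fails for an MFA-enforced account).
    New-AzureADSSOAuthenticationContext -CloudCredentials $cloudCred
    # Resets the AZUREADSSOACC password in AD and pushes the new key to Azure AD; run once per forest if you have several.
    Update-AzureADSSOForest -OnPremCredentials $onPremCred

    # The reset may land on a different DC than the one we query; allow a little time for replication.
    $after = $before
    for ($try = 0; $try -lt 5 -and $after -le $before; $try++) {
        Start-Sleep -Seconds 30
        $after = Get-SsoAccountPasswordLastSet
    }
    if ($after -le $before) {
        throw "pwdLastSet did not advance (still $($before.ToString('o'))); the key was not rolled."
    }
    Write-Log "OK: AZUREADSSOACC key rolled, pwdLastSet $($before.ToString('o')) -> $($after.ToString('o'))"
}
catch {
    Write-Log "FAILED: $($_.Exception.Message)"
    exit 1
}
```

Run -Setup while logged on as the task account, since the DPAPI-protected credential files cannot be decrypted by anyone else. The check on pwdLastSet is what tells you the rollover actually happened in AD; a run that logs FAILED is also the signal to look at the portal warning again, and the log file gives you something to alert on from the monitoring side.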


Disclaimer: All scripts and references on this blog are offered “as is” with no warranty.  These scripts are tested in my environment, it is recommended that it is tested in a test environment before using in production.

2 comments on “Automatically roll over the Kerberos decryption key Azure AD Connect SSO”

  1. Hello

    Can you confirm what was the minimum permissions you supplied to the service account

    Looks like it needs Global Admin
