How to Roll over Kerberos decryption key for Azure AD

If your Azure AD is synched with On-Prem AD DS through AD Connect then you will see after a while a notification on Azure Portal under Seamless single sign-on

Seamless SSO can be combined with either the Password Hash Synchronization or Pass-through Authentication sign-in methods. However, this feature cannot be used with Active Directory Federation Services (ADFS).

This feature is free and you don’t need Azure P1 or P2 subscription. Microsoft highly recommends that you roll over the Kerberos decryption key at least every 30 days.

So, how do we roll over the Kerberos decryption key for Azure AD?

Login to your AD On-Prem server and follow these steps from PowerShell

Windows PowerShell
Copyright (C) Microsoft Corporation. All rights reserved.

PS C:\Users\Administrator> Install-Module AzureAD

NuGet provider is required to continue
PowerShellGet requires NuGet provider version ‘’ or newer to interact with NuGet-based repositories. The NuGet
provider must be available in ‘C:\Program Files\PackageManagement\ProviderAssemblies’ or
‘C:\Users\Administrator\AppData\Local\PackageManagement\ProviderAssemblies’. You can also install the NuGet provider by
running ‘Install-PackageProvider -Name NuGet -MinimumVersion -Force’. Do you want PowerShellGet to install
and import the NuGet provider now?
[Y] Yes [N] No [S] Suspend [?] Help (default is “Y”): Y

Untrusted repository
You are installing the modules from an untrusted repository. If you trust this repository, change its
InstallationPolicy value by running the Set-PSRepository cmdlet. Are you sure you want to install the modules from
[Y] Yes [A] Yes to All [N] No [L] No to All [S] Suspend [?] Help (default is “N”): Y
PS C:\Users\Administrator>
PS C:\Users\Administrator>
PS C:\Users\Administrator> $env:programfiles”\Microsoft Azure Active Directory Connect”
At line:1 char:18

  • $env:programfiles”\Microsoft Azure Active Directory Connect”
  • ~~~~~~~~~~~ Unexpected token ‘”\Microsoft Azure Active Directory Connect”‘ in expression or statement.
    • CategoryInfo : ParserError: (:) [], ParentContainsErrorRecordException
    • FullyQualifiedErrorId : UnexpectedToken

PS C:\Users\Administrator> cd ..
PS C:\Users> cd /
PS C:> cd ‘.\Program Files\’
PS C:\Program Files> ls

Directory: C:\Program Files

Mode LastWriteTime Length Name
—- ————- —— —-
d—– 26/03/2021 01:36 Common Files
d—– 26/03/2021 01:26 Google
d—– 09/02/2022 02:40 internet explorer
d—– 26/03/2021 00:07 Microsoft Azure Active Directory Connect
d—– 26/03/2021 00:22 Microsoft Azure AD Connect Health Sync Agent
d—– 26/03/2021 00:20 Microsoft Azure AD Sync
d—– 26/03/2021 00:19 Microsoft SQL Server
d—– 20/06/2020 21:31 MSBuild
d—– 09/02/2022 10:52 PackageManagement
d—– 20/06/2020 21:31 Reference Assemblies
d—– 26/03/2021 01:38 VMware
d-r— 24/03/2021 12:32 Windows Defender
d—– 09/02/2022 02:40 Windows Defender Advanced Threat Protection
d—– 09/02/2022 02:40 Windows Mail
d—– 24/03/2021 12:32 Windows Media Player
d—– 15/09/2018 08:19 Windows Multimedia Platform
d—– 15/09/2018 08:28 windows nt
d—– 24/03/2021 12:32 Windows Photo Viewer
d—– 15/09/2018 08:19 Windows Portable Devices
d—– 15/09/2018 08:19 Windows Security
d—– 09/02/2022 10:52 WindowsPowerShell

PS C:\Program Files> cd ‘.\Microsoft Azure Active Directory Connect\’

PS C:\Program Files\Microsoft Azure Active Directory Connect> Import-Module .\AzureADSSO.psd1

PS C:\Program Files\Microsoft Azure Active Directory Connect> New-AzureADSSOAuthenticationContext

[10:55:54.978] [ 6] [INFORMATIONAL] Registry configuration used to set endpoints for DSSO in cloud : Worldwide.
PS C:\Program Files\Microsoft Azure Active Directory Connect> Get-AzureADSSOStatus | ConvertFrom-Json

Enable : True
Exists : True
Domains : {}
IsSuccessful : True
ErrorMessage :

PS C:\Program Files\Microsoft Azure Active Directory Connect> $creds = Get-Credential

cmdlet Get-Credential at command pipeline position 1
Supply values for the following parameters:
PS C:\Program Files\Microsoft Azure Active Directory Connect> Update-AzureADSSOForest -OnPremCredentials $creds
[11:11:18.126] [ 6] [INFORMATIONAL] UpdateComputerAccount: Locating SSO computer account in voiceonbits…
[11:11:18.142] [ 6] [INFORMATIONAL] GetDesktopSsoComputerAccount: Searching in global catalog(forest) and voiceonbits for computer account AZUREADSSOACC
[11:11:18.345] [ 6] [INFORMATIONAL] TrySearchAccountUnderGlobalCatalog: Object was found in global catalog(forest), hence skipping voiceonbits search
[11:11:18.345] [ 6] [INFORMATIONAL] UpdateComputerAccount: Found SSO computer account at CN=AZUREADSSOACC,CN=Computers,DC=voiceonbits,DC=com. Updating its properties…
[11:11:18.345] [ 6] [INFORMATIONAL] UpdateComputerAccount: Granting full control to account admins and enterprise admins for computer account CN=AZUREADSSOACC,CN=Computers,DC=voiceonbits,DC=com…
[11:11:18.689] [ 6] [INFORMATIONAL] UpdateComputerAccount: Successfully updated SSO computer account properties.

The operation completed successfully
PS C:\Program Files\Microsoft Azure Active Directory Connect>
PS C:\Program Files\Microsoft Azure Active Directory Connect>


Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s

This site uses Akismet to reduce spam. Learn how your comment data is processed.

%d bloggers like this: