Guide – Password rotation Seamless SSO – AzureADSSO Account


The purpose of this guide is to check that the Kerberos decryption key of the Azure AD Seamless SSO computer account is being rotated, and to rotate it if it is not.

Technical explanation:
Azure AD Seamless SSO (now Microsoft Entra seamless single sign-on) does not rely on a gateway on your network. During setup, Azure AD Connect creates a computer account named AZUREADSSOACC in each on-premises AD forest and registers a service principal name (SPN) for the Azure AD autologon endpoint on it. The Kerberos key derived from that account's password is shared with Azure AD. When a user on a domain-joined machine signs in, the browser obtains a Kerberos service ticket for that SPN from a domain controller and sends it to Azure AD, which decrypts it with the shared key and completes the sign-in without the user entering a password.
Unlike ordinary computer accounts, whose passwords Windows rotates automatically every 30 days, the AZUREADSSOACC key is not rolled automatically: it keeps the same value until an administrator rolls it, and in most companies that rarely happens.
That means anyone who extracts the account's key (using DCSync, for example) can forge Kerberos service tickets for that SPN for any synchronized user and sign in to Azure AD as them, and the stolen key stays valid until it is rolled. Rolling the key is the only way to invalidate it.
This guide explains how to perform a key rotation of the AZUREADSSOACC account.
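Before rotating anything it is worth knowing how old the current key is in every forest. The following script is an added example, not part of the original guide; it assumes the RSAT ActiveDirectory module is installed where it runs, reads the PasswordLastSet attribute of AZUREADSSOACC (the timestamp of the last key roll), and flags forests whose key is older than a threshold. The 30-day default is Microsoft's published recommendation; the function name and parameters are this example's own.

```powershell
# Added example (not part of the original guide): report the age of the
# AZUREADSSOACC Kerberos key in one or more forests. Assumes the RSAT
# ActiveDirectory module is available; the 30-day limit is Microsoft's
# recommendation and can be changed.
Import-Module ActiveDirectory

function Get-AzureAdSsoKeyAge {
    param(
        [string[]]$Forest = @($env:USERDNSDOMAIN),   # forest root domains to check
        [int]$MaxAgeDays = 30,
        [pscredential]$Credential                     # needed for forests you are not logged in to
    )
    foreach ($f in $Forest) {
        $adArgs = @{
            Identity   = 'AZUREADSSOACC'
            Server     = $f
            Properties = 'PasswordLastSet', 'ServicePrincipalName', 'Enabled'
        }
        if ($Credential) { $adArgs.Credential = $Credential }
        try {
            $acct = Get-ADComputer @adArgs
        } catch {
            Write-Warning "No AZUREADSSOACC account found in $f (Seamless SSO not enabled there, or no access): $_"
            continue
        }
        # PasswordLastSet is the last time the key was rolled; a null value
        # means the account exists but never had a key set.
        $ageDays = if ($acct.PasswordLastSet) {
            [int]((Get-Date) - $acct.PasswordLastSet).TotalDays
        } else { $null }
        [pscustomobject]@{
            Forest          = $f
            Enabled         = $acct.Enabled
            PasswordLastSet = $acct.PasswordLastSet
            KeyAgeDays      = $ageDays
            Compliant       = ($null -ne $ageDays) -and ($ageDays -le $MaxAgeDays)
            SPNs            = ($acct.ServicePrincipalName -join '; ')
        }
    }
}

# Check the current forest; rows with Compliant = False are the ones to act on.
Get-AzureAdSsoKeyAge | Format-Table -AutoSize
```

For several forests pass them explicitly, for example Get-AzureAdSsoKeyAge -Forest contoso.com, fabrikam.com -Credential (Get-Credential). The SPNs column lets you confirm the account really is the Seamless SSO account and not a lookalike computer object.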

Preparation before Password Rotation

Step 1. Go to your Azure AD Connect (Microsoft Entra Connect) server.

Step 2. Open PowerShell as an administrator and, if it is not already present, download and install the Azure AD PowerShell module. The Seamless SSO module itself ships with Azure AD Connect and needs no separate download.

Step 3. Change to the Azure AD Connect installation folder: cd "$env:ProgramFiles\Microsoft Azure Active Directory Connect"

Step 4. Import the Seamless SSO PowerShell module using this command: “Import-Module .\AzureADSSO.psd1”

Step 5. Call New-AzureADSSOAuthentication.

This command opens a sign-in prompt; enter your tenant's Global Administrator or Hybrid Identity Administrator credentials.

Step 6. Call Get-AzureADSSOStatus | ConvertFrom-Json.

This command lists the AD forests (see the “Domains” list in the output) on which the feature has been enabled.

Execute Password Rotation for AzureADSSO Account

Step 7. Call $creds = Get-Credential.

When prompted, enter the Domain Administrator credentials for the intended AD forest.

The username must be entered in SAM account name format (contoso\johndoe or contoso.com\johndoe); the domain portion of the username is used to locate a Domain Controller for that domain through DNS.

The Domain Administrator account used must not be a member of the Protected Users group; if it is, the operation will fail.

Step 8. Call Update-AzureADSSOForest -OnPremCredentials $creds

This command rolls the Kerberos decryption key of the AZUREADSSOACC computer account in this AD forest and updates the new key in Microsoft Entra ID.

Step 9. Repeat steps 7 and 8 for each AD forest on which you have set up the feature.
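Steps 3 to 9 as one script, written as an added example rather than taken from the original guide. It runs on the Azure AD Connect server in an elevated session, rolls the key in every forest returned by Get-AzureADSSOStatus, and adds the checks the guide calls out: the username must be in DOMAIN\user form, the account must not be in Protected Users, and PasswordLastSet on AZUREADSSOACC should advance after the roll. It assumes the RSAT ActiveDirectory module is installed on the Connect server and that the “Domains” list in the status JSON holds DNS domain names, both of which are this example's assumptions.

```powershell
# Added example (not part of the original guide): roll the AZUREADSSOACC
# Kerberos decryption key in every forest where Seamless SSO is enabled,
# with the pre-checks from the guide. Run elevated on the Azure AD Connect
# server. Assumes the RSAT ActiveDirectory module is present.
Set-Location "$env:ProgramFiles\Microsoft Azure Active Directory Connect"
Import-Module .\AzureADSSO.psd1
Import-Module ActiveDirectory

# Prompts for Global Administrator / Hybrid Identity Administrator credentials.
New-AzureADSSOAuthentication

# Status output is JSON; the "Domains" list names the forests with the feature on.
# Assumption of this example: the entries are DNS domain names such as contoso.com.
$status = Get-AzureADSSOStatus | ConvertFrom-Json
if (-not $status.Domains) {
    Write-Warning 'Seamless SSO is not enabled on any forest; nothing to roll.'
    return
}

foreach ($domain in $status.Domains) {
    Write-Host "Rolling AZUREADSSOACC key for forest $domain"

    # Domain Administrator credentials in SAM format (contoso\johndoe or
    # contoso.com\johndoe); the domain part is used to find a DC via DNS.
    $creds = Get-Credential -Message "Domain Administrator for $domain (e.g. $domain\adminuser)"
    if ($creds.UserName -notmatch '\\') {
        throw "Username must be DOMAIN\user or domain.tld\user, got '$($creds.UserName)'."
    }
    $sam = $creds.UserName.Split('\')[-1]

    # The operation fails for members of Protected Users; check before trying.
    $protected = Get-ADGroupMember -Identity 'Protected Users' -Server $domain -Credential $creds -Recursive |
                 Where-Object SamAccountName -eq $sam
    if ($protected) {
        throw "$sam is a member of Protected Users in $domain; use a different Domain Administrator account."
    }

    # Read PasswordLastSet from the PDC emulator before and after, so the
    # comparison is not skewed by replication between DCs.
    $pdc = (Get-ADDomain -Server $domain -Credential $creds).PDCEmulator
    $before = (Get-ADComputer -Identity 'AZUREADSSOACC' -Server $pdc -Credential $creds `
               -Properties PasswordLastSet).PasswordLastSet

    # Rolls the key on-premises and pushes the new key to Microsoft Entra ID.
    Update-AzureADSSOForest -OnPremCredentials $creds

    $after = (Get-ADComputer -Identity 'AZUREADSSOACC' -Server $pdc -Credential $creds `
              -Properties PasswordLastSet).PasswordLastSet
    if (-not $after -or ($before -and $after -le $before)) {
        Write-Warning "PasswordLastSet for AZUREADSSOACC in $domain did not advance ($before -> $after); verify the rollover before trusting it."
    } else {
        Write-Host "AZUREADSSOACC in $domain rolled: $before -> $after"
    }
}
```

If the post-check warns, it can still be replication lag if the roll was written to a DC other than the PDC emulator; re-run the PasswordLastSet query after a few minutes before treating the roll as failed. Users keep working during the roll because Azure AD accepts tickets encrypted with both the old and the new key for a short period, so do the rollover during business hours rather than postponing it.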

Conclusion and advice

Rolling the key of the AZUREADSSOACC computer account is a crucial security measure in environments that use the Seamless Single Sign-On (SSO) feature of Azure Active Directory (Microsoft Entra ID). This feature signs users in to Azure AD automatically when they are on the corporate network.

The AZUREADSSOACC account is a computer account in Active Directory that this feature depends on, and its key is not rotated automatically. Microsoft recommends rolling it at least every 30 days; the advice of this guide is to roll it on a fixed schedule and never less often than every 2 months, and to roll it immediately whenever a domain controller or a copy of the AD database may have been compromised, since a stolen key remains valid until it is replaced.
