Automate rollover AZUREADSSOACC password procedure

SenhorDolas 1,151 Reputation points
2021-09-23T13:38:46.837+00:00

Hi Everyone,

As you know the SSO computer account pw needs to be rolled over every 30 days and this is becoming less fun as the months go by...


We need to automate this and I found this script:

```powershell
# Requirements:
# Microsoft Online Services Sign-In Assistant.
# 64-bit Azure Active Directory module for Windows PowerShell.

# Cloud (Azure AD) credential, read back from a DPAPI-encrypted password file
$CloudUser = 'service_account@domain.com'
$CloudEncrypted = Get-Content "C:\Scripts\Cloud_Encrypted_Password.txt" | ConvertTo-SecureString
$CloudCred = New-Object System.Management.Automation.PsCredential($CloudUser,$CloudEncrypted)

# On-premises AD credential, same pattern
$OnpremUser = 'DOMAIN\service_account'
$OnpremEncrypted = Get-Content "C:\Scripts\Onprem_Encrypted_Password.txt" | ConvertTo-SecureString
$OnpremCred = New-Object System.Management.Automation.PsCredential($OnpremUser,$OnpremEncrypted)

# Load the SSO module shipped with Azure AD Connect, authenticate to the tenant,
# then roll the AZUREADSSOACC Kerberos decryption key for this forest
Import-Module 'C:\Program Files\Microsoft Azure Active Directory Connect\AzureADSSO.psd1'
New-AzureADSSOAuthenticationContext -CloudCredentials $CloudCred
Update-AzureADSSOForest -OnPremCredentials $OnpremCred
```

Please let me know:

  1. What are the account permissions required to perform this action?
  2. Do you guys have a better script that maybe creates a report and emails out to confirm change?
  3. A better way to automate this?

Many Thanks, M


2 answers

  1. Piotr Stępień 6 Reputation points
    2023-02-10T07:20:08.9233333+00:00

    Hello.

    AZUREADSSOACC is introduced with the inheritance flag disabled (it goes to the Computers OU initially), so hiding it somewhere and delegating at OU level will not work. Direct delegation of Read, Write, Reset password, Update password doesn't make sense; this will not work. You have to delegate Write All Properties only (up to you how).

    Basically https://learn.microsoft.com/en-us/azure/active-directory/hybrid/how-to-connect-sso-faq#how-can-i-roll-over-the-kerberos-decryption-key-of-the--azureadsso--computer-account- >> this needs an update.

    For the Azure context - you need Hybrid Admin role (I bet you don't want to use GA here).

    For the script - adapt this - https://learn.microsoft.com/en-us/azure/active-directory/hybrid/how-to-connect-sso-faq#how-can-i-roll-over-the-kerberos-decryption-key-of-the--azureadsso--computer-account-

    Remember to call Update-AzureADSSOForest with -PreserveCustomPermissionsOnDesktopSsoAccount (as you modified DACLs on AZUREADSSOACC).

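The answer above turns on what the rollover account is actually allowed to do on AZUREADSSOACC: Write All Properties on that one object, with inheritance disabled, and nothing broader. The script below is an added example (it is not from the answer or from Microsoft's documentation) that audits the object's DACL so the delegation can be verified rather than assumed: it lists every principal with write-class rights, flags the delegated service account and the well-known default holders, and marks anything else for review. It assumes the ActiveDirectory RSAT module is installed (it provides Get-ADComputer and the AD: drive used by Get-Acl); the service account name is a placeholder, and the function and variable names are mine.

```powershell
<#
  Added example, not from the original thread. Audits the DACL of the
  AZUREADSSOACC computer object: which principals can write to it, whether
  the delegated service account's ACE covers all properties (empty ObjectType
  GUID = "Write All Properties"), and whether inheritance is disabled.
  Assumption: ActiveDirectory RSAT module available; names below are placeholders.
#>
param(
    [string]$ServiceAccount = 'DOMAIN\svc-sso-rollover',   # placeholder
    [string]$SsoAccountName = 'AZUREADSSOACC'
)

Import-Module ActiveDirectory

# Rights that let a principal change the object; these are the ones that matter for least privilege.
$writeRights = [System.DirectoryServices.ActiveDirectoryRights]::GenericAll -bor
               [System.DirectoryServices.ActiveDirectoryRights]::GenericWrite -bor
               [System.DirectoryServices.ActiveDirectoryRights]::WriteProperty -bor
               [System.DirectoryServices.ActiveDirectoryRights]::WriteDacl -bor
               [System.DirectoryServices.ActiveDirectoryRights]::WriteOwner -bor
               [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight

# Well-known principals that normally hold rights on every AD object.
$expectedPrincipals = @(
    'NT AUTHORITY\SYSTEM', 'NT AUTHORITY\SELF', 'BUILTIN\Administrators',
    'BUILTIN\Account Operators', 'BUILTIN\Pre-Windows 2000 Compatible Access'
)

function Get-SsoAccountAclReport {
    $computer = Get-ADComputer -Identity $SsoAccountName
    $acl = Get-Acl -Path "AD:\$($computer.DistinguishedName)"

    $findings = foreach ($ace in $acl.Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        $hasWrite = [int]($ace.ActiveDirectoryRights -band $writeRights) -ne 0
        if (-not $hasWrite) { continue }

        $who = $ace.IdentityReference.Value
        $isAdminGroup = ($who -like '*\Domain Admins') -or ($who -like '*\Enterprise Admins')
        $status = if ($who -eq $ServiceAccount) { 'delegated (expected)' }
                  elseif ($who -in $expectedPrincipals -or $isAdminGroup) { 'default' }
                  else { 'REVIEW: unexpected write access' }

        [pscustomobject]@{
            Principal  = $who
            Rights     = $ace.ActiveDirectoryRights
            # Empty GUID: the ACE applies to all properties. A specific GUID: one attribute or extended right.
            ObjectType = if ($ace.ObjectType -eq [guid]::Empty) { '(all properties)' } else { $ace.ObjectType }
            Inherited  = $ace.IsInherited
            Status     = $status
        }
    }

    [pscustomobject]@{
        DistinguishedName    = $computer.DistinguishedName
        InheritanceDisabled  = $acl.AreAccessRulesProtected
        ServiceAccountHasAce = [bool]($findings | Where-Object Principal -eq $ServiceAccount)
        Findings             = $findings
    }
}

$result = Get-SsoAccountAclReport
"Object:               $($result.DistinguishedName)"
"Inheritance disabled: $($result.InheritanceDisabled)"
"Service account ACE:  $($result.ServiceAccountHasAce)"
$result.Findings | Sort-Object Status, Principal | Format-Table -AutoSize
```

Run it as any domain user with read access to the object (reading a DACL needs no elevated rights). A healthy result shows InheritanceDisabled true, one "delegated (expected)" row for the service account whose ObjectType is "(all properties)", default rows for SYSTEM, SELF, Administrators and the admin groups, and no "REVIEW" rows; any REVIEW row is a principal that can change the SSO key material and should be explained or removed.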

  2. Siva-kumar-selvaraj 15,551 Reputation points
    2021-09-28T08:52:26.657+00:00

    Hello @SenhorDolas ,

    Thanks for reaching out.

    You will need both domain administrator and global administrator credentials for the cmdlets below.

    • New-AzureADSSOAuthenticationContext -CloudCredentials $CloudCred: Azure AD Global Admin
    • Update-AzureADSSOForest -OnPremCredentials $OnpremCred: Domain Admin on-premises

    If you are not a domain admin and you were assigned permissions (Read, Write, Reset password, Update password on the computer object AZUREADSSOACC) by the domain admin, you should call Update-AzureADSSOForest -OnPremCredentials $creds -PreserveCustomPermissionsOnDesktopSsoAccount. To learn more, see "How can I roll over the Kerberos decryption key of the AZUREADSSO computer account".

    Unfortunately, there's no email notification by default, but you could use the Send-MailMessage PowerShell cmdlet to send a notification. For more information, refer.

    Hope this helps.

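The question asked for a version of the rollover script that confirms the change and emails a report, and the answer above points at Send-MailMessage for the notification. The script below is an added example written for this thread (not the question's script, not Microsoft's sample) that puts the two together: it reads the same DPAPI-encrypted password files, runs the same two cmdlets, and then confirms the rollover from the directory itself by comparing the AZUREADSSOACC object's PasswordLastSet before and after, rather than trusting that the cmdlet returned without error. It assumes the ActiveDirectory RSAT module is installed on the Azure AD Connect server; the SMTP host, sender and recipient are placeholders, and the switch name PreserveCustomPermissions, the function names and the report layout are mine. The real parameter it passes through, -PreserveCustomPermissionsOnDesktopSsoAccount, is the one both answers mention for a customised DACL.

```powershell
<#
  Added example, not from the original thread. Rolls the AZUREADSSOACC Kerberos
  decryption key with the two cmdlets from the question, verifies the change via
  PasswordLastSet, and emails a short report. Intended to run from a scheduled task.
  Assumptions: ActiveDirectory RSAT module present; SMTP/mail values are placeholders;
  the encrypted password files were created on this host by the task's run-as
  account (DPAPI scope), exactly as in the original script.
#>
[CmdletBinding()]
param(
    [string]$CloudUser    = 'service_account@domain.com',
    [string]$OnpremUser   = 'DOMAIN\service_account',
    [string]$CloudPwFile  = 'C:\Scripts\Cloud_Encrypted_Password.txt',
    [string]$OnpremPwFile = 'C:\Scripts\Onprem_Encrypted_Password.txt',
    [string]$SmtpServer   = 'smtp.example.internal',               # placeholder
    [string]$MailFrom     = 'sso-rollover@example.internal',       # placeholder
    [string[]]$MailTo     = @('identity-team@example.internal'),   # placeholder
    # Set this when the AZUREADSSOACC DACL was customised (see both answers above).
    [switch]$PreserveCustomPermissions
)

$ErrorActionPreference = 'Stop'
Import-Module ActiveDirectory
Import-Module 'C:\Program Files\Microsoft Azure Active Directory Connect\AzureADSSO.psd1'

function Get-SsoAccountPasswordLastSet {
    # PasswordLastSet is an extended property; Get-ADComputer returns it as a DateTime.
    (Get-ADComputer -Identity 'AZUREADSSOACC' -Properties PasswordLastSet).PasswordLastSet
}

function Read-StoredCredential([string]$User, [string]$Path) {
    # Same storage scheme as the original script: DPAPI-protected SecureString on disk.
    $secure = Get-Content -Path $Path | ConvertTo-SecureString
    New-Object System.Management.Automation.PSCredential($User, $secure)
}

$report = [ordered]@{
    Host      = $env:COMPUTERNAME
    StartedAt = (Get-Date).ToString('u')
    Result    = 'FAILED'
    Before    = $null
    After     = $null
    Error     = $null
}

try {
    $report.Before = Get-SsoAccountPasswordLastSet

    $cloudCred  = Read-StoredCredential -User $CloudUser  -Path $CloudPwFile
    $onpremCred = Read-StoredCredential -User $OnpremUser -Path $OnpremPwFile

    New-AzureADSSOAuthenticationContext -CloudCredentials $cloudCred

    $forestArgs = @{ OnPremCredentials = $onpremCred }
    if ($PreserveCustomPermissions) {
        $forestArgs['PreserveCustomPermissionsOnDesktopSsoAccount'] = $true
    }
    Update-AzureADSSOForest @forestArgs

    $report.After = Get-SsoAccountPasswordLastSet

    # The key only counts as rolled if the directory's own timestamp moved forward.
    if ($report.After -gt $report.Before) {
        $report.Result = 'SUCCESS'
    } else {
        $report.Error = 'Update-AzureADSSOForest completed but PasswordLastSet did not change.'
    }
}
catch {
    $report.Error = $_.Exception.Message
}

$body    = ($report.GetEnumerator() | ForEach-Object { '{0,-10}: {1}' -f $_.Key, $_.Value }) -join "`n"
$subject = "AZUREADSSOACC key rollover: $($report.Result) on $($report.Host)"

Send-MailMessage -From $MailFrom -To $MailTo -Subject $subject -Body $body -SmtpServer $SmtpServer

# Non-zero exit so the scheduled task's "last run result" also reflects a failure.
if ($report.Result -ne 'SUCCESS') { exit 1 }
```

Schedule it to run well inside the 30-day window (for example every 25 days) under the account that created the encrypted password files, since ConvertTo-SecureString without a key can only decrypt on the same machine and user profile. The report's Before/After pair is what gives you evidence of the rollover; a mail with Result FAILED and an empty After means the cloud or on-premises step threw, and the Error line carries the cmdlet's message.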