Impact and consequence when resetting the password for Microsoft Entra seamless SSO account?

Question

Based on this article: https://learn.microsoft.com/en-us/entra/identity/hybrid/connect/how-to-connect-sso-faq#how-can-i-roll-over-the-kerberos-decryption-key-of-the--azureadsso--computer-account-

What are the impact when resetting the Kerberos decryption key of the AZUREADSSO computer account?

If there is no impact on the current user, how can I automate this process using scheduled tasks or Azure automation?

Any help would be greatly appreciated.

Answer 1

Hi EnterpriseArchitect,

In general, there is no negative side of resetting the Kerberos decryption key of the AZUREADSSO , however some negative impacts could happen if not managed properly:

1. Service Interruptions: If not synchronized, it can cause authentication failures and service disruptions for users.
2. Authentication Failures: Timing issues during key reset may lead to temporary login problems.
3. Time Synchronization: Kerberos relies on synchronized system time; discrepancies can cause failures.
4. Hybrid Environment Issues: In hybrid setups, improper key handling may disrupt authentication between on-premises and Azure AD.

In order to avoid the above, you may want to:

• Perform resets during off-peak times.
• Ensure time synchronization and replication are correct.
• Automate the key reset process to avoid issues.

And about the last one, there is a good article from Oliver Müller https://www.cloudcoffee.ch/microsoft-azure/microsoft-entra-id-automatically-roll-over-kerberos-decryption-key/?utm_source=chatgpt.com. Please use it as reference and under your own responsibility. I recommend you to perform as many tests as you need before applying it to production.

I hope it helps.