This browser is no longer supported.
Upgrade to Microsoft Edge to take advantage of the latest features, security updates, and technical support.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(73.60000000000001, 89%, 17%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EB%3C/text%3E%3C/svg%3E)
Hi
I use a PowerShell script in an Azure Hybrid Worker Runbook to automate the rollover of the Kerberos decryption key for the AZUREADSSOACC computer account.
It uses a service account in Entra ID which is assigned the Hybrid Identity Administrator role, and a service account in AD assigned Write and Reset password permissions on the computer account.
It has been working fine for a couple of years but failed today with the following error:
Update-AzureADSSOForest: Uploading computer account information failed. Error message: Internal error: An error occurred during the 'DesktopSsoNumOfDomains' process. Contact support (Failed Request Id = 'e2879aa3-ab9e-4093-a624-c2fc0acaa430')
**
After some troubleshooting I have determined the cause to be the Entra ID service account.
The Hybrid Identity Administrator role no longer works, but if I assign the service account the Global Admin role it works as expected.
The following commands complete without error:
New-AzureADSSOAuthenticationContext
Get-AzureADSSOStatus | ConvertFrom-Json
**
I get the same error when running the command locally on the Entra ID Connect server in both PowerShell 5.1 and PowerShell 7.4.1/7.4.2
It makes no difference if I use the AD service account or a Domain Admin account, these both work when the Entra ID service account has the Global Admin role.
The docs still say we can use an account with the Hybrid Identity Administrator role, but has this changed? It would be a shame to have to go back to using the Global Admin role.
Thanks
Billy
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(294.40000000000003, 22%, 38%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ESW%3C/text%3E%3C/svg%3E)
We have since a few days te same problem. Please MS, fix this.
I would open a ticket with Azure support.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(233.6, 12%, 32%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EAD%3C/text%3E%3C/svg%3E)
Yep, same here. It worked last month but when it tried this week it had stopped working. I have a ticket with MS but haven't received a reply yet after 3 days.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(281.6, 17%, 37%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EGM%3C/text%3E%3C/svg%3E)
@Billy @Anton Dobschensky @Sander Walraven Thank you for raising this issue on QnA platform, on further investigation found that our team is aware of this issue and working internally to fix the same.
Will track the progress of the issue and will update the status here.
Thank you for the update.
@Billy As per the last update which I received, our engineering identified the issue and deployed the fix for this behavior, would request you to verify the above mentioned issue using hybrid identity administrator role and let me know the status.
@Givary-MSFT It failed again for me. I can provide the failed request ID to someone if that would be useful
@Givary-MSFT Thank you for the update, I have tested this and I no longer receive the error.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(38.4, 77%, 13%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ENT%3C/text%3E%3C/svg%3E)
Can confirm, that it again works with Hybrid Identity Admin Role. Thanks for the Updates @Givary-MSFT
MS had reached out to the ticket I had, it sounds like the fix started rolling out this weekend and hadn't reached us yet. It is now working!