Hello @richard.carrick.mcp,
Thank you for posting your query on Microsoft Q&A.
In Microsoft Entra ID Domain Services (AAD DS), the krbtgt account is managed automatically by the service. Unlike traditional on-premises Active Directory environments where you have direct control over the krbtgt account and can manually reset its password, Azure Entra ID Domain Services abstracts and automates much of the underlying management to ensure security and reliability.
In Entra ID Domain Services, the krbtgt account is managed differently compared to on-premises AD environments. Since Entra ID Domain Services is a managed service, Microsoft handles the underlying infrastructure, including the krbtgt account.
You don’t need to reset the krbtgt account in Entra ID Domain Services. The service automatically manages and rotates the krbtgt account password every seven (7) days, ensuring the security of your domain.
The reason you cannot reset the krbtgt account password is that Entra ID Domain Services doesn’t provide direct access to the underlying Active Directory database. The AD tools you installed on the VM can only read the krbtgt account information but cannot modify it.
Therefore, you can rely on Microsoft’s automated management of the krbtgt account and don’t need to take any additional steps to reset its password.
For more information, please refer to the following FAQ document, which states: "The password of the KRBTGT account in a managed domain is rolled over every seven (7) days."
I hope this information is helpful. Please feel free to reach out if you have any further questions.
Thanks,
Raja Pothuraju.
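
A read-only way to confirm the seven-day rollover described in the answer above, from a domain-joined management VM with the AD tools installed. This is an added example, not part of the original answer or Microsoft's documentation. The function name `Test-KrbtgtRotation` and the one-day grace period are assumptions, as is the expectation that `PasswordLastSet` on krbtgt reflects the managed rollover.

```powershell
# Added example: read-only check of krbtgt password age in a managed domain.
# Requires the ActiveDirectory module (RSAT) on a domain-joined VM.
Import-Module ActiveDirectory

function Test-KrbtgtRotation {                 # hypothetical helper name
    param(
        [string]$Server       = $env:USERDNSDOMAIN,  # DNS name of the managed domain
        [int]   $RolloverDays = 7,                   # interval quoted from the FAQ
        [int]   $GraceDays    = 1                    # assumption: slack before flagging
    )

    # Query only; nothing is written to the directory.
    $acct = Get-ADUser -Identity 'krbtgt' -Server $Server `
        -Properties PasswordLastSet, 'msDS-KeyVersionNumber'

    if (-not $acct.PasswordLastSet) {
        # Attribute not returned or never set: report rather than guess.
        $ageDays = $null
        $status  = 'Unknown'
    }
    else {
        $ageDays = [math]::Round(((Get-Date) - $acct.PasswordLastSet).TotalDays, 1)
        $status  = if ($ageDays -le ($RolloverDays + $GraceDays)) { 'OK' } else { 'Stale' }
    }

    [pscustomobject]@{
        Domain           = $Server
        PasswordLastSet  = $acct.PasswordLastSet
        AgeDays          = $ageDays
        KeyVersionNumber = $acct.'msDS-KeyVersionNumber'  # changes when the key changes
        Status           = $status
    }
}

Test-KrbtgtRotation
```

Comparing `KeyVersionNumber` between two runs more than a week apart gives a second confirmation that the key was rolled.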