Change Kerberos password in Entra ID DS environment

richard.carrick.mcp 41 Reputation points
2024-08-13T08:10:59.12+00:00

In an Azure environment with Entra ID Domain Services set up, there are some virtual machines in place. So, to adhere to best practice, we want to reset the krbtgt account. I know how to do this for on-prem AD environments, and I have found articles related to hybrid on-prem AD and Entra ID environments with AD Connect, but nothing specific to Entra ID Domain Services. If I load the AD tools onto a VM I can see the krbtgt user in the normal location, but I cannot reset its password. Is there a separate process for this, or does it need to be done at all in an Entra ID DS setup?

Any help greatly appreciated.

Thanks

Richard

Microsoft Entra ID
A Microsoft Entra identity service that provides identity management and access control capabilities. Replaces Azure Active Directory.

1 answer

  1. Raja Pothuraju 4,705 Reputation points Microsoft Vendor
    2024-08-16T05:44:55.5166667+00:00

    Hello @richard.carrick.mcp,

    Thank you for posting your query on Microsoft Q&A.

    In Microsoft Entra ID Domain Services (AAD DS), the krbtgt account is managed automatically by the service. Unlike traditional on-premises Active Directory environments where you have direct control over the krbtgt account and can manually reset its password, Azure Entra ID Domain Services abstracts and automates much of the underlying management to ensure security and reliability.

    In Entra ID Domain Services, the krbtgt account is managed differently compared to on-premises AD environments. Since Entra ID Domain Services is a managed service, Microsoft handles the underlying infrastructure, including the krbtgt account.

    You don’t need to reset the krbtgt account in Entra ID Domain Services. The service automatically manages and rotates the krbtgt account password every seven (7) days, ensuring the security of your domain.

    The reason you cannot reset the krbtgt account password is that Entra ID Domain Services doesn’t provide direct access to the underlying Active Directory database. The AD tools you installed on the VM can only read the krbtgt account information but cannot modify it.

    Therefore, you can rely on Microsoft’s automated management of the krbtgt account and don’t need to take any additional steps to reset its password.

    For more information, please refer to the following FAQ document, which states: "The password of the KRBTGT account in a managed domain is rolled over every seven (7) days."

    https://learn.microsoft.com/en-us/entra/identity/domain-services/faqs#is-the-password-of-the-krbtgt-account-in-a-managed-domain-rolled-periodically--if-so--what-is-the-frequency-

    I hope this information is helpful. Please feel free to reach out if you have any further questions.


    If the answer is helpful, please click "Accept Answer" and kindly upvote it. If you have extra questions about this answer, please click "Comment".

    Thanks,
    Raja Pothuraju.

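To confirm the automatic rotation described in the answer above rather than attempting a reset, here is an added PowerShell check (not part of the original thread); it assumes the RSAT ActiveDirectory module is installed on a domain-joined VM and that the signed-in account can read the managed domain.

```powershell
# Added example, not from the original Q&A thread.
# Reads the krbtgt account in an Entra Domain Services managed domain and reports
# how long ago its password was last set. The tools can read this attribute even
# though the managed service does not allow a manual reset.
Import-Module ActiveDirectory

function Get-KrbtgtPasswordAge {
    param(
        # Managed domains roll the KRBTGT password every seven days (see the FAQ linked above).
        [int]$ExpectedRotationDays = 7
    )

    $krbtgt  = Get-ADUser -Identity 'krbtgt' -Properties PasswordLastSet
    $ageDays = ((Get-Date) - $krbtgt.PasswordLastSet).TotalDays

    [pscustomobject]@{
        Account         = $krbtgt.SamAccountName
        PasswordLastSet = $krbtgt.PasswordLastSet
        AgeDays         = [math]::Round($ageDays, 1)
        WithinPolicy    = ($ageDays -le $ExpectedRotationDays)
    }
}

$result = Get-KrbtgtPasswordAge
$result

if (-not $result.WithinPolicy) {
    # In a managed domain this is not something you can fix yourself; raise it with Microsoft support.
    Write-Warning "krbtgt password is $($result.AgeDays) days old, older than the expected $ExpectedRotationDays-day rotation."
}
```

Running this periodically (for example from a monitoring job on one of the VMs) turns the FAQ statement into a verifiable control instead of an assumption.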
