ADFS Service Account required to be in Enterprise Key Admin

asked 2021-04-22T07:13:06.447+00:00
Luke Lim 531 Reputation points

I ran Invoke-ADFSFarmBehaviorLevelRaise to raise my ADFS FBL from 1 to 3.

I got a Warning: Failed to add service account xxx to Enterprise Key Admin Group. Add the service account to the Enterprise Key Admin group.

The FBL raise is listed as successful.

Can I check if this warning is because I use a normal service account instead of gMSA?
And what happens if I don't add the service account to the Enterprise Key Admin group?

Active Directory Federation Services

Accepted answer

answered 2021-04-22T20:51:07.907+00:00
Pierre Audonnet - MSFT 9,976 Reputation points Microsoft Employee

The Enterprise Key Admin group membership is required if you need to use Windows Hello for Business with ADFS and the Certificate Trust.
If you do not plan to use this, you can ignore the message and go on :)
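A way to verify the condition the warning describes, as an added example that is not part of the question or the answer: it reads the identity the adfssrv service runs as (a standard account or a gMSA), checks whether that account is in the forest root's "Enterprise Key Admins" group (resolved by its well-known RID 527), and adds it only when the `$PlanWhfbCertificateTrust` switch, an assumed variable you set yourself, is true. It assumes the ActiveDirectory RSAT module and rights to modify the group.

```powershell
# Added example (not from the question, the answer or Microsoft): check whether the
# AD FS service account is a member of "Enterprise Key Admins" and add it only when
# Windows Hello for Business certificate trust is planned. Requires the
# ActiveDirectory module and rights to change the group (e.g. Enterprise Admin).
Import-Module ActiveDirectory

# Assumed switch: set to $true only when deploying WHfB certificate trust with AD FS.
$PlanWhfbCertificateTrust = $false

# The identity AD FS runs as, taken from the adfssrv service. Works for a standard
# service account ("DOMAIN\svc") as well as a gMSA ("DOMAIN\svc$").
$svc = Get-CimInstance -ClassName Win32_Service -Filter "Name='adfssrv'"
$samAccountName = ($svc.StartName -split '\\')[-1]

# Resolve the account object (user or gMSA) in AD.
$account = Get-ADObject -Filter "sAMAccountName -eq '$samAccountName'"
if (-not $account) { throw "AD FS service account '$samAccountName' not found in AD." }

# "Enterprise Key Admins" exists only in the forest root domain; resolve it by RID 527
# so the check does not depend on a localized or renamed display name.
$rootDomain = (Get-ADForest).RootDomain
$groupSid   = "$((Get-ADDomain -Identity $rootDomain).DomainSID.Value)-527"
$group      = Get-ADGroup -Identity $groupSid -Server $rootDomain

$isMember = Get-ADGroupMember -Identity $group -Server $rootDomain |
    Where-Object { $_.distinguishedName -eq $account.DistinguishedName }

if ($isMember) {
    Write-Host "$samAccountName is already a member of $($group.Name)."
} elseif ($PlanWhfbCertificateTrust) {
    # Only needed for WHfB certificate trust; this is the action the FBL warning asks for.
    Add-ADGroupMember -Identity $group -Members $account -Server $rootDomain
    Write-Host "Added $samAccountName to $($group.Name)."
} else {
    Write-Host "$samAccountName is not in $($group.Name); membership is only needed for WHfB certificate trust, so the FBL warning can be ignored."
}
```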
