Automate rollover AZUREADSSOACC password procedure

SenhorDolas 1,031 Reputation points

Hi Everyone,

As you know the SSO computer account password needs to be rolled over every 30 days and this is becoming less fun as the months go by...

We need to automate this and I found this script:

```powershell
# Requirements:
# Microsoft Online Services Sign-In Assistant.
# 64-bit Azure Active Directory module for Windows PowerShell.

# Cloud account (UPN) used for the Azure AD authentication context.
$CloudUser = ''
# Password exported earlier with ConvertFrom-SecureString; readable only by the same user on the same machine.
$CloudEncrypted = Get-Content "C:\Scripts\Cloud_Encrypted_Password.txt" | ConvertTo-SecureString
$CloudCred = New-Object System.Management.Automation.PsCredential($CloudUser,$CloudEncrypted)
# On-premises service account that is allowed to update the AZUREADSSOACC computer object.
$OnpremUser = 'DOMAIN\service_account'
$OnpremEncrypted = Get-Content "C:\Scripts\Onprem_Encrypted_Password.txt" | ConvertTo-SecureString
$OnpremCred = New-Object System.Management.Automation.PsCredential($OnpremUser,$OnpremEncrypted)

# Module shipped with Azure AD Connect.
Import-Module 'C:\Program Files\Microsoft Azure Active Directory Connect\AzureADSSO.psd1'
New-AzureADSSOAuthenticationContext -CloudCredentials $CloudCred
# Rolls over the Kerberos decryption key (computer account password) of AZUREADSSOACC.
Update-AzureADSSOForest -OnPremCredentials $OnpremCred
```

Please let me know:

  1. What are the account permissions required to perform this action?
  2. Do you guys have a better script that maybe creates a report and emails out to confirm change?
  3. A better way to automate this?

Many Thanks, M


2 answers

  1. Siva-kumar-selvaraj 15,206 Reputation points

    Hello @SenhorDolas ,

    Thanks for reaching out.

    You will need both domain administrator and global administrator credentials for the cmdlets below.

    • New-AzureADSSOAuthenticationContext -CloudCredentials $CloudCred: Azure AD Global Admin
    • Update-AzureADSSOForest -OnPremCredentials $OnpremCred: Domain Admin on-premises

    If you are not a domain admin and you were assigned permissions (Read, Write, reset password, update password on the computer object AZUREADSSOACC) by the domain admin, you should call Update-AzureADSSOForest -OnPremCredentials $creds -PreserveCustomPermissionsOnDesktopSsoAccount. To learn more, see "How can I roll over the Kerberos decryption key of the AZUREADSSO computer account".

    Unfortunately, there's no email notification by default, but you could use the Send-MailMessage PowerShell cmdlet to send a notification. For more information, refer to its documentation.

    Hope this helps.

    Please "Accept the answer" if the information helped you. This will help us and others in the community as well.
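A wrapper around the rollover commands from the question that adds the e-mail report asked for in point 2 and verifies the change by reading PasswordLastSet on AZUREADSSOACC before and after. This is an added example, not code from the question or either answer; every path, account name, SMTP host and mailbox in it is a placeholder to adapt, and it assumes the ActiveDirectory (RSAT) module is installed on the host.

```powershell
# Added example, not from the original post. Placeholders: contoso names, file paths, SMTP server.
# Note: files written with ConvertFrom-SecureString are DPAPI-protected for the user and machine
# that created them, so the scheduled task must run as that same account on that same host.
$ErrorActionPreference = 'Stop'
$Report  = @()
$Started = Get-Date

function Get-SsoAccountPasswordLastSet {
    # PasswordLastSet on the AZUREADSSOACC computer object is the on-premises evidence
    # that the key rollover actually happened (allow for AD replication lag when reading).
    (Get-ADComputer -Identity 'AZUREADSSOACC' -Properties PasswordLastSet).PasswordLastSet
}

try {
    $CloudUser  = 'svc-ssorollover@contoso.onmicrosoft.com'   # placeholder cloud account
    $CloudCred  = [System.Management.Automation.PSCredential]::new(
        $CloudUser, (Get-Content 'C:\Scripts\Cloud_Encrypted_Password.txt' | ConvertTo-SecureString))
    $OnpremUser = 'CONTOSO\svc-ssorollover'                    # placeholder on-premises account
    $OnpremCred = [System.Management.Automation.PSCredential]::new(
        $OnpremUser, (Get-Content 'C:\Scripts\Onprem_Encrypted_Password.txt' | ConvertTo-SecureString))

    $Before  = Get-SsoAccountPasswordLastSet
    $Report += "PasswordLastSet before: $Before"

    Import-Module 'C:\Program Files\Microsoft Azure Active Directory Connect\AzureADSSO.psd1'
    New-AzureADSSOAuthenticationContext -CloudCredentials $CloudCred
    # Keep the switch only if custom rights were delegated on AZUREADSSOACC; otherwise drop it.
    Update-AzureADSSOForest -OnPremCredentials $OnpremCred -PreserveCustomPermissionsOnDesktopSsoAccount

    $After   = Get-SsoAccountPasswordLastSet
    $Report += "PasswordLastSet after:  $After"
    $Status  = if ($After -gt $Before) { 'SUCCESS' } else { 'WARNING: timestamp unchanged' }
}
catch {
    $Status  = 'FAILED'
    $Report += "Error: $($_.Exception.Message)"
}

# The subject line carries the outcome so a failed or unchanged run is visible at a glance.
$Report += "Run started $Started on $env:COMPUTERNAME"
Send-MailMessage -From 'sso-rollover@contoso.com' -To 'identity-team@contoso.com' `
    -Subject "AZUREADSSOACC rollover: $Status" -Body ($Report -join "`n") -SmtpServer 'smtp.contoso.com'
```

A WARNING result with no error usually means the read went to a DC that has not yet replicated the change; re-check PasswordLastSet after a replication interval before treating the rollover as failed.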

  2. Piotr Stępień 1 Reputation point


    AZUREADSSOACC is introduced with inheritance flag disabled (it goes to Computers OU initially) - so hiding it somewhere and delegate at OU level will not work. Direct delegation of Read, Write, reset password, update password doesn't make sense - this will not work. You have to delegate Write All Properties only (up to you how).

    Basically >> this needs an update.

    For the Azure context - you need Hybrid Admin role (I bet you don't want to use GA here).

    For the script - adapt this -

    Remember to call Update-AzureADSSOForest with -PreserveCustomPermissionsOnDesktopSsoAccount (as you modified DACLs on AZUREADSSOACC)
