SenhorDolas-2197 avatar image
0 Votes"
SenhorDolas-2197 asked SenhorDolas-2197 commented

Automate rollover AZUREADSSOACC password procedure

Hi Everyone,

As you know the SSO computer account pw needs to be rolledover every 30 days and this is becoming less fun as the months go by...


We need to automate this and I found this script:

 # Requirements:
 # Microsoft Online Services Sign-In Assistant.
 # 64-bit Azure Active Directory module for Windows PowerShell.
 $CloudUser = ''
 $CloudEncrypted = Get-Content "C:\Scripts\Cloud_Encrypted_Password.txt" | ConvertTo-SecureString
 $CloudCred = New-Object System.Management.Automation.PsCredential($CloudUser,$CloudEncrypted)
 $OnpremUser = 'DOMAIN\service_account'
 $OnpremEncrypted = Get-Content "C:\Scripts\Onprem_Encrypted_Password.txt" | ConvertTo-SecureString
 $OnpremCred = New-Object System.Management.Automation.PsCredential($OnpremUser,$OnpremEncrypted)
 Import-Module 'C:\Program Files\Microsoft Azure Active Directory Connect\AzureADSSO.psd1'
 New-AzureADSSOAuthenticationContext -CloudCredentials $CloudCred
 Update-AzureADSSOForest -OnPremCredentials $OnpremCred

Please let me know:
1. What are the account permissions required to perform this action?
2. Do you guys have a better script that maybe creates a report and emails out to confirm change?
3. A better way to automate this?

Many Thanks, M

image.png (2.1 KiB)
· 1
5 |1600 characters needed characters left characters exceeded

Up to 10 attachments (including images) can be used with a maximum of 3.0 MiB each and 30.0 MiB total.

Just checking in to see if the below answer helped. If this answers your query, please don’t forget to click "Accept the answer" and Up-Vote for the same, which might be beneficial to other community members reading this thread. And, if you have any further query do let us know.

0 Votes 0 ·

1 Answer

sikumars avatar image
0 Votes"
sikumars answered SenhorDolas-2197 commented

Hello @SenhorDolas-2197,

Thanks for reaching out.

You will need both domain administrator and global administrator credentials for the cmdlet below.

  • New-AzureADSSOAuthenticationContext -CloudCredentials $CloudCred Azure AD Global Admin

  • Update-AzureADSSOForest -OnPremCredentials $OnpremCred Domain Admin on-premises

If you are not a domain admin and you were assigned permissions (Read, Write, reset password ,update password on the computer object AZUREADSSOACC) by the domain admin, you should call Update-AzureADSSOForest -OnPremCredentials $creds -PreserveCustomPermissionsOnDesktopSsoAccount .To learn more about How can I roll over the Kerberos decryption key of the `AZUREADSSO` computer account.

Unfortunately, there's no email notification by default but you could use Send-MailMessage PowerShell cmdlet to sent notification. For more information, refer.

Hope this helps.

Please "Accept the answer" if the information helped you. This will help us and others in the community as well.

· 3
5 |1600 characters needed characters left characters exceeded

Up to 10 attachments (including images) can be used with a maximum of 3.0 MiB each and 30.0 MiB total.

Thanks for coming back to me.
I am a bit confused a to why MS has not provided a script for us to automate this procedure, specially since we have to do it every single month!

0 Votes 0 ·

@SenhorDolas-2197 , Thank you for your inputs on this one . We will take this as feedback and get it updated in the documentation .

0 Votes 0 ·

Please can you link me to said documentation for my records?

0 Votes 0 ·