Azure AD SSO Key

Azure AD Seamless SSO enables single sign-on (SSO) to the Azure AD/Office 365 portal. When a user opens the portal, the domain-joined computer performs Kerberos authentication and passes the resulting ticket through the web browser, so the user is not prompted for a password.

AZUREADSSOACC computer account

The Seamless SSO feature requires a computer account named AZUREADSSOACC. This computer account is created automatically, and its password (Kerberos key) is shared with Azure AD. When the user reaches the Azure AD login page and enters a username, a script runs in the background that makes the user's computer request a Kerberos service ticket for AZUREADSSOACC. The domain controller returns the ticket to the user, and the browser forwards it to Azure AD over the secure session. Azure AD decrypts the Kerberos ticket with the previously shared key and then issues a token to the application.

Reset the key manually

It is strongly recommended to change the password of this account manually and to do so regularly. The rollover must be performed in every AD forest where Azure AD Connect Seamless SSO is enabled. From the Azure AD Connect server, open a PowerShell prompt and import the Azure SSO PowerShell module.

Import-Module "C:\Program Files\Microsoft Azure Active Directory Connect\AzureADSSO.psd1"

Import powershell module

Enter the following command to sign in to Azure AD. Enter the credentials of a Global Admin account.

New-AzureADSSOAuthenticationContext 
Connect to Microsoft Azure

Retrieve the status of Azure AD Seamless Single Sign-On for the forest.

Get-AzureADSSOStatus | ConvertFrom-Json
Retrieve information about SSO

The password of the AZUREADSSOACC account can now be updated. A PowerShell variable is used to store the Active Directory credential. Use the SamAccountName of the account (domain\user). The user must be a member of the Active Directory group Enterprise Administrator.

This AD admin credential is used to reset the password of the computer account. On the PowerShell prompt, run the following command.

$cred = Get-Credential
get-credential

Enter the credentials of the Active Directory admin account and click OK. Then run the following command.

Update-AzureADSSOForest -OnPremCredentials $Cred
Reset password of computer account

From your domain controller, run the following command to verify that the password has been rotated (PasswordLastSet should show the current date).

Get-ADComputer AZUREADSSOACC -Properties * | FL Name,PasswordLastSet
Password has been rotated
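The steps above, combined into one script as an added example that is not part of the original post: it measures the age of the AZUREADSSOACC key first, warns when it is past a chosen threshold, and only when run with -Rotate performs the sign-in, the rollover and the PasswordLastSet comparison. The module path and cmdlet names are the ones shown in the post; the 30-day threshold, the function name Get-SsoKeyAge and the parameter names are assumptions of this example, and it assumes the ActiveDirectory RSAT module is available on the machine where it runs.

```powershell
# Added example, not the original post's code. Rolls the Seamless SSO key and
# verifies that PasswordLastSet advanced. Run from an elevated PowerShell on the
# Azure AD Connect server (RSAT ActiveDirectory module assumed to be installed).
param(
    # Default module path as given in the post
    [string]$ModulePath  = "C:\Program Files\Microsoft Azure Active Directory Connect\AzureADSSO.psd1",
    [string]$AccountName = "AZUREADSSOACC",
    # Assumed threshold: warn when the key is older than this many days
    [int]$MaxAgeDays     = 30,
    # Without -Rotate the script only reports the key age (read-only check)
    [switch]$Rotate
)

Import-Module ActiveDirectory
Import-Module $ModulePath

# Hypothetical helper: returns the account name, PasswordLastSet and age in days
function Get-SsoKeyAge {
    param([string]$Name)
    $acct = Get-ADComputer -Identity $Name -Properties PasswordLastSet
    $age = if ($acct.PasswordLastSet) {
        [int]((Get-Date) - $acct.PasswordLastSet).TotalDays
    } else {
        [int]::MaxValue   # never set: treat as overdue
    }
    [pscustomobject]@{
        Name            = $acct.Name
        PasswordLastSet = $acct.PasswordLastSet
        AgeDays         = $age
    }
}

$before = Get-SsoKeyAge -Name $AccountName
if ($before.AgeDays -gt $MaxAgeDays) {
    Write-Warning ("{0} key is {1} days old (limit {2} days); rollover is due." -f
        $before.Name, $before.AgeDays, $MaxAgeDays)
}

if (-not $Rotate) {
    return $before
}

# Step 1: sign in to Azure AD with a Global Admin account (interactive prompt)
New-AzureADSSOAuthenticationContext

# Step 2: show the current Seamless SSO status for the forest
Get-AzureADSSOStatus | ConvertFrom-Json | Format-List

# Step 3: on-premises AD admin credential (domain\user) used to reset the computer account
$cred = Get-Credential -Message "Active Directory admin account (domain\user)"

# Step 4: reset the AZUREADSSOACC password and push the new key to Azure AD
Update-AzureADSSOForest -OnPremCredentials $cred

# Step 5: verify the rollover actually happened before trusting it
$after = Get-SsoKeyAge -Name $AccountName
if ($null -eq $after.PasswordLastSet -or $after.PasswordLastSet -le $before.PasswordLastSet) {
    throw "PasswordLastSet did not advance for $($after.Name); the rollover did not succeed."
}
$after
```

Run the script without parameters as a scheduled read-only check (it exits with a warning when the key is overdue), and with -Rotate when performing the rollover. Because Seamless SSO must be rolled in every forest where it is enabled, run it once per forest on that forest's Azure AD Connect server.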
