Azure AD Seamless SSO permit to enable SSO (Single Sign On) with Azure AD/Office 365 portal. When users try to connect to portal, their computer computer is be able to carry out Kerberos authentification to pass credential via the web browser. The password is not requested from the user.
AZUREADSSOACC computer account
Single Sign On feature require a computer account referred to as AZUREADSSOACC. This computer account is created automatically. The password of this account is shared with Azure AD. When accessing the Azure AD login page and after entering the username, a script is executed in the background to ask the user to access AZUREADSSOACC. A Kerberos ticket is returned to the user by the domain controller. The ticket is subsequently forwarded to Azure AD via the secure browser session. Azure AD password decrypts the Kerberos ticket using the previously shared key. Azure AD sends a token to the application.
Reset the key manually
It is strongly recommended to change the account password manually. This should be done regularly. It must be realized on other domain in the AD forest who the AD Connect Seamless SSO is enabled. From the Azure AD Connect server, open Powershell prompt and import Azure SSO powershell module.
Import-Module "C:\Program Files\Microsoft Azure Active Directory Connect\AzureADSSO.psd1"
Enter the following command to sign in on Azure AD. Enter the credential of Global Admin Account
Retrieve the status of the Azure AD Single Sign On with the Single Sign On.
Get-AzureADSSOStatus | ConvertFrom-Json
The password of AZUREADSSOACC account can be updated. We use a powershell variable to store the Active Credential. Use the SamAccountName of the account (domain\user). The user must be a member of the Active Directory group Enterprise Administrator.
This credential of Ad Admin Account he used for reset password of the computer account. On the powershell prompt, run the following command.
Enter credential of Active Directory Admin Account and click on OK. Run the following command
Update-AzureADSSOForest -OnPremCredentials $Cred
From your Domain controller run the following command to verify if password has been rotating.
Get-ADComputer AZUREADSSOACC -Properties * | FL Name,PasswordLastSet