Microsoft recommends rotating the Encryption Key for this sensitive account every 30 days. This blog, which is Part 1 of a series, will review how to do it manually and in Part 2 we will demonstrate how to automate it and run it on a schedule.
A little about Azure AD Seamless Single Sign On
Azure AD Seamless SSO allows you to enable Single Sign on into Azure AD / Office 365. This is a great feature that your end users will really enjoy and the best part about this is that it doesn’t even require an Azure AD Premium license!
This feature allows end users to experience Single Sign On (SSO) in a similar fashion to ADFS but without all the infrastructure required to maintain ADFS!
Put simply, when a user attempts to sign into a Microsoft login page e.g. https://portal.office.com their computer will be able to leverage Kerberos authentication to pass credentials directly via the web browser and they will not have to enter their password.
There are a few requirements you will need in order for this to work and they are:
- You must have the Single Sign On feature enabled in AD Connect
- You must be using a supported browser, see HERE for more details
- The AD UserPrincipalName (UPN) of the logged in user must match the Office 365 UPN / Sign on
- The user must be using a domain joined computer and be able to communicate with a Domain Controller
- You must add the following URL to the Local Intranet Zone of Internet Explorer Security settings
How it works
This functionality is achieved by using a special computer account in AD called AZUREADSSOACC, which represents Azure AD. The password of this account is securely shared with Azure AD. When a user is at the Azure AD sign-in page and has entered their username (or a domain hint is being used in the URL), a Java script runs in the background to require the user to access AZUREADSSOACC. The domain controller provides a Kerberos ticket back to the user which is then passed on to Azure AD via the secure browser session. Azure AD decrypts the Kerberos ticket, which includes the identity of the user signed into the domain-joined device, by using the previously shared key.
After evaluation, Azure AD either returns a token back to the application or asks the user to perform additional proofs, such as Multi-Factor Authentication
So far so good?
Due to the sensitive nature of this password, Microsoft highly recommends rotating the AZUREADSSOACC account password every 30 days. It’s been rumored that there is supposed to be functionality built into Azure AD Connect that will do it automatically however that has yet to be announced.
How to reset the key manually
You must reset the AZUREADSSOACC Kerberos Key in each AD Domain within the Forest where AD Connect Seamless SSO is enabled. To determine which domains are configured in your environment, do the following on your AD Connect Server from PowerShell:
Import-Module “C:\Program Files\Microsoft Azure Active Directory Connect\AzureADSSO.psd1”
New-AzureADSSOAuthenticationContext #Sign in with a Global Admin account
Get-AzureADSSOStatus | ConvertFrom-Json
Note the Domains field. If you have multiple domains, you will need to reset the AZUREADSSOACC password by issuing the following command in each AD domain:
You will be prompted for credentials- use a Domain Admin for the AD domain you are running it. Use the SamAccountName format e.g. DOMAIN\Username.
Do this in each AD domain as required. If you will run this for several domains from the same PowerShell session, you can capture the credentials to a variable:
$Cred = Get-Credential
Update-AzureADSSOForest -OnPremCredentials $Cred
Note: this is the quick and dirty method. In Part 2 when we automate this, we will not be using a Domain Admin account, we will use a least privileged model account
To confirm that it worked, open PowerShell from a Domain Controller in each domain where you ran the command and run:
Get-ADComputer AZUREADSSOACC -Properties * | FL Name,PasswordLastSet
The PasswordLastSet time stamp should coincide with when you ran the command
At this point verify that Seamless SSO still works.
The steps above will get the job done but this would need to be done manually every 30 days and let’s face it, manually doing tasks on a schedule is, well, lame! I hope you enjoyed this blog and please reach out to us if you have any questions. Stay tuned for Part 2 of this blog in which we will show how to automate this using Azure Automation with Hybrid Runbook Workers!
Want more insights like this delivered to your inbox? Make sure you sign up for Insentragram.
Enter your details to join Insentragram
ABOUT THE AUTHOR
Senior Cloud Architect at Insentra
A Consultant within our Cloud and Collaboration practice, Neil is responsible for working with customers to implement Microsoft Cloud solutions in Azure and Office 365 on both presales as well as delivery functions.
Neil enjoys over 20 years of diversified industry experience across a variety of technology solutions which aids him in being able to visualize all of the components comprising a finished solution including infrastructure services, networking, security, identity, application, n-tier architecture, availability, business continuity, disaster recovery, data governance, compliance and combining IaaS, PaaS, and SaaS services.
Prior to joining Insentra in 2018, Neil worked with a New York City based Microsoft Partner implementing Azure and Office 365 solutions in both cloud native as well as hybrid environments. In addition to performing presales and project execution, Neil excelled at working directly with customers on behalf of Microsoft as a Partner Seller (P-Seller) and Partner Cloud Solutions Architect (P-CSA) delivering envisioning and whiteboarding sessions as well as conducting technical webinars. Before becoming a consultant in 2014, Neil was on the customer side working as Systems Administrator, Network Engineer and IT Director.
Neil has recently relocated to Houston, TX after living his entire life in the New York City metropolitan area and enjoys a great family life, with a loving wife and two beautiful young daughters who are his pride and joy!
A SUMMARY OF KEY SKILLS:
• Migrating VM’s, applications and entire datacenters to Microsoft Azure
• Hybrid networking between premises, colocations and the cloud using VPN, ExpressRoute and SDWAN
• Leveraging the cloud for business continuity and disaster recovery
• Azure IaaS, networking, security and resiliency limitations and best practices
• Azure Active Directory (AAD) hybrid identity deployment and management
• Enterprise Mobility + Security (EMS) including Multi-Factor Authentication (MFA), Conditional Access (CA), Self Service Password Reset (SSPR) Intune device management and Identity Protection services
• Microsoft Cloud App Security (MCAS)
• Identity federation and Single Sign-on (SSO)
• Azure enterprise subscription governance
• PowerShell scripting and Azure Automation
• Office 365 management
• Active Directory Domain Services (ADDS) maintenance, troubleshooting and best practices
• Microsoft infrastructure technologies including Group Policy, Failover Clustering, Hyper V, SQL, RDS etc.
• General datacenter components e.g. servers, hypervisors, storage, switching, routing, firewalls, LB’s etc.
• Authoring architectural documentation and Visio diagrams