Azure AD SSO: Updating the SSO Decryption Key

Firstly, Microsoft has provided a helpful and straightforward guide on this process. This article reinforces the point that updating the Single Sign-On (SSO) decryption key isn’t as daunting as it might seem. Keeping your environment up to date is crucial for maintaining security, and rolling the SSO key is one of those tasks that shouldn’t be overlooked.

Prerequisites

To get started, we’re going to need a few things in place:

1. Azure AD PowerShell Module

The Azure AD module allows us to interact with Azure Active Directory using PowerShell. Here’s how you can install it:

  • Open PowerShell as Administrator and run the following commands:
PowerShell
Install-Module AzureAD -Scope CurrentUser
Import-Module AzureAD

It’s best to perform this on the server where Azure AD/EntraID Connect Sync is installed, as this will save time when we need to work with the synchronization environment.

2. Administrator Accounts

Ensure you have the following accounts ready:

  • Domain Administrator credentials.
  • Microsoft 365 Administrator credentials.

These are necessary to authenticate and carry out the update.


The Key Roll-Over Process

Once you have the prerequisites, follow these steps to update the SSO decryption key. This will refresh the key used for Single Sign-On, ensuring your environment stays secure.

Step 1: Log into the Azure AD Connect Server

Start by logging into the server where Azure AD/EntraID Connect Sync is installed.

Step 2: Launch PowerShell

Open PowerShell as Administrator.

Step 3: Import the Azure AD Module

You’ll need to import the Azure AD PowerShell module to use the required cmdlets. Run the following:

PowerShell
Import-Module AzureAD

Step 4: Navigate to the Azure AD Connect Directory

Navigate to the directory where Azure AD Connect is installed:

PowerShell
cd "$env:ProgramFiles\Microsoft Azure Active Directory Connect"

Step 5: Import the Azure AD SSO Module

We’ll now import the AzureADSSO module, which contains the tools required to manage Single Sign-On settings:

PowerShell
Import-Module .\AzureADSSO.psd1

Step 6: Create an Azure Session

Now, create an Azure session by running the following command. This will prompt you to sign into your Azure tenant using your Microsoft 365 Administrator credentials.

PowerShell
New-AzureADSSOAuthenticationContext

Note: If this command fails due to a TLS error, ensure that TLS 1.2 is enabled on the server. I’ve included the command to force TLS 1.2 at the end of this article.

Step 7: Check SSO Status

To gather a list of domains associated with your Azure tenant and check the status of SSO, use the following command:

PowerShell
Get-AzureADSSOStatus | ConvertFrom-Json

This will give you a clear overview of which domains have SSO enabled.

Step 8: Create Credentials for Domain Administrator

Next, we’ll create a variable to store the credentials for your Domain Administrator account. Be sure to enter the username in DOMAIN\username form, i.e. the SAM account name prefixed with the domain (e.g., Contoso\Administrator):

PowerShell
$credentials = Get-Credential

Step 9: Roll Over the Decryption Key

Finally, we initiate the process to roll over the decryption key for SSO:

PowerShell
Update-AzureADSSOForest -OnPremCredentials $credentials

Warning: Do not run this command more than once without checking the key status. Re-running the command unnecessarily can cause issues in your environment.

Step 10: Repeat for Each AD Forest

If your organization has multiple Active Directory forests, repeat the process using the appropriate credentials for each one. Each forest needs to have its decryption key updated individually.
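The whole procedure from Step 2 onward, wrapped in one script as an added example (this is not from Microsoft's guide or the original article). It forces TLS 1.2 up front, records SSO status before and after, rolls the key once per forest, and refuses to process the same forest twice in a run. The function name, the forest list and the DOMAIN\user check are this example's own assumptions.

```powershell
# Added example, not part of the original article. Assumes the AzureAD and
# AzureADSSO modules from the Prerequisites and Step 5 are installed on the
# Azure AD Connect server and that the script runs in an elevated PowerShell.

# Force TLS 1.2 first so the Azure sign-in does not fail with a TLS error.
[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12

function Invoke-SsoKeyRollover {
    param(
        # Constructed sample forest names; replace with your own forests.
        [string[]]$Forests = @('contoso.local')
    )
    Import-Module AzureAD
    Set-Location "$env:ProgramFiles\Microsoft Azure Active Directory Connect"
    Import-Module .\AzureADSSO.psd1

    # Interactive sign-in with the Microsoft 365 Administrator account.
    New-AzureADSSOAuthenticationContext

    # Capture SSO status before changing anything so the run can be audited.
    $before = Get-AzureADSSOStatus | ConvertFrom-Json
    Write-Host 'SSO status before roll-over:'
    $before | Format-List | Out-String | Write-Host

    # Remember processed forests so Update-AzureADSSOForest is never run twice
    # for the same forest in one session (see the warning in Step 9).
    $done = New-Object 'System.Collections.Generic.HashSet[string]'
    foreach ($forest in $Forests) {
        if (-not $done.Add($forest.ToLowerInvariant())) {
            Write-Warning "Skipping duplicate forest entry '$forest'"
            continue
        }
        # Domain Administrator for this forest, entered as DOMAIN\username.
        $cred = Get-Credential -Message "Domain Administrator for forest $forest (DOMAIN\username)"
        if ($cred.UserName -notmatch '^[^\\]+\\[^\\]+$') {
            throw "Credential for $forest must be in DOMAIN\username form"
        }
        Update-AzureADSSOForest -OnPremCredentials $cred
        Write-Host "Rolled SSO decryption key for forest $forest at $(Get-Date -Format o)"
    }

    # Re-read status so the result can be compared with the portal date.
    $after = Get-AzureADSSOStatus | ConvertFrom-Json
    Write-Host 'SSO status after roll-over:'
    $after | Format-List | Out-String | Write-Host
    return $after
}

Invoke-SsoKeyRollover -Forests @('contoso.local', 'fabrikam.local')
```

After the run, confirm the updated decryption key date in the Entra ID portal as described in the next section.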


Verifying the Key Update

Once the process is complete, log into the EntraID portal and navigate to the Azure AD Connect Sync page. You should now see an updated decryption key date for each of the forests you processed.


Important Note: Key Maintenance

It’s crucial to update the SSO decryption key at least every 30 days to ensure that the key remains valid and secure. Set a reminder to run this process regularly to avoid potential SSO disruptions.


Troubleshooting: Enabling TLS 1.2

As of April 2020, the PowerShell Gallery and many Microsoft services no longer support older TLS versions (1.0 or 1.1). If you encounter issues during the process, you may need to enforce TLS 1.2 on your server. Use the following command:

PowerShell
[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12

Running this ensures that the server uses TLS 1.2, which is required for connecting to modern Azure services.


Conclusion

Updating the Azure AD SSO decryption key is a straightforward but essential process for keeping your environment secure. By following the steps outlined above, you can ensure that your Single Sign-On configurations remain up to date and continue to function smoothly. Make sure to schedule regular checks and updates to prevent any unnecessary security risks.