EntraID Cloud Connect Key Rollover

Firstly, Microsoft has provided a helpful and straightforward guide on this process. This article serves to reinforce the fact that updating the Single Sign-On (SSO) decryption key isn’t as scary as it might seem. Keeping your environment up to date is crucial for maintaining security, and updating the SSO key is one of those tasks that shouldn’t be overlooked.
Prerequisites
To get started, we’re going to need a few things in place:
1. Azure AD PowerShell Module
The Azure AD module allows us to interact with Azure Active Directory using PowerShell. Here’s how you can install it:
Install-Module AzureAD -Scope CurrentUser
Import-Module AzureAD
It’s best to perform this on the server where Azure AD/EntraID Connect Sync is installed, as this will save time when we need to work with the synchronization environment.
2. Administrator Accounts
Ensure you have the following accounts ready:
- Domain Administrator credentials
- Microsoft 365 Administrator credentials
These are necessary to authenticate and carry out the update.
The Key Roll-Over Process
Once you have the prerequisites, follow these steps to update the SSO decryption key. This will refresh the key used for Single Sign-On, ensuring your environment stays secure.
Step 1: Log into the Azure AD Connect Server
Start by logging into the server where Azure AD/EntraID Connect Sync is installed.
Step 2: Launch PowerShell
Open PowerShell as Administrator.
Step 3: Import the Azure AD Module
Import-Module AzureAD
Step 4: Navigate to the Azure AD Connect Directory
Set-Location "$env:ProgramFiles\Microsoft Azure Active Directory Connect"
Step 5: Import the Azure AD SSO Module
Import-Module .\AzureADSSO.psd1
Step 6: Create an Azure Session
New-AzureADSSOAuthenticationContext
If this command fails due to a TLS error, ensure that TLS 1.2 is enabled on the server. See troubleshooting below.
Step 7: Check SSO Status
Get-AzureADSSOStatus | ConvertFrom-Json
This will give you a clear overview of which domains have SSO enabled.
Step 8: Create Credentials for Domain Administrator
$credentials = Get-Credential
Use the sAMAccountName format (DOMAIN\username, e.g., Contoso\Administrator).
Step 9: Roll Over the Decryption Key
Update-AzureADSSOForest -OnPremCredentials $credentials
Do not run this command more than once without checking the key status.
Step 10: Repeat for Each AD Forest
Repeat the process using the appropriate credentials for each forest.
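The ten steps above, gathered into one script as an added example (it is not code from the original article or from Microsoft's module documentation). It adds the check a practitioner wants before Step 9: the rollover resets the password of the Seamless SSO computer account AZUREADSSOACC in on-premises AD, so its PasswordLastSet timestamp is the key age, and the script only rolls the key when that age exceeds the 30-day window, then confirms on premises that the timestamp was reset. It assumes an elevated PowerShell on the Entra Connect server, the RSAT ActiveDirectory module, and that AZUREADSSOACC lives in the session's default domain; the 30-day limit and the hypothetical helper name Get-SsoKeyAgeDays are the author's choices here.

```powershell
# Added example, not from the original article or from Microsoft's module documentation.
# Rolls the Seamless SSO Kerberos decryption key for the current forest only when the
# key is older than the 30-day window, then verifies that the rollover took effect.
# Assumptions: elevated PowerShell on the Entra Connect server, RSAT ActiveDirectory
# module installed, and the SSO computer account AZUREADSSOACC in the default domain.
[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12

Import-Module AzureAD
Import-Module ActiveDirectory
Import-Module "$env:ProgramFiles\Microsoft Azure Active Directory Connect\AzureADSSO.psd1"

$MaxKeyAgeDays = 30

function Get-SsoKeyAgeDays {
    # Update-AzureADSSOForest resets the password of AZUREADSSOACC,
    # so PasswordLastSet is the date of the current decryption key.
    $acct = Get-ADComputer -Identity 'AZUREADSSOACC' -Properties PasswordLastSet
    return ((Get-Date) - $acct.PasswordLastSet).TotalDays
}

$before = Get-SsoKeyAgeDays
if ($before -lt $MaxKeyAgeDays) {
    Write-Output ("Key is {0:N0} days old, below the {1}-day limit; not rolling over." -f $before, $MaxKeyAgeDays)
    return
}

# Authenticate to Entra ID (prompts for Microsoft 365 administrator credentials)
# and show which domains have Seamless SSO enabled.
New-AzureADSSOAuthenticationContext
Get-AzureADSSOStatus | ConvertFrom-Json

# Domain Administrator in DOMAIN\username form, e.g. Contoso\Administrator.
$credentials = Get-Credential -Message 'Domain Administrator (DOMAIN\username)'
Update-AzureADSSOForest -OnPremCredentials $credentials

# Verify on premises: the password timestamp should now be minutes old, not days.
$after = Get-SsoKeyAgeDays
if ($after -lt 1) {
    Write-Output 'Rollover confirmed: AZUREADSSOACC password timestamp was reset.'
} else {
    Write-Warning ("AZUREADSSOACC PasswordLastSet still reports {0:N0} days; check the portal before retrying." -f $after)
}
```

Run it once per forest, pointing Get-ADComputer at the right domain with -Server if the forest is not the session's default.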
Verifying the Key Update
Log into the EntraID portal and navigate to the Azure AD Connect Sync page. You should now see an updated decryption key date for each forest.
Important Note: Key Maintenance
Update the SSO decryption key at least every 30 days to ensure it remains valid and secure.
Troubleshooting: Enabling TLS 1.2
If New-AzureADSSOAuthenticationContext fails with a TLS error, force the current PowerShell session to use TLS 1.2:
[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
Conclusion
Updating the Azure AD SSO decryption key is a straightforward but essential process for keeping your environment secure. By following the steps outlined above, you can ensure that your Single Sign-On configurations remain up to date and continue to function smoothly. Schedule regular checks and updates to prevent any unnecessary security risks.