Azure AD sync SSO disable RC4

Enforcing AES256 for the Azure AD SSO Account in Active Directory

  1. In Active Directory Users and Computers, go to the OU that holds the computer accounts (Advanced Features must be turned on in the View menu for the Attribute Editor tab to be visible).
  2. Right-click the Azure AD SSO computer account AZUREADSSOACC and open the Attribute Editor tab.
  3. Set msDS-SupportedEncryptionTypes to 16 (decimal; this is the AES256-CTS-HMAC-SHA1-96 bit only, so RC4 is no longer offered for this account) and confirm with OK.

Roll-Over of the Kerberos Decryption Key (to enable SSO again)

On the Azure AD Connect server:

  1. Run PowerShell as Administrator and run the following commands.
  2. cd "$env:ProgramFiles\Microsoft Azure Active Directory Connect"
  3. Import-Module .\AzureADSSO.psd1
  4. New-AzureADSSOAuthenticationContext (enter credentials in the pop-up).
  5. Get-AzureADSSOStatus | ConvertFrom-Json (lists the AD forests on which this feature has been enabled; look at the "Domains" list).
  6. $creds = Get-Credential (enter Domain Admin credentials in jty\AID format).
  7. Update-AzureADSSOForest -OnPremCredentials $creds (updates the Kerberos decryption key for the AZUREADSSO computer account in this AD forest and pushes the new key to Azure AD).
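The two procedures above as one script, added here as an example and not taken from the page or from Microsoft: it decodes the current msDS-SupportedEncryptionTypes bitmask on AZUREADSSOACC so you can see whether RC4 is still allowed, sets the value to 16 only when needed, and then rolls the decryption key with the same cmdlets listed in steps 2 to 7. It assumes the ActiveDirectory RSAT module is available on the Azure AD Connect server and that the account name and module path are as given above.

```powershell
# Added example: check and enforce AES256 on AZUREADSSOACC, then roll the key.
# Run in an elevated PowerShell on the Azure AD Connect server.
Import-Module ActiveDirectory

# msDS-SupportedEncryptionTypes is a bitmask; 0x10 (decimal 16) is AES256 only.
$EtypeFlags = [ordered]@{
    'DES-CBC-CRC' = 0x01
    'DES-CBC-MD5' = 0x02
    'RC4-HMAC'    = 0x04
    'AES128-CTS'  = 0x08
    'AES256-CTS'  = 0x10
}

function Get-SsoEtypes {
    # Returns the raw value, the decoded etype names and an RC4 flag.
    $acc   = Get-ADComputer -Identity 'AZUREADSSOACC' -Properties 'msDS-SupportedEncryptionTypes'
    $value = [int]($acc.'msDS-SupportedEncryptionTypes')   # $null (unset) becomes 0
    $names = $EtypeFlags.GetEnumerator() |
        Where-Object { $value -band $_.Value } |
        ForEach-Object { $_.Key }
    [pscustomobject]@{
        Value      = $value
        Enabled    = if ($value -eq 0) { '(not set: KDC defaults apply, RC4 included)' } else { $names -join ', ' }
        RC4Allowed = ($value -eq 0) -or [bool]($value -band 0x04)
    }
}

$before = Get-SsoEtypes
"Before: value=$($before.Value) enabled=$($before.Enabled)"

if ($before.RC4Allowed) {
    # Same change as step 3 above: AES256 only.
    Set-ADComputer -Identity 'AZUREADSSOACC' -Replace @{ 'msDS-SupportedEncryptionTypes' = 16 }
}

# Roll over the Kerberos decryption key so the key material in use is AES256
# and Azure AD receives the new key (steps 2 to 7 above).
Set-Location "$env:ProgramFiles\Microsoft Azure Active Directory Connect"
Import-Module .\AzureADSSO.psd1
New-AzureADSSOAuthenticationContext                      # credential pop-up
(Get-AzureADSSOStatus | ConvertFrom-Json).Domains        # forests with SSO enabled
$creds = Get-Credential -Message 'Domain Admin credentials (DOMAIN\user)'
Update-AzureADSSOForest -OnPremCredentials $creds

$after = Get-SsoEtypes
"After:  value=$($after.Value) enabled=$($after.Enabled) rc4=$($after.RC4Allowed)"
```

The "After" line should report value 16, AES256-CTS only and rc4=False; if it still shows RC4, the Set-ADComputer call did not take effect and the rollover was done against the old etype set.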

References:

  - Secure Active Directory + Azure AD SSO and disable RC4 HMAC (azuregeek.io)
  - Roll over Kerberos decryption key for Seamless SSO computer account (Azure Cloud & AI Domain Blog, azurecloudai.blog)
  - Azure AD Connect (Microsoft Entra | Microsoft Learn)
  - Decrypting the Selection of Supported Kerberos Encryption Types (Microsoft Community Hub)