
REOPEN: Question about how many times you should run Update-AzureADSSOForest in a given timespan #701

Open
withersravenel opened this issue Apr 23, 2024 · 6 comments

Comments

@withersravenel

In the section "How can I roll over the Kerberos decryption key of the AZUREADSSO computer account?" it states that "We highly recommend that you roll over the Kerberos decryption key at least every 30 days." but then at the bottom it states "Ensure that you don't run the Update-AzureADSSOForest command more than once per forest." Should that say don't run it more than once per forest every x days/hours, or does it really mean don't run it more than once ever? It sounded like we need to run "Update-AzureADSSOForest" at least every 30 days, but then it says not to run it more than once.



@TPavanBalaji

@withersravenel
Thanks for your feedback! We will investigate and update as appropriate.

@SaibabaBalapur-MSFT
Contributor

@withersravenel
The recommendation to roll over the Kerberos decryption key at least every 30 days is to ensure maximum security. However, you should not run the Update-AzureADSSOForest command more than once per forest. This command is used to update the Azure AD Seamless Single Sign-On configuration in your on-premises environment and should only be run when necessary, such as when you make changes to your on-premises Active Directory environment or when you need to troubleshoot an issue with Seamless SSO. Running this command more than once per forest can cause issues with your Seamless SSO configuration. So, to clarify, you should roll over the Kerberos decryption key at least every 30 days, but you should only run the Update-AzureADSSOForest command when necessary and not more than once per forest.

@withersravenel
Author

The instructions on how to roll over the Kerberos decryption key state:
"...
2. Call Update-AzureADSSOForest -OnPremCredentials $creds. This command updates the Kerberos decryption key for the AZUREADSSO computer account in this specific AD forest and updates it in Microsoft Entra ID.
..."
Is there a way to roll over the Kerberos decryption key without running the Update-AzureADSSOForest command?
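As an added example (not from the docs or from this thread), a PowerShell check that reports how long it has been since the AZUREADSSO computer account's Kerberos decryption key was last rolled over in each on-premises forest, against the 30-day recommendation quoted above. It assumes the RSAT ActiveDirectory module is installed, that the account is named AZUREADSSO as in the quoted docs, and that the rollover resets that account's password (so PasswordLastSet tracks the key's age).

```powershell
# Added example: per-forest age of the AZUREADSSO Kerberos decryption key.
# Assumptions: RSAT ActiveDirectory module available; account name AZUREADSSO;
# the rollover resets the account password, so PasswordLastSet approximates
# when the key was last rolled. The forest names below are constructed samples.
function Get-SeamlessSsoKeyAge {
    param(
        [Parameter(Mandatory)] [string[]] $Forest,  # forest root DNS names
        [int] $MaxAgeDays = 30                       # the docs' recommendation
    )
    Import-Module ActiveDirectory -ErrorAction Stop
    foreach ($f in $Forest) {
        $acct = Get-ADComputer -Server $f -Filter "Name -eq 'AZUREADSSO'" `
                    -Properties PasswordLastSet -ErrorAction SilentlyContinue
        if (-not $acct) {
            [pscustomobject]@{
                Forest = $f; KeyLastRolled = $null; AgeDays = $null
                Status = 'AZUREADSSO account not found (Seamless SSO not enabled here?)'
            }
            continue
        }
        $age = (New-TimeSpan -Start $acct.PasswordLastSet -End (Get-Date)).Days
        [pscustomobject]@{
            Forest        = $f
            KeyLastRolled = $acct.PasswordLastSet
            AgeDays       = $age
            Status        = if ($age -gt $MaxAgeDays) { "ROLLOVER DUE (> $MaxAgeDays days)" } else { 'OK' }
        }
    }
}

# Usage (constructed forest names): list which forests are past the 30-day mark,
# then run the documented rollover step once for each such forest, not more.
Get-SeamlessSsoKeyAge -Forest 'corp.contoso.com', 'emea.contoso.com' |
    Format-Table Forest, KeyLastRolled, AgeDays, Status -AutoSize
# For each forest reported as due, sign in with New-AzureADSSOAuthenticationContext
# and then call the documented step for that forest:
#   Update-AzureADSSOForest -OnPremCredentials $creds
```

The report resolves the apparent contradiction in practice: one rollover per forest per maintenance window, repeated whenever the key age exceeds the recommended interval.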

@SaibabaBalapur-MSFT
Contributor

@withersravenel
Since this issue isn't directly related to improving our docs, and to gain a better understanding of your issue, I'd recommend working closer with our support team via an Azure support request. Or you can leverage our Q&A forum by posting your issue there so our community, and MVPs can further assist you in troubleshooting this issue or finding potential workarounds.
Teams Q&A forum for technical questions about the configuration and administration of Microsoft Teams on Windows.
Microsoft Teams Community forum

@withersravenel
Author

Well, I disagree. Your document could be improved by making sense. It says the way to roll over the key is to run the command Update-AzureADSSOForest at least every 30 days, then it says to not run that same Update-AzureADSSOForest command more than once. How can you run it every 30 days and also not run it more than once?

@withersravenel withersravenel changed the title Question about how many times you should run Update-AzureADSSOForest in a given timespan REOPEN: Question about how many times you should run Update-AzureADSSOForest in a given timespan Apr 30, 2024
@SaibabaBalapur-MSFT
Contributor

@withersravenel
I'm going to assign this to the document author so they can take a look at it accordingly.

@billmath
Can you please check and add your comments on this doc update request, as applicable?
