Change password for Entra seamless SSO account

When configuring Entra Seamless SSO, a computer account named AZUREADSSOACC is created in Active Directory. By default, the password of this computer account is not automatically rotated every 30 days. The password is used as a shared secret between AD and Entra ID: it allows Entra ID to decrypt the Kerberos service tickets that users present as part of the seamless SSO flow between Active Directory and Entra ID. If an attacker compromises this account, they can generate service tickets for AZUREADSSOACC on behalf of any user and impersonate any user in the Entra tenant that is synchronized from Active Directory. An attacker can use this to move laterally from Active Directory into Entra ID.

Perform Kerberos Key Rollover with PowerShell

# Run in an elevated PowerShell session on the Entra Connect server
cd "C:\Program Files\Microsoft Azure Active Directory Connect"
Import-Module .\AzureADSSO.psd1

# Sign in with Entra ID admin credentials (interactive prompt) and confirm Seamless SSO is enabled
New-AzureADSSOAuthenticationContext
Get-AzureADSSOStatus | ConvertFrom-Json

# Domain administrator credentials for the on-premises forest (domain\user), then roll the key
$creds = Get-Credential
Update-AzureADSSOForest -OnPremCredentials $creds

Check PasswordLastSet
# PasswordLastSet should now show the current date/time
Get-ADComputer AZUREADSSOACC -Properties * | FL Name,PasswordLastSet
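Because the rollover is a manual step, it is worth checking the key age on a schedule rather than only once. The script below is an added example (not from the original post or Microsoft's module): it reads PasswordLastSet for the AZUREADSSOACC account and reports whether the 30-day rollover is overdue. It assumes the ActiveDirectory module (RSAT) is installed and the caller can read the computer object; the function name Test-AzureADSSOKeyAge is hypothetical.

```powershell
# Added example: report how stale the AZUREADSSOACC Kerberos decryption key is.
# Assumes the ActiveDirectory module is available (RSAT) and read access to the object.
Import-Module ActiveDirectory

function Test-AzureADSSOKeyAge {
    param(
        [string]$ComputerName = 'AZUREADSSOACC',   # account created by Seamless SSO setup
        [int]$MaxAgeDays = 30                       # rollover interval recommended by Microsoft
    )
    $acct = Get-ADComputer -Identity $ComputerName -Properties PasswordLastSet, Enabled
    if (-not $acct.PasswordLastSet) {
        throw "PasswordLastSet is empty for $ComputerName; cannot determine key age."
    }
    $age = (Get-Date) - $acct.PasswordLastSet
    [pscustomobject]@{
        Name            = $acct.Name
        Enabled         = $acct.Enabled
        PasswordLastSet = $acct.PasswordLastSet
        AgeDays         = [math]::Floor($age.TotalDays)
        RolloverDue     = ($age.TotalDays -gt $MaxAgeDays)
    }
}

$result = Test-AzureADSSOKeyAge
$result | Format-List
if ($result.RolloverDue) {
    # Surface an actionable warning; feed this into monitoring or a scheduled task as needed
    Write-Warning ("{0} key is {1} days old (limit 30); run Update-AzureADSSOForest on the Entra Connect server." -f $result.Name, $result.AgeDays)
}
```

Run it from any domain-joined host with RSAT; a RolloverDue value of True means the key is older than 30 days and the rollover procedure above should be performed.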


References
https://learn.microsoft.com/en-us/defender-for-identity/security-posture-assessments/hybrid-security

https://learn.microsoft.com/en-us/entra/identity/hybrid/connect/how-to-connect-sso-faq#how-can-i-roll-over-the-kerberos-decryption-key-of-the–azureadsso–computer-account-
