Hi EnterpriseArchitect,
In general, there is no downside to resetting the Kerberos decryption key of the AZUREADSSO account; however, some negative impacts could happen if it is not managed properly:
- Service Interruptions: If not synchronized, it can cause authentication failures and service disruptions for users.
- Authentication Failures: Timing issues during key reset may lead to temporary login problems.
- Time Synchronization: Kerberos relies on synchronized system time; discrepancies can cause failures.
- Hybrid Environment Issues: In hybrid setups, improper key handling may disrupt authentication between on-premises and Azure AD.
In order to avoid the above, you may want to:
- Perform resets during off-peak times.
- Ensure time synchronization and replication are correct.
- Automate the key reset process to avoid issues.
And about the last one, there is a good article from Oliver Müller: https://www.cloudcoffee.ch/microsoft-azure/microsoft-entra-id-automatically-roll-over-kerberos-decryption-key/?utm_source=chatgpt.com. Please use it as a reference and under your own responsibility. I recommend you perform as many tests as you need before applying it to production.
I hope it helps.
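The checks and the rollover the answer above describes, put together as an added PowerShell example (this is not code from the original post, from the linked article, or from Microsoft; it only uses the documented AzureADSSO module cmdlets). Assumptions: it runs elevated on a domain-joined server where Microsoft Entra Connect is installed at its default path (the `AzureADSSO.psd1` module ships with it), the RSAT Active Directory module is present, and you can supply a Domain Admin credential for the forest plus a cloud admin account when prompted. The computer account name `AZUREADSSO` is the one Seamless SSO creates; the variable names and the 10-minute replication wait are choices made for this example.

```powershell
# Added example: pre-flight checks, Kerberos decryption key rollover for
# Seamless SSO, and post-rollover verification across all DCs.
# Assumption: default Entra Connect install path; adjust if yours differs.
$ErrorActionPreference = 'Stop'
$connectPath = Join-Path $env:ProgramFiles 'Microsoft Azure Active Directory Connect'
$ssoAccount  = 'AZUREADSSO'   # computer account created by Seamless SSO

# 1. Time synchronization. Kerberos allows 5 minutes of skew by default;
#    a server with no configured time source should not roll the key.
$timeStatus = w32tm /query /status
if ($timeStatus -notmatch 'Source:') {
    throw 'w32tm reports no time source; fix time synchronization before rolling the key.'
}
$timeStatus | Where-Object { $_ -match 'Source:|Last Successful Sync' } | Write-Host

# 2. Replication health. The new AZUREADSSO password must reach every DC,
#    otherwise users authenticating against a stale DC get ticket failures.
$replFailures = Get-ADReplicationFailure -Target (Get-ADForest).Name -Scope Forest
if ($replFailures) {
    $replFailures | Format-Table Server, Partner, FailureCount, LastError -AutoSize
    throw 'Replication failures detected; fix them before rolling the key.'
}

# 3. Record the current key age so the rollover can be verified afterwards.
$before = (Get-ADComputer -Identity $ssoAccount -Properties PasswordLastSet).PasswordLastSet
Write-Host "Current $ssoAccount PasswordLastSet: $before"

# 4. Roll the key. New-AzureADSSOAuthenticationContext prompts for a cloud
#    admin; Update-AzureADSSOForest needs Domain Admin credentials for the
#    forest. Run Update-AzureADSSOForest exactly once per forest: running it
#    repeatedly invalidates tickets users already hold until they are reissued.
Set-Location $connectPath
Import-Module (Join-Path $connectPath 'AzureADSSO.psd1')
New-AzureADSSOAuthenticationContext
Get-AzureADSSOStatus | ConvertFrom-Json | Format-List

$onPremCreds = Get-Credential -Message "Domain Admin credentials for $((Get-ADDomain).DNSRoot)"
Update-AzureADSSOForest -OnPremCredentials $onPremCreds

# 5. Verify on every DC that the new password has replicated. Poll for up to
#    10 minutes (example choice) rather than assuming convergence is instant.
$deadline = (Get-Date).AddMinutes(10)
do {
    $stale = Get-ADDomainController -Filter * | ForEach-Object {
        $dc = $_.HostName
        $pls = (Get-ADComputer -Identity $ssoAccount -Server $dc -Properties PasswordLastSet).PasswordLastSet
        if ($pls -le $before) { $dc }
    }
    if ($stale) {
        Write-Host "Waiting for replication to: $($stale -join ', ')"
        Start-Sleep -Seconds 30
    }
} while ($stale -and (Get-Date) -lt $deadline)

if ($stale) {
    throw "New $ssoAccount key has not replicated to: $($stale -join ', ')"
}
Write-Host "Key rolled over; all DCs report PasswordLastSet newer than $before."
```

As written the script is interactive (two credential prompts), which is fine for a change window run by hand; scheduling it unattended means supplying those credentials non-interactively and protecting them, which is the part to test carefully before it touches production.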