Last Change of the Microsoft Entra SSO Account Password


Description

Every Active Directory domain that uses the Seamless SSO feature of Microsoft Entra ID includes a special computer account, AZUREADSSOACC. This account holds the master secret (the Kerberos decryption key) used to authenticate users from the local domain to Microsoft Entra ID, so you must protect it at all costs.

Solution

Changing the AZUREADSSOACC account key is a special operation that requires the use of a Microsoft script.
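As an added check that is not part of this indicator page or of Microsoft's tooling, the following PowerShell reports how long ago the AZUREADSSOACC password was last set so an overdue rollover is visible. It assumes the RSAT ActiveDirectory module and read access to the domain; the 30-day threshold is an assumption taken from Microsoft's rollover guidance and is a parameter.

```powershell
# Added example (not Tenable's or Microsoft's code): report the age of the
# AZUREADSSOACC password. It only reads; rolling the key itself must be done
# with Microsoft's script, as described in the Solution section above.
# Assumes the RSAT ActiveDirectory module. MaxAgeDays = 30 is an assumption.
param(
    [string]$Server = $null,
    [int]$MaxAgeDays = 30
)
Import-Module ActiveDirectory -ErrorAction Stop

$getParams = @{
    Identity   = 'AZUREADSSOACC$'      # sAMAccountName of the SSO computer account
    Properties = 'pwdLastSet', 'whenCreated'
}
if ($Server) { $getParams['Server'] = $Server }

try {
    $acc = Get-ADComputer @getParams
} catch {
    Write-Output 'AZUREADSSOACC not found: Seamless SSO is probably not enabled in this domain.'
    return
}

# pwdLastSet is a Windows FILETIME (100 ns ticks since 1601-01-01 UTC); 0 means never set.
if ($acc.pwdLastSet -eq 0) {
    Write-Warning 'AZUREADSSOACC password has never been set; investigate.'
    return
}
$lastSetUtc = [DateTime]::FromFileTimeUtc($acc.pwdLastSet)
$ageDays    = [int]((Get-Date).ToUniversalTime() - $lastSetUtc).TotalDays

if ($ageDays -gt $MaxAgeDays) {
    $status = "STALE (older than $MaxAgeDays days, rollover overdue)"
} else {
    $status = 'OK'
}

[pscustomobject]@{
    Account        = $acc.SamAccountName
    CreatedUtc     = $acc.whenCreated.ToUniversalTime()
    PasswordSetUtc = $lastSetUtc
    AgeDays        = $ageDays
    Status         = $status
}
```

Run it from a domain-joined host with a read-only account; feed the `AgeDays` value to monitoring so a missed rollover raises an alert.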

See Also

Quickstart: Microsoft Entra seamless single sign-on

How can I roll over the Kerberos decryption key of the AZUREADSSO computer account?

Microsoft Entra seamless single sign-on: Technical deep dive

Indicator Details

Name: Last Change of the Microsoft Entra SSO Account Password

Codename: C-AAD-SSO-PASSWORD

Severity: High

Type: Active Directory Indicator of Exposure

Family: Authentication and Credentials

MITRE ATT&CK Information: