How can I roll over the Kerberos decryption key of the AZUREADSSOACC computer account

It is important to frequently roll over the Kerberos decryption key of the AZUREADSSOACC computer account (which represents Azure AD) created in your on-premises AD forest.


We highly recommend that you roll over the Kerberos decryption key at least every 30 days.

Follow these steps on the on-premises server where you are running Azure AD Connect:

Step 1. Get the list of AD forests where Seamless SSO has been enabled
1. First, download and install Azure AD PowerShell.
2. Navigate to the %programfiles%\Microsoft Azure Active Directory Connect folder.
3. Import the Seamless SSO PowerShell module using this command:

Import-Module .\AzureADSSO.psd1

4. Run PowerShell as an Administrator. In PowerShell, call


This command should give you a popup to enter your tenant’s Global Administrator credentials.

5. Call Get-AzureADSSOStatus. This command provides you with the list of AD forests (look at the “Domains” list) on which this feature has been enabled.

Step 2. Update the Kerberos decryption key on each AD forest that it was set up on

1. Call $creds = Get-Credential. When prompted, enter the Domain Administrator credentials for the intended AD forest.
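A read-only way to check the 30-day recommendation above: report how old the AZUREADSSOACC key is in each domain of the current forest. This is an added example, not part of the original post or of Azure AD Connect. It assumes the RSAT ActiveDirectory module is installed and that the account's PasswordLastSet value reflects the last rollover; the function name Get-SsoKeyAge is hypothetical.

```powershell
# Added example (not from Azure AD Connect): read-only age check of the
# AZUREADSSOACC key in every domain of the current forest.
# Assumption: PasswordLastSet on the computer object reflects the last rollover.
Import-Module ActiveDirectory   # RSAT ActiveDirectory module (assumed installed)

function Get-SsoKeyAge {
    param(
        [Parameter(Mandatory)] [string] $Domain,
        [int] $MaxAgeDays = 30          # interval recommended on this page
    )
    $result = [ordered]@{ Domain = $Domain; LastRollover = $null; AgeDays = $null; Status = $null }
    try {
        $acct = Get-ADComputer -Identity 'AZUREADSSOACC' -Server $Domain `
                    -Properties PasswordLastSet -ErrorAction Stop
    }
    catch [Microsoft.ActiveDirectory.Management.ADIdentityNotFoundException] {
        $result.Status = 'NotPresent'   # no Seamless SSO account in this domain
        return [pscustomobject]$result
    }
    catch {
        $result.Status = "QueryFailed: $($_.Exception.Message)"
        return [pscustomobject]$result
    }
    if (-not $acct.PasswordLastSet) {
        $result.Status = 'Unknown'      # attribute unset or not readable
        return [pscustomobject]$result
    }
    $age = (New-TimeSpan -Start $acct.PasswordLastSet -End (Get-Date)).Days
    $result.LastRollover = $acct.PasswordLastSet
    $result.AgeDays      = $age
    $result.Status       = if ($age -gt $MaxAgeDays) { 'Overdue' } else { 'OK' }
    [pscustomobject]$result
}

# One row per domain; domains without the account show as NotPresent.
$report = foreach ($domain in (Get-ADForest).Domains) { Get-SsoKeyAge -Domain $domain }
$report | Format-Table -AutoSize

# Non-zero exit lets a scheduled task or monitoring agent alert on a stale key.
if ($report.Status -contains 'Overdue') { exit 1 }
```

Run it from a domain-joined machine in each forest returned by Get-AzureADSSOStatus, since Get-ADForest only covers the forest of the current session.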

How to install the Azure RM module for PowerShell

You need to download and install the module for Azure DNS first.

First, check the PowerShell version, because the Azure RM module needs at least PowerShell 5.0.


Install-Module -Name AzureRM

By default, the PowerShell gallery isn’t configured as a trusted repository for PowerShellGet. The first time you use the PSGallery you see the following prompt:
Untrusted repository

You are installing the modules from an untrusted repository. If you trust this repository, change its Installation Policy value by running the Set-PSRepository cmdlet.

Are you sure you want to install the modules from ‘PSGallery’?
[Y] Yes [A] Yes to All [N] No [L] No to All [S] Suspend [?] Help (default is “N”):

# Import the module into the PowerShell session
Import-Module AzureRM
# Connect to Azure with an interactive dialog for sign-in

Update-Module -Name AzureRM

How to import/export DNS zone file to Azure DNS using CLI

Log in to Azure using the CLI:

az login

az account set -s <Subscription Name>

To import the zone file:
az network dns zone import -g <ResourceGroupName> -n <ZoneName> -f <ZoneFileFullPath>

To test the imported zone file:
az network dns record-set list -g <ResourceGroupName> -z <ZoneName>