Last Change of the Microsoft Entra SSO Account Password

high

Description

Every Active Directory forest that has Microsoft Entra Seamless Single Sign-On enabled contains a special computer account, AZUREADSSOACC, in each domain where the feature is turned on. The Kerberos decryption key of this account is shared with Microsoft Entra ID and is what lets Entra ID validate the Kerberos tickets that domain-joined users present when they sign in. It is therefore a master secret for the synchronized domain: anyone who obtains it can forge Kerberos tickets and sign in to Entra ID as any synchronized user without knowing that user's password. Microsoft recommends rolling this key at least every 30 days; this indicator reports when the account password was last changed so that a stale or never-rotated key can be detected.
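The check this indicator performs can be reproduced from a domain-joined workstation. The following PowerShell is an added example, not part of the original page or of Tenable's own detection code; it assumes the RSAT ActiveDirectory module is installed and that the account running it can read computer objects in every domain of the forest. It goes one step beyond the description above by walking all domains, since Seamless SSO creates one AZUREADSSOACC account per enabled domain.

```powershell
# Added example: report the age of the AZUREADSSOACC Kerberos key in every domain
# of the forest, using the computer account's pwdLastSet attribute.
# Assumes RSAT ActiveDirectory and read access to the domains (assumption).
Import-Module ActiveDirectory

$MaxAgeDays = 30   # Microsoft's recommended maximum interval between key rollovers

foreach ($domain in (Get-ADForest).Domains) {
    $acc = Get-ADComputer -Server $domain -Filter 'Name -eq "AZUREADSSOACC"' `
            -Properties pwdLastSet, whenCreated, ServicePrincipalNames

    if (-not $acc) {
        # No account means Seamless SSO is not enabled in this domain
        [PSCustomObject]@{ Domain = $domain; Status = 'Seamless SSO not enabled' }
        continue
    }

    # pwdLastSet is a Windows FILETIME (100 ns ticks since 1601, UTC)
    $lastSet = [DateTime]::FromFileTimeUtc($acc.pwdLastSet)
    $age     = (Get-Date).ToUniversalTime() - $lastSet

    [PSCustomObject]@{
        Domain     = $domain
        Account    = $acc.DistinguishedName
        Created    = $acc.whenCreated
        KeyLastSet = $lastSet
        AgeDays    = [math]::Round($age.TotalDays, 1)
        Stale      = $age.TotalDays -gt $MaxAgeDays
        # Expect HTTP/autologon.microsoftazuread-sso.com here; anything else is worth a look
        Spn        = ($acc.ServicePrincipalNames -join ', ')
    }
}
```

A key whose AgeDays is well above 30, or equal to the age of the account itself, has never been rolled since Seamless SSO was enabled and should be rotated with the Microsoft procedure described under Solution.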

Solution

Changing the AZUREADSSOACC key is a special operation: Microsoft Entra ID keeps its own copy of the key, so the password must not be reset directly in Active Directory or the two copies will diverge and Seamless SSO will stop working. Instead, roll the key with the AzureADSSO PowerShell module that ships with Microsoft Entra Connect (the Update-AzureADSSOForest cmdlet), which resets the computer account password on-premises and pushes the new key to Entra ID in one step. Repeat the operation for every forest where Seamless SSO is enabled, and schedule it at least every 30 days.
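The rollover itself, as an added example that is not part of the original page. It follows Microsoft's documented procedure and must be run on the Microsoft Entra Connect server; the module path below is the default installation location and is an assumption if Entra Connect was installed elsewhere.

```powershell
# Added example: roll over the AZUREADSSOACC Kerberos decryption key with the
# AzureADSSO module that ships with Microsoft Entra Connect. Run on the Connect server.
# The module path is the default install location (assumption; adjust if needed).
$ModulePath = 'C:\Program Files\Microsoft Azure Active Directory Connect\AzureADSSO.psd1'
Import-Module $ModulePath

# Prompts for a Microsoft Entra administrator account with rights to manage Seamless SSO
New-AzureADSSOAuthenticationContext

# Show which forests currently have Seamless SSO enabled before touching anything
Get-AzureADSSOStatus | ConvertFrom-Json

# On-premises Domain Administrator credentials for the forest being rolled (DOMAIN\user)
$onPremCreds = Get-Credential -Message 'Domain Admin credentials for the AD forest'

# Resets the AZUREADSSOACC password in AD and updates the copy held by Entra ID.
# Do NOT use Reset-ComputerMachinePassword or Set-ADAccountPassword on this account:
# that changes only the on-premises copy and breaks Seamless SSO.
Update-AzureADSSOForest -OnPremCredentials $onPremCreds

# Verify: pwdLastSet on the computer account should now be within the last few minutes
Import-Module ActiveDirectory
$acc = Get-ADComputer -Filter 'Name -eq "AZUREADSSOACC"' -Properties pwdLastSet
$lastSet = [DateTime]::FromFileTimeUtc($acc.pwdLastSet)
"AZUREADSSOACC key last set (UTC): $lastSet"
```

Run the sequence once per forest that Get-AzureADSSOStatus lists as enabled. Kerberos tickets already issued under the old key remain valid until they expire, so a compromised key is only fully neutralized once those tickets have aged out.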

See Also

Introduction to Azure Active Directory Seamless Single Sign-On

Changing the Kerberos decryption key of the AZUREADSSOACC computer account

Internals of Azure AD Seamless SSO

Indicator Details

Name: Last Change of the Microsoft Entra SSO Account Password

Codename: C-AAD-SSO-PASSWORD

Severity: High

MITRE ATT&CK Information:

Tactics: TA0003 (Persistence), TA0004 (Privilege Escalation)

Techniques: T1078 (Valid Accounts)