Use the script below to create a service connection point (SCP) so that device sync can be enabled for Azure.
$verifiedDomain = "contoso.com" # Replace this with any of your verified domain names in Azure AD
$tenantID = "72f988bf-86f1-41af-91ab-2d7cd011db47" # Replace this with your tenant ID
$configNC = "CN=Configuration,DC=corp,DC=contoso,DC=com" # Replace this with your AD configuration naming context (use Get-ADRootDSE to get this value)
$de = New-Object System.DirectoryServices.DirectoryEntry
$de.Path = "LDAP://CN=Services," + $configNC
$deDRC = $de.Children.Add("CN=Device Registration Configuration", "container")
$deDRC.CommitChanges() # Children.Add only stages the new object; CommitChanges writes it to AD
$deSCP = $deDRC.Children.Add("CN=62a0ff2e-97b9-4513-943f-0d221bd30080", "serviceConnectionPoint")
$deSCP.Properties["keywords"].Add("azureADName:" + $verifiedDomain)
$deSCP.Properties["keywords"].Add("azureADId:" + $tenantID)
$deSCP.CommitChanges() # Without this the SCP and its keywords are never written
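Once the SCP exists, every domain-joined device that registers with Azure AD reads the tenant ID and domain name from it, so it is worth verifying that the object points at your tenant and nothing else. The following check is an added example, not part of the original post; it assumes the ActiveDirectory (RSAT) module is available and that $verifiedDomain and $tenantID hold the values you expect:

```powershell
# Added example: read the device registration SCP back from the configuration
# partition and verify its keywords match the expected tenant.
$verifiedDomain = "contoso.com"                            # expected verified domain (assumption)
$tenantID       = "72f988bf-86f1-41af-91ab-2d7cd011db47"   # expected tenant ID (value from the page)

$configNC = (Get-ADRootDSE).configurationNamingContext
$scpPath  = "CN=62a0ff2e-97b9-4513-943f-0d221bd30080,CN=Device Registration Configuration,CN=Services,$configNC"

# Get-ADObject -Identity throws if the object is missing; that is itself a finding
try {
    $scp = Get-ADObject -Identity $scpPath -Properties keywords
} catch {
    Write-Warning "No device registration SCP found at $scpPath"
    return
}

# keywords is multi-valued; collect every value per prefix (azureADId, azureADName, ...)
$kw = @{}
foreach ($entry in $scp.keywords) {
    $prefix, $value = $entry -split ':', 2
    if (-not $kw.ContainsKey($prefix)) { $kw[$prefix] = @() }
    $kw[$prefix] += $value
}

$problems = @()
if ($kw['azureADId'] -ne $tenantID) {
    $problems += "azureADId is '$($kw['azureADId'] -join ',')', expected '$tenantID'"
}
if ($kw['azureADName'] -ne $verifiedDomain) {
    $problems += "azureADName is '$($kw['azureADName'] -join ',')', expected '$verifiedDomain'"
}
# A second tenant ID or domain name on the same SCP should never happen
if ($kw['azureADId'].Count -gt 1 -or $kw['azureADName'].Count -gt 1) {
    $problems += "multiple azureADId/azureADName values present"
}

if ($problems.Count -eq 0) {
    Write-Output "SCP OK: $($scp.DistinguishedName) -> $verifiedDomain / $tenantID"
} else {
    $problems | ForEach-Object { Write-Warning $_ }
}
```

Run it as a user that can read the configuration partition (any authenticated user can by default); the script only reads, so it is safe to schedule as a recurring check.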
It is important to frequently roll over the Kerberos decryption key of the AZUREADSSOACC computer account (which represents Azure AD) created in your on-premises AD forest.
We highly recommend that you roll over the Kerberos decryption key at least every 30 days.
Follow these steps on the on-premises server where you are running Azure AD Connect:
Step 1. Get the list of AD forests where Seamless SSO has been enabled
1. First, download and install Azure AD PowerShell.
2. Navigate to the %programfiles%\Microsoft Azure Active Directory Connect folder.
3. Import the Seamless SSO PowerShell module using this command:
4. Run PowerShell as an Administrator. In PowerShell, call
This command should give you a popup to enter your tenant's Global Administrator credentials.
5. Call Get-AzureADSSOStatus. This command provides you the list of AD forests (look at the "Domains" list) on which this feature has been enabled.
Step 2. Update the Kerberos decryption key on each AD forest that it was set up on
1. Call $creds = Get-Credential. When prompted, enter the Domain Administrator credentials for the intended AD forest.
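The 30-day rollover above is easy to let slip, and the age of the key is simply the password age of the AZUREADSSOACC computer account. The following report is an added example and not part of the original post; it assumes the ActiveDirectory module is installed and that $ssoDomains is filled from the "Domains" list that Get-AzureADSSOStatus returns (the two names below are constructed sample values):

```powershell
# Added example: report the age of the AZUREADSSOACC Kerberos decryption key in each
# forest so that any key older than 30 days stands out.
$ssoDomains = @("corp.contoso.com", "fabrikam.local")   # constructed; replace with the Get-AzureADSSOStatus "Domains" list
$maxKeyAge  = [TimeSpan]::FromDays(30)
$creds      = Get-Credential -Message "Domain Administrator credentials for the AD forests"

foreach ($domain in $ssoDomains) {
    try {
        # The computer account's password is the key Azure AD uses to decrypt Kerberos tickets
        $acct = Get-ADComputer -Identity "AZUREADSSOACC" -Server $domain -Credential $creds `
                               -Properties PasswordLastSet, Enabled
    } catch {
        Write-Warning "$domain : AZUREADSSOACC not found or not readable ($($_.Exception.Message))"
        continue
    }

    $age = (Get-Date) - $acct.PasswordLastSet
    [pscustomobject]@{
        Domain          = $domain
        Enabled         = $acct.Enabled
        PasswordLastSet = $acct.PasswordLastSet
        KeyAgeDays      = [int]$age.TotalDays
        RolloverDue     = ($age -gt $maxKeyAge)
    }
}
```

The objects go to the pipeline, so the output can be piped to Format-Table for a quick look or to Export-Csv for a scheduled compliance record; a RolloverDue of True means the Step 2 procedure is overdue for that forest.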
You need to download and install the module for Azure DNS first.
First, check the PowerShell version, because the AzureRM module needs PowerShell 5.0 at least.
Install-Module -Name AzureRM
By default, the PowerShell gallery isn’t configured as a trusted repository for PowerShellGet. The first time you use the PSGallery you see the following prompt:
You are installing the modules from an untrusted repository. If you trust this repository, change its Installation Policy value by running the
Are you sure you want to install the modules from ‘PSGallery’?
[Y] Yes [A] Yes to All [N] No [L] No to All [S] Suspend [?] Help (default is “N”):
# Import the module into the PowerShell session
# Connect to Azure with an interactive dialog for sign-in
Update-Module -Name AzureRM
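The install and update steps above, with the version check and a signature check on what actually landed on disk, as an added example that is not from the original post. It assumes PowerShellGet with the PSGallery repository registered and internet access to the gallery; AzureRM is the module the page uses (it has since been superseded by the Az module, but the checks are the same):

```powershell
# Added example: verify prerequisites, install or update AzureRM from PSGallery,
# then confirm the installed manifest is validly signed by Microsoft.
$minVersion = [version]"5.0"
if ($PSVersionTable.PSVersion -lt $minVersion) {
    throw "AzureRM needs Windows PowerShell $minVersion or later; found $($PSVersionTable.PSVersion)"
}

# Report the gallery's trust state rather than silently changing it; leaving it
# Untrusted keeps the confirmation prompt shown above for every install.
$repo = Get-PSRepository -Name PSGallery
Write-Output "PSGallery installation policy: $($repo.InstallationPolicy)"

$installed = Get-InstalledModule -Name AzureRM -ErrorAction SilentlyContinue
if ($null -eq $installed) {
    # -Repository pins the source so a same-named module from another feed is not picked up
    Install-Module -Name AzureRM -Repository PSGallery -Scope CurrentUser
} else {
    Update-Module -Name AzureRM
}

# Verify the Authenticode signature on the newest installed manifest
$mod       = Get-Module -ListAvailable -Name AzureRM | Sort-Object Version -Descending | Select-Object -First 1
$signature = Get-AuthenticodeSignature -FilePath $mod.Path
if ($signature.Status -ne 'Valid' -or $signature.SignerCertificate.Subject -notmatch 'Microsoft Corporation') {
    Write-Warning "AzureRM $($mod.Version) at $($mod.Path) is not validly signed by Microsoft (status: $($signature.Status))"
} else {
    Write-Output "AzureRM $($mod.Version) verified: signed by $($signature.SignerCertificate.Subject)"
}
```

The signature check is the part worth keeping after the first install: it catches a module that was tampered with on disk or pulled from the wrong feed, which the gallery prompt alone does not.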