It is very important to regularly (every 30 days) roll over the Kerberos key for the AZUREADSSO computer account. This account represents your Azure AD in your on-prem AD. Permissions needed to perform this operation: on-prem Domain Administrator (DA) and Azure AD Global Administrator (GA). Assuming your environment consists of a single AD forest: