We’ve already covered Azure AD PtA with SSO, where a local computer object is created in your on-premises AD to help with the authentication. Although the password of that object is changed periodically, many organizations have a requirement to reset the computer password on the fly or at a shorter interval.
Microsoft has released a manual for resetting the computer password used (https://docs.microsoft.com/en-us/azure/active-directory/connect/active-directory-aadconnect-sso-faq#how-can-i-roll-over-the-kerberos-decryption-key-of-the-azureadssoacct-computer-account) but there was one part of the document I did not like.
Whenever I see the word “Domain Administrator” rights required, I get triggered, because only in very rare cases are DA privileges required.
In this case, the PowerShell cmdlet just resets the password on a computer account, so DA would not be required at all.
So after some tries, it seems you only need to give the following rights on the computer object called AZUREADSSOACC to the account that you want to run the reset with: READ – WRITE – RESET PASSWORD.
Note that even Change Password rights are not required.
And that is sufficient to change the password of the computer object.
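Delegating exactly those three rights from PowerShell, as an added example that is not part of the original post: it assumes the RSAT ActiveDirectory module is installed, and the service account name is a hypothetical placeholder.

```powershell
# Added example: grant only READ, WRITE and RESET PASSWORD on the AZUREADSSOACC
# computer object to a dedicated account, instead of making it a Domain Admin.
# Assumes the RSAT ActiveDirectory module; $DelegateAccount is a placeholder.
Import-Module ActiveDirectory

$DelegateAccount = 'CONTOSO\svc-ssorollover'   # hypothetical account that runs the reset
$Computer        = Get-ADComputer -Identity 'AZUREADSSOACC'
$AclPath         = "AD:\$($Computer.DistinguishedName)"

$Identity = New-Object System.Security.Principal.NTAccount($DelegateAccount)
$Sid      = $Identity.Translate([System.Security.Principal.SecurityIdentifier])

# Well-known GUID of the "Reset Password" control access (extended) right.
$ResetPasswordGuid = [Guid]'00299570-246d-11d0-a768-00aa006e0529'

$acl = Get-Acl -Path $AclPath

# READ and WRITE on this object only (no inheritance to child objects).
foreach ($right in 'GenericRead', 'GenericWrite') {
    $acl.AddAccessRule((New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
        $Sid,
        [System.DirectoryServices.ActiveDirectoryRights]$right,
        [System.Security.AccessControl.AccessControlType]::Allow,
        [System.DirectoryServices.ActiveDirectorySecurityInheritance]::None)))
}

# RESET PASSWORD: the extended right identified by $ResetPasswordGuid.
# Deliberately not granting the "Change Password" extended right.
$acl.AddAccessRule((New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
    $Sid,
    [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight,
    [System.Security.AccessControl.AccessControlType]::Allow,
    $ResetPasswordGuid,
    [System.DirectoryServices.ActiveDirectorySecurityInheritance]::None)))

Set-Acl -Path $AclPath -AclObject $acl

# Verify: list the ACEs now present for the delegate on the object.
(Get-Acl -Path $AclPath).Access |
    Where-Object { $_.IdentityReference.Value -eq $DelegateAccount } |
    Select-Object IdentityReference, ActiveDirectoryRights, ObjectType, AccessControlType
```

Run it as an account that can modify the ACL of AZUREADSSOACC; the verification at the end should show two generic ACEs and one ExtendedRight ACE whose ObjectType is the Reset Password GUID.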
[end of service announcement to get rid of DA admin rights]