As businesses increasingly operate in hybrid environments spanning both on-premises and cloud infrastructure, the need for seamless authentication across multiple environments becomes paramount. To address this challenge, organizations are turning to automated processes for implementing and managing Cloud Kerberos Trust. This automated approach streamlines the integration of Kerberos-based authentication in diverse environments, ensuring efficient and secure access to cloud resources.
The PowerShell script Enable-CloudKerberosTrust.ps1 simplifies and automates the process of Configuring Azure AD Cloud Kerberos Trust.
To get a deeper understanding and a great story, You should also read to following article series by Ben Whitemore and Michael Mardahl who inspired the script.
1. Install Azure AD Kerberos PowerShell module
2. Prompt the user for domain admin credentials (if it detects it is not running as domain admin)
3. Create a Kerberos Server object
4. Verify a Kerberos Server object has been created successfully
5. Create "CKT-Policy" Intune configuration profile
6. Create OMA-URI for Cloud Kerberos Trust enablement
7. Assign the configuration profile
1. Azure Active Directory global administrator.
2. Active Directory domain administrator.
3. Approve admin consent for the following permissions in Microsoft Graph application in Azure AD apps:
CloudPC.ReadWrite.All, DeviceManagementConfiguration.ReadWrite.All, DeviceManagementManagedDevices.ReadWrite.All, Directory.Read.All
Specifies the on-premises Active Directory domain. A new Azure AD Kerberos Server object will be created in this Active Directory domain.
Specifies the UPN of an Azure Active Directory global administrator.
Specifies the Azure AD tenant ID for the new Intune configuration policy.
Specifies the device group to assign the new Intune configuration policy.
Specifies path to save script output to.
.\Enable-CloudKerberosTrust.ps1 -Domain xyz.com -UserName email@example.com -TenantID 0570e92c-8fb4-4775-9eb8-61f20dd2ce72 -Group Group1 -LogPath .\
Download the script: Enable-CloudKerberosTrust.ps1
NOTE: THIS SCRIPT IS CONTINUALLY BEING IMPROVED – If you would like to suggest additional checks or improvements, feel free to reach out with your input.