Prerequisites and Best Practices for Changing ADFS Account

Description:

You have ADFS farm and you want to change the existing ADFS service account. You already have the step by step and the PowerShell module for changing the service account as written at other article in this blog.. However you want to know if there any pre-requisites or problem that you might encounter during the process

Resolution:

The prerequisites for changing the ADFS service account are:

1. On each machine of the ADFS farm, install the following:
• Visual C++ Redistributable for Visual Studio 2017
• ODBC Drive 17 for SQL Server
• SQLCMD.exe from Microsoft command line utilities for Microsoft SQL Server 2019
2. Enable AD & AD LDS PowerShell tool from Server Manager on all ADFS server
3. Domain Admin Account

Best practices:

1. Run the command to change the service account using Domain Admin Account. Logon Interactively on the ADFS server using Domain Admin, avoid using "Run As".
2. ADFS services will be restarted during the process. Plan the maintenance time carefully.

How to Change ADFS Service Account

Description:

You have existing ADFS running with regular user account. To increase security you want to change the ADFS service account to use group managed service account or gMSA account.

Resolution:

Source of Information: https://github.com/microsoft/adfsToolbox/tree/master/serviceAccountModule

1. Download the ServiceAccount.psm1 module to all of your AD FS servers (primary and secondary)

2. Import the PowerShell Module on all servers

   In a PowerShell window, run the following: ipmo ServiceAccount.psm1

3. For Windows Server 2016 and later, add a rule granting the new service account necessary permissions.

   In a PowerShell window on the primary AD FS server, run the following:

   Add-AdfsServiceAccountRule -ServiceAccount <ServiceAccount> -SecondaryServers <ListOfSecondaryServers>

   Note that <ServiceAccount> should be the service account you want to grant permissions to and can be provided either in the format Domain\User or merely User.

   <ListOfSecondaryServers> should be replaced with a list of secondary servers if the environment is a WID farm so that the configuration database can be synced across all machines.

4. Change the service account on each machine in the farm.

   Beginning with the secondary servers, run the following:

   Update-AdfsServiceAccount

   Once the function has been executed on all secondary servers, proceed to run it on the primary server.

5. If Device Registration Services (DRS) is set up in your AD FS environment, you must also use the Set-AdfsDeviceRegistration cmdlet (an internal command exposed by the service) to add the proper permissions to the new service account.

6. For Windows Server 2016 and later, remove the rule granting permissions to the old service account.

   In a PowerShell window on the primary AD FS server, run the following:

   Remove-AdfsServiceAccountRule -ServiceAccount <ServiceAccount> -SecondaryServers <ListOfSecondaryServers>

   Note that <ServiceAccount> should be the service account you want to revoke permissions for and can be provided either in the format Domain\User or merely User.

   <ListOfSecondaryServers> should be replaced with a list of secondary servers if the environment is a WID farm so that the configuration database can be synced across all machines.