If you have a domain synced with AD-Connect, which means your local domain is syncing with Azure AD, then it is recommended to rotate the keys every 60 days. This is the warning you get in Azure:
To complete the rotation, log in to the AD-Connect server for your domain, then start PowerShell (admin is not required). Once you have, do this:
Prepare PowerShell
cd 'C:\Program Files\Microsoft Azure Active Directory Connect'
Import-Module .\AzureADSSO.psd1
New-AzureADSSOAuthenticationContext
$creds = Get-Credential
Rotate those Keys
Update-AzureADSSOForest -OnPremCredentials $creds
Check it completed
[08:02:34.780] [ 6] [INFORMATIONAL] UpdateComputerAccount: Locating SSO computer account in bears.local...
[08:02:34.790] [ 6] [INFORMATIONAL] GetDesktopSsoComputerAccount: Searching in global catalog(forest) and bears.local for computer account AZUREADSSOACC
[08:02:35.320] [ 6] [INFORMATIONAL] TrySearchAccountUnderGlobalCatalog: Object was found in global catalog(forest), hence skipping bears.local search
[08:02:35.325] [ 6] [INFORMATIONAL] UpdateComputerAccount: Found SSO computer account at CN=AZUREADSSOACC,OU=SSOAccounts,DC=bears,DC=local. Updating its properties...
[08:02:35.325] [ 6] [INFORMATIONAL] UpdateComputerAccount: Granting full control to account admins and enterprise admins for computer account CN=AZUREADSSOACC,OU=SSOAccounts,OU=IS Administration,DC=bears.local,DC=intra...
[08:02:35.860] [ 6] [INFORMATIONAL] UpdateComputerAccount: Successfully updated SSO computer account properties.
[08:02:35.875] [ 6] [INFORMATIONAL] The Tls12 security protocol has been added to the supported protocols of ServicePointManager. Current value of ServicePointManager.SecurityProtocol: 'Ssl3, Tls, Tls12'
The operation completed successfully
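To confirm the rotation independently of the log output above, you can read when the AZUREADSSOACC computer account password was last set. This is an added example, not part of the original post or of the AzureADSSO module: the function name Test-SsoKeyAge and its parameters are hypothetical, and it assumes the ActiveDirectory (RSAT) module is installed and that the account lives in the domain you query.

```powershell
# Added example: report the age of the Seamless SSO key by reading the
# password-last-set time of the AZUREADSSOACC computer account.
# Assumption: the ActiveDirectory (RSAT) module is available on this machine.
Import-Module ActiveDirectory

function Test-SsoKeyAge {
    param(
        # 60 days is the rotation interval given in this post.
        [int]$MaxAgeDays = 60,
        [string]$AccountName = 'AZUREADSSOACC',
        # Optional domain controller to query, for an account in another domain.
        [string]$Server
    )

    $query = @{ Identity = $AccountName; Properties = 'PasswordLastSet' }
    if ($Server) { $query.Server = $Server }

    try {
        $account = Get-ADComputer @query -ErrorAction Stop
    }
    catch {
        Write-Warning "Could not read ${AccountName}: $($_.Exception.Message)"
        return
    }

    # A missing value means the password has never been set or could not be read.
    if (-not $account.PasswordLastSet) {
        Write-Warning "${AccountName} has no PasswordLastSet value"
        return
    }

    $ageDays = [int][math]::Floor(((Get-Date) - $account.PasswordLastSet).TotalDays)

    [pscustomobject]@{
        Account         = $account.DistinguishedName
        PasswordLastSet = $account.PasswordLastSet
        AgeDays         = $ageDays
        RotationDue     = $ageDays -ge $MaxAgeDays
    }
}

Test-SsoKeyAge
```

Right after a successful Update-AzureADSSOForest run, AgeDays should read 0. Running the same check on a schedule tells you when the next rotation is due.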