LukeLim95131 asked piaudonn answered

ADFS Service Account required to be in Enterprise Key Admin

I did an Invoke-ADFSFarmBehaviorLevelRaise to raise my ADFS FBL from 1 to 3.

I got a Warning: Failed to add service account xxx to Enterprise Key Admin Group. Add the service account to the Enterprise Key Admin group.

The FBL raise is listed as successful.

Can I check if this warning is because I use a normal service account instead of gMSA?
And what happens if I don't add the service account to Enterprise Key Admin Group?

adfs

1 Answer

piaudonn answered

The Enterprise Key Admin group membership is required if you need to use Windows Hello for Business with ADFS and the Certificate Trust.
If you do not plan to use this, you can ignore the message and go on :)
