Recently, while configuring Entra Kerberos Trust again, I was reminded how unnecessarily fragmented the available guidance still is. None of the existing articles are wrong, but almost all of them focus on isolated steps or background explanations, which makes it surprisingly tedious to piece together the actual implementation flow even if you already know the use case and have done it before. I found myself jumping between multiple sources just to confirm the correct order of operations and the exact commands required, which is exactly what this post aims to avoid. The goal here is not to explain concepts or justify design decisions, but to provide a single, concise reference that shows the full configuration path in one place, with no surplus text, no theory and no detours: something you can come back to in six months and get productive again in minutes, not hours, when setting up Entra Kerberos Trust in Microsoft Entra ID.

First, run this script from a Domain Controller:

```powershell
# 1. Install the correct module for Entra Kerberos/Cloud Trust
Install-Module -Name AzureADHybridAuthenticationManagement -Force

# 2. Import the module
Import-Module AzureADHybridAuthenticationManagement

# 3. Publish the Kerberos Server Object
# NOTE: This command handles its own authentication. It will pop up a login window
# for Entra ID (Global Admin) and ask for on-prem Domain Admin creds if not elevated.
Set-AzureADKerberosServer `
    -Domain "contoso.com" `
    -UserPrincipalName "ad***@*****so.com"
```
Then configure the following two configuration policies in Intune (machine-deployed):

1. Windows Hello for Business – Required OMA-URI Settings

Configured as a Configuration Policy -> Windows 10 and later -> Templates -> Custom.
| Name | OMA-URI | Type | Value |
|---|---|---|---|
| UsePassportForWork | ./Device/Vendor/MSFT/PassportForWork/Enabled | Boolean | True |
| UseCloudTrustForOnPremAuth | ./Device/Vendor/MSFT/PassportForWork/CloudTrust/Enabled | Boolean | True |
| RequireSecurityDevice | ./Device/Vendor/MSFT/PassportForWork/RequireSecurityDevice | Boolean | True |
2. Kerberos – Cloud Ticket Retrieval

Configured via Configuration Policy -> Windows 10 and later -> Settings catalog:
- Category: Kerberos
- Cloud Kerberos Ticket Retrieval Enabled: Enabled
Verify Kerberos Ticket on the Client

On an Entra-joined Windows device, sign in using Windows Hello for Business, then access any on-premises Kerberos-protected resource (for example a file share):

```
\\fileserver.contoso.com\share
```

After access succeeds, open an elevated command prompt or PowerShell session and run:

```
klist
```

You should see one or more Kerberos service tickets (TGS) for the accessed resource, issued even though the device is not domain-joined. The presence of a valid Kerberos ticket after successful access confirms that Microsoft Entra ID Kerberos ticket retrieval is working; if no ticket is present, the client did not obtain a Kerberos ticket and the trust or Intune configuration should be reviewed.
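The same check as a script, added here as an example that is not part of the original post: it touches the share, parses the `klist` cache and reports whether a `cifs/<server>` ticket was issued and which KDC was called. The share path is a placeholder for your environment.

```powershell
# Added example (not from the original post): confirm that accessing an on-prem share
# from an Entra-joined client yields a Kerberos service ticket for cifs/<server>.
function Test-CloudKerberosTicket {
    param(
        [string]$SharePath = '\\fileserver.contoso.com\share',  # placeholder share
        [switch]$PurgeFirst                                      # empty the ticket cache first
    )
    # Host part of the UNC path, e.g. fileserver.contoso.com
    $server = $SharePath -replace '^\\\\([^\\]+).*$', '$1'
    if ($PurgeFirst) { klist purge | Out-Null }

    # Touching the share makes the client request a ticket for cifs/<server>
    $reachable = Test-Path -LiteralPath $SharePath

    # Parse klist output: each ticket has a "Server:" line, usually followed by "Kdc Called:"
    $tickets = New-Object System.Collections.Generic.List[object]
    $current = $null
    foreach ($line in (klist)) {
        if ($line -match '^\s*Server:\s*(?<spn>\S+)\s*@\s*(?<realm>\S+)') {
            $current = [pscustomobject]@{ Spn = $Matches.spn; Realm = $Matches.realm; Kdc = $null }
            $tickets.Add($current)
        } elseif ($current -and $line -match '^\s*Kdc Called:\s*(?<kdc>\S+)') {
            $current.Kdc = $Matches.kdc
        }
    }

    $match = $tickets | Where-Object { $_.Spn -ieq "cifs/$server" } | Select-Object -First 1
    [pscustomobject]@{
        Share       = $SharePath
        Reachable   = $reachable
        TicketFound = [bool]$match
        Spn         = if ($match) { $match.Spn } else { $null }
        Realm       = if ($match) { $match.Realm } else { $null }
        KdcCalled   = if ($match) { $match.Kdc } else { $null }
        CachedSpns  = @($tickets | ForEach-Object Spn)
    }
}

$result = Test-CloudKerberosTicket -PurgeFirst
$result | Format-List
if (-not $result.TicketFound) {
    Write-Warning "No cifs/ ticket for $($result.Share): review the Kerberos server object and both Intune policies."
}
```

Run it in the same session type the manual check uses; `CachedSpns` lists every ticket in the cache so a missing `cifs/` entry is easy to spot next to the TGT.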