um
"It's important to frequently roll over the Kerberos decryption key of the AZUREADSSO computer account created in your on-premises AD forest.
We highly recommend that you roll over the Kerberos decryption key at least every 30 days."
https://learn.microsoft.com/en-us/entra/identity/hybrid/connect/how-to-connect-sso-faq