Our organization ran an ADFS instance, but it was configured with a Service Account, not with a Group-Managed Service Account (gMSA), which is Microsoft’s recommendation for security reasons. I wanted to change it, without losing any of our configuration. The ADFSToolbox module didn’t seem to support a change to a gMSA, and I could find no supported way to backup our configuration (certificates, transformations, relying trusts) and restore them to a properly configured instance.
To start, my environment is 2 ADFS servers (Windows Server 2019) running the Windows Internal Database (WID) and ADFS Farm Behaviour 4.0.
I needed these tools:
ADFS Toolbox
Visual C++ redistributable (2015-2019)
ODBC Driver 17
SQLCMD
I also referenced the ServiceAccount Module documentation on the old ADFS Toolbox site.
- Create the gMSA you're going to use and configure it, including altering the local security policy on both ADFS servers. The gMSA needs the rights Generate Security Audits and Log On As A Service.
- Install the Visual C++ redistributable on both ADFS servers.
- Install ODBC Driver 17 on both servers.
- Install SQLCMD on both servers.
- Install the ActiveDirectory module for PowerShell on both servers: Add Roles\Features > RSAT > Remote Administrator Tools > AD DS & AD LDS > AD for PowerShell Module.
- Install ADFS Toolbox on both servers via PowerShell. Make sure PowerShell is using TLS 1.2 before trying to install the ADFS Toolbox!
- Import the ADFS Toolbox module on both servers:
  import-module adfstoolbox
- Install AdfsServiceAccountModule on both servers:
  Import-Module "C:\Program Files\WindowsPowerShell\Modules\ADFSToolbox\2.0.17.0\serviceAccountModule\AdfsServiceAccountModule.psm1"
- On the Primary ADFS server, add the gMSA account:
  add-AdfsServiceAccountRule -ServiceAccount adfs-gmsa$ -SecondaryServers adfs02.company.com
- On the Secondary server, run:
  Update-AdfsServiceAccount
  When prompted, set the Operating Mode to #1 - Federation Server.
- On the Primary server, run:
  Update-AdfsServiceAccount
  When prompted, set the Operating Mode to #2 - Final Federation Server.
- The script errored out when trying to update the SPN. If necessary, delete the old SPN:
  setspn -D HOST/STS.COMPANY.COM DOMAIN\adfssvc
  Generate the new SPN:
  setspn -S HOST/STS.COMPANY.COM DOMAIN\ADFS-GMSA$
- Start the ADFSSRV service on the Primary.
- Start the ADFSSRV service on the Secondary.
- Validate that the service is running properly under the new gMSA and that replication is occurring (Get-AdfsSyncProperties).
- Remove the old service account information via the Primary server:
  remove-AdfsServiceAccountRule -ServiceAccount DOMAIN\adfssvc -SecondaryServers adfs02.COMPANY.com
- Clean up the tools and PowerShell modules.
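The validation step above is where most of the failure modes of this migration show up (service still running as the old account, the HOST SPN left on both accounts, missing user rights, broken WID sync). The following script is an added example, not part of the original post or of the ADFS Toolbox; the gMSA name, old account name and federation service name are assumed placeholders, and it is meant to be run elevated on each ADFS server with the ActiveDirectory and ADFS modules available.

```powershell
# Added post-migration check (not from the original post). Placeholders below are assumptions.
param(
    [string]$Gmsa       = 'adfs-gmsa$',       # assumed gMSA sAMAccountName (trailing $)
    [string]$OldAccount = 'adfssvc',          # assumed old service account sAMAccountName
    [string]$FarmHost   = 'sts.company.com'   # assumed federation service name
)
Import-Module ActiveDirectory -ErrorAction Stop
$results = [ordered]@{}

# 1. adfssrv must be running, and its logon account (StartName) must be the gMSA.
$svc = Get-CimInstance Win32_Service -Filter "Name='adfssrv'"
$results['ServiceRunsAsGmsa'] = ($svc.State -eq 'Running') -and ($svc.StartName -like "*\$Gmsa")

# 2. This host must be allowed to retrieve the gMSA password (otherwise the service cannot start).
$results['GmsaUsableHere'] = Test-ADServiceAccount -Identity $Gmsa

# 3. HOST/<farm> must be registered on the gMSA only; a duplicate on the old account breaks Kerberos.
$spn = "HOST/$FarmHost"
$gmsaSpns = (Get-ADServiceAccount -Identity $Gmsa -Properties ServicePrincipalNames).ServicePrincipalNames
$oldSpns  = try { (Get-ADUser -Identity $OldAccount -Properties ServicePrincipalNames).ServicePrincipalNames } catch { @() }
$results['SpnOnGmsa']   = [bool]($gmsaSpns -contains $spn)
$results['SpnNotOnOld'] = -not ($oldSpns -contains $spn)

# 4. Local user rights: SeAuditPrivilege = Generate security audits, SeServiceLogonRight = Log on as a service.
#    secedit exports them as "Right = *SID,*SID,..." so we look for the gMSA's SID on each line.
$cfg = Join-Path $env:TEMP 'secpol-check.inf'
secedit /export /cfg $cfg /quiet | Out-Null
$sid    = (Get-ADServiceAccount -Identity $Gmsa).SID.Value
$policy = Get-Content $cfg
foreach ($right in 'SeAuditPrivilege', 'SeServiceLogonRight') {
    $line = $policy | Where-Object { $_ -like "$right *" }
    $results[$right] = [bool]($line -and ($line -match [regex]::Escape("*$sid")))
}
Remove-Item $cfg -ErrorAction SilentlyContinue

# 5. WID replication: the primary reports Role PrimaryComputer; a secondary is healthy when LastSyncStatus is 0.
$sync = Get-AdfsSyncProperties
$results['SyncRole'] = $sync.Role
$results['SyncOk']   = ($sync.Role -eq 'PrimaryComputer') -or ($sync.LastSyncStatus -eq 0)

[pscustomobject]$results | Format-List
```

Every boolean in the output should be True on both servers before the old service account is removed with remove-AdfsServiceAccountRule.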
References
I derived this article from my Reddit posts on the matter: