Configure Functional Account Requirements in Azure

Follow the steps below to set up Entra ID for use with BeyondTrust Password Safe.

Accounts can be managed with or without multifactor authentication enabled in Azure.

Create Enterprise Application

  1. In Microsoft Azure, go to Enterprise Applications and select New application.
  2. Select Create your own application.
  3. Name your application, select the application type (App you're developing) and click Create.
  4. Update the name if necessary, select the Supported Account Types (this directory only) and click Register.
  5. Under Properties, disable Assignment required and Visible to users, and click Save.

Configure App Registration

  1. In the Overview section, copy the Application (Client) ID and Directory (Tenant) ID. These are needed later to configure the Password Safe functional account.
  2. In the Authentication section, enable Allow public client flows, and click Save.
  3. In the Certificates and secrets section, click New client secret. Enter the Description and an expiration date, and click Add.
  4. Copy the secret Value. This is needed later to configure the Password Safe functional account. The value is displayed only once, immediately after adding the new secret.
  5. In the API permissions section, add Microsoft Graph, and select the type Application permissions.
  6. Add the Microsoft Graph application permissions UserAuthenticationMethod.ReadWrite.All, Domain.Read.All, Group.Read.All, and User.EnableDisableAccount.All.
  7. If User.Read is not already added, select Delegated permissions and add it.
  8. Click Add Permissions.
  9. Click Grant admin consent for your organization, and click Yes on the confirmation message.
  10. From the main menu, select Roles and administrators, then select the Helpdesk administrator role.
  11. Click Add assignments, then assign the application to the Helpdesk administrator role.

This completes configuration in Microsoft Azure. The remaining steps are done in BeyondTrust Password Safe.
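
The portal steps above, scripted with the Microsoft Graph PowerShell SDK as an added example that is not part of the BeyondTrust documentation. It assumes the Microsoft.Graph module is installed and that the signed-in operator holds a role able to create applications, grant admin consent and assign directory roles. The display name, secret description and six-month secret lifetime are constructed placeholders. Permission and role ids are looked up by name from the tenant's own Microsoft Graph service principal and role definitions instead of being hard-coded, and the script finishes with a read-back check that the service principal holds no application permission beyond the four the page lists.

```powershell
# Added example, not BeyondTrust's code: provision the Entra app registration
# described above with the Microsoft Graph PowerShell SDK instead of the portal.
Connect-MgGraph -Scopes "Application.ReadWrite.All",
                        "AppRoleAssignment.ReadWrite.All",
                        "DelegatedPermissionGrant.ReadWrite.All",
                        "RoleManagement.ReadWrite.Directory"

$appName = "PasswordSafe-FunctionalAccount"   # constructed display name

# Microsoft Graph's service principal in this tenant. Its AppRoles carry the
# application-permission ids and its Oauth2PermissionScopes the delegated
# ones, so permission GUIDs are resolved by name rather than hard-coded.
$graphSp = Get-MgServicePrincipal -Filter "appId eq '00000003-0000-0000-c000-000000000000'"

$appPermissionNames = @(
    "UserAuthenticationMethod.ReadWrite.All",
    "Domain.Read.All",
    "Group.Read.All",
    "User.EnableDisableAccount.All"
)
$appRoles = foreach ($name in $appPermissionNames) {
    $role = $graphSp.AppRoles |
        Where-Object { $_.Value -eq $name -and $_.AllowedMemberTypes -contains "Application" }
    if (-not $role) { throw "Graph application permission '$name' not found" }
    $role
}
$userReadScope = $graphSp.Oauth2PermissionScopes | Where-Object { $_.Value -eq "User.Read" }

# Register the app: single tenant ("this directory only"), public client flows
# allowed, and the required Graph permissions declared on the registration.
$requiredAccess = @{
    ResourceAppId  = $graphSp.AppId
    ResourceAccess = @(
        ($appRoles | ForEach-Object { @{ Id = $_.Id; Type = "Role" } }) +
        @(@{ Id = $userReadScope.Id; Type = "Scope" })
    )
}
$app = New-MgApplication -DisplayName $appName `
    -SignInAudience "AzureADMyOrg" `
    -IsFallbackPublicClient:$true `
    -RequiredResourceAccess @($requiredAccess)

# Enterprise application object: "Assignment required" off, and the HideApp
# tag is what the portal's "Visible to users = No" toggle sets.
$sp = New-MgServicePrincipal -AppId $app.AppId -AppRoleAssignmentRequired:$false -Tags @("HideApp")

# Grant admin consent. For application permissions that is an app-role
# assignment from the new service principal to Graph; for the delegated
# User.Read it is an OAuth2 permission grant for all principals.
foreach ($role in $appRoles) {
    New-MgServicePrincipalAppRoleAssignment -ServicePrincipalId $sp.Id `
        -PrincipalId $sp.Id -ResourceId $graphSp.Id -AppRoleId $role.Id | Out-Null
}
New-MgOauth2PermissionGrant -ClientId $sp.Id -ConsentType "AllPrincipals" `
    -ResourceId $graphSp.Id -Scope "User.Read" | Out-Null

# Client secret with an expiry. SecretText is only returned by this call.
$secret = Add-MgApplicationPassword -ApplicationId $app.Id -PasswordCredential @{
    DisplayName = "Password Safe functional account"   # constructed description
    EndDateTime = (Get-Date).AddMonths(6)              # constructed lifetime
}

# Assign the Helpdesk Administrator directory role to the application.
$roleDef = Get-MgRoleManagementDirectoryRoleDefinition -Filter "displayName eq 'Helpdesk Administrator'"
New-MgRoleManagementDirectoryRoleAssignment -PrincipalId $sp.Id `
    -RoleDefinitionId $roleDef.Id -DirectoryScopeId "/" | Out-Null

# Check: read back what was actually consented and flag anything outside the
# four application permissions listed above.
$granted    = (Get-MgServicePrincipalAppRoleAssignment -ServicePrincipalId $sp.Id).AppRoleId
$unexpected = $granted | Where-Object { $_ -notin $appRoles.Id }
if ($unexpected) {
    Write-Warning "Unexpected application permissions granted: $($unexpected -join ', ')"
}

# The three values the Password Safe functional account form asks for,
# plus the date by which the secret has to be replaced.
[pscustomobject]@{
    ApplicationClientId = $app.AppId
    DirectoryTenantId   = (Get-MgContext).TenantId
    ClientSecretValue   = $secret.SecretText
    SecretExpires       = $secret.EndDateTime
}
```

The object returned at the end carries the Application (Client) ID, Directory (Tenant) ID and secret Value that the functional account steps below require; SecretExpires is the date by which the client secret has to be renewed in Entra and updated in the functional account. The closing read-back comparison is the same check to repeat whenever the registration is reviewed, since any permission consented later will show up there.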

BeyondTrust Password Safe Configuration

Create an Entra ID functional account in BeyondInsight.

  1. Go to Configuration > Privileged Access Management > Functional Accounts.
  2. Click Create New Functional Account.
  3. For the Entity Type, select Directory.
  4. For the Platform, select Microsoft Entra ID.
  5. Enter the Username in UPN format.
  6. Enter the previously saved values for the Application (Client) ID, Tenant ID, and Client Secret.
  7. Set the Alias.
  8. Click Create Functional Account.

Create a managed system for the functional account.

  1. Go to Managed Systems.
  2. Click Create New Managed System.
  3. For the Entity Type, select Directory.
  4. For the Platform, select Entra ID.
  5. Enter the Domain, select the Functional Account created above, and select the Account Name Format.
  6. Click Create Managed System.

Create the managed account.

The Managed Account can be created manually or by using a Smart Rule.

To create the Managed Account manually:

  1. Select the Managed System created above.
  2. Click the vertical ellipsis at the right end of the row.
  3. Select Create New Managed Account.
  4. Enter the Username in UPN format, and enter the ObjectId for the User and UPN.

To create the Managed Account using a Smart Rule:

    • Accounts can be onboarded by using Group Name or UPN (starts with/ends with) filters.

For more information on using Smart Rules, please see Work with Smart Rules.