Configure Active Directory Connectors

Configure Active Directory (AD) connectors to discover AD groups in your estate. The Policy Editor queries the Active Directory to populate the group information when adding account filters or designated users.

There are two connector types:

  • Microsoft Entra ID: Searches for Entra ID groups.
  • Local AD: Searches for groups in the local Active Directory environment.

Add an AD connector in Account Filters workstyle in EPM Policy Editor.

After the connectors are set up, the Policy Editor can discover and read information from the Active Directory source. The screen capture shows an example when adding an account filter for a workstyle.


A standard user requires delegated access to the Active Directory Settings page. For more information, see Review EPM Roles.

Add the Microsoft Entra ID Connector

You must create an app registration in Azure before you can configure the Microsoft Entra ID connector here. There can only be one Microsoft Entra ID connector per PMC instance.

  1. Go to Configuration > Active Directory Settings.
  2. Select the Microsoft Entra ID tab, and then select Enable Microsoft Entra ID Integration.
  3. Add the tenant ID and client ID.
  4. Select an authentication method. This depends on the app registration details you configured.

For more information, see Register an Azure Tenant.

Monitoring Entra ID

Microsoft Entra ID health monitoring in Endpoint Privilege Management for Windows and Mac

On the Microsoft Entra ID tab, you can confirm if the integration with Entra ID is working correctly.

  • Monitoring and health indicators help you to respond to issues as they occur.
  • Synchronizing the Policy Editor group index and group membership ensures group information is accurate and current.


Set up the Local AD Connector

Create an on-premises local Active Directory connector that can be queried from the Policy Editor. Adding a local directory makes it easier to add Active Directory users and groups to a policy.

  • You must set up one connector for each local Active Directory.
  • The connector installation is a Windows service installed to the endpoint. The endpoint requires access to the local directory.
  • After the connector is installed and active, the connector is discoverable and available for use.
  • If you disable a connector, then the Policy Editor can no longer query Active Directory.
  • When deleted, the connector is no longer available in the console and must be reinstalled to be available for queries.

To install the local AD connector:

  1. Go to Configuration > Adapter Installation to download the connector.
  2. On the same page, click the AD Connector button to include the connector in the installation string.
  3. After the download is complete, go through the installation wizard to complete the installation.
  4. After the connector is installed, go to Configuration > Active Directory Settings, and select the Local AD tab.
  5. You can edit properties for the connector. The host name is the computer name where the connector is installed; this cannot be changed. You can, however, add a name that is more meaningful.
  6. After saving the connector properties, select the connector menu, and then select Enable Connector. The connector must be enabled before it can query the local AD environment.