Authentication to Endpoint Privilege Management

Portal

Authentication for Endpoint Privilege Management (EPM) is achieved through Azure B2B or OpenID Connect (OIDC). User permissions are managed through role-based access control: each user is granted access to privileged features according to their assigned role and the privileges that role carries.

Azure B2B

Customers using Azure B2B must be part of an Entra ID instance. Their users authenticate with existing corporate means, including any MFA configured within that Entra ID instance. Customers retain full control of the password policy, and BeyondTrust has no visibility of end-user credentials. For the initial user login, an invitation is sent during the fulfillment process; the first administrator's email address must therefore be provided before deployment.

Customers who do not have Entra ID are advised to federate their existing Identity Provider (IdP) with Entra ID so that they can authenticate via this method.

OpenID Connect

Endpoint Privilege Management supports OpenID Connect (OIDC) authentication. Administrators with the required privileges in EPM can switch a customer's authentication method from the default Azure B2B to OpenID Connect, or update existing OpenID Connect settings, without contacting BeyondTrust Support.

EPM supports a range of OpenID authentication providers, including Microsoft Entra ID, Okta OpenID, and Ping Identity Connect.

Once a customer has switched from Azure B2B to OpenID Connect, the change is permanent: there is no way to revert to Azure B2B.

Endpoints

Endpoints are registered with EPM using installation keys, which establish secure communication with the service. Authentication for subsequent interactions with other services is handled via OAuth.