Create a Service Principal in an Azure Active Directory Domain Services Account

Managing Azure Active Directory Domain Services accounts requires a service principal, which is used to give BeyondTrust Vault permission to access Azure AD resources. The following guide describes how to create a new service principal in Azure for BeyondTrust Vault.

Create a Registered App

Sign into Azure and connect to the Azure AD tenant where you wish to manage passwords, then follow the steps below.

  1. On the left menu, click App registrations.
  2. Click + New Registration.
  3. Under Name, enter a unique application name
  4. Under Supported account types, Select Accounts in this organizational directory only.

Azure register new application screen

  1. Click Register.
  2. Select the new registered app from the list of Apps Registrations (if not already visible).


Azure create new secret screen

  1. Click Certificates & secrets on the left menu.
  2. Click +New Client Secret.
  3. Provide a Description and appropriate Expiry. If you select 1 or 2 years, the Service Principal must be refreshed in PRA/RS with a new client secret on the anniversary of its creation.


Azure add new secret screen

  1. Click Add.


Azure display client secret screen

  1. Create a copy of the client secret and store it in a safe place. This is the only time it is displayed. This is needed to add the account to the Vault.


Assign API Permissions to the Registered App

Browse to the application using App registrations in Azure Active Directory, and follow these steps:

  1. Click API Permissions on the left menu.

Azure add api permission screen

  1. Click + Add a permission.
  2. Click Microsoft Graph.
  3. Click Application Permissions.
  4. Search for User.ReadWrite.All and check it in the search results.


Azure request api permissions screen

  1. Search for Directory.Read.All and check it in the search results.
  2. Click Delegated Permissions.
  3. Search for Directory.AccessAsUser.All and check it in the search results.


Azure remove user read permission screen

  1. Click Add permissions.
  2. Remove the User.Read permission that is granted by default by clicking the ellipses menu and selecting Remove permission.


Azure grant admin consent for directory screen

  1. Click Grant Admin Consent for <directory name> to give consent to the app to have those permissions.


Assign Roles to the Registered App

Search Azure for Azure AD roles and administrators, and follow these steps:

Azure add roles to app screen

  1. Search for the role Privileged authentication administrator or User Administrator.
    • Privileged authentication administrator gives the application sufficient permissions to change most user and administrator passwords, including Global Admin.
    • User Administrator gives the application sufficient permissions to change most passwords, with the exception of Authentication Admin, Global Admin, Privileged Authentication Admin, and Privileged Role Admin.
  2. Click the Role or the ellipsis button for role and then click Description.
  3. On the left menu, click Assignments (if not already selected).
  4. Click + Add assignments.
  5. In the Search box, type the name of the registered app that was created earlier. Registered apps are not listed with users and can only be found this way.


Azure add assignment to role screen

  1. The previously created registered app is visible in the search results. Select it and click Add.


Using BeyondTrust Vault with Microsoft Azure Active Directory Domain Services Account requires both an Azure AD license and an Azure AD Domain Services license.

For information about assigning other roles, please see Azure AD built-in roles.