Use BeyondTrust Vault with Microsoft Azure Active Directory Domain Services Account

Administrators can use Vault to discover and manage Azure AD Domain Services accounts. Managing Azure AD Domain Services accounts requires a service principal, which is defined under the relevant domain in the Vault section of the /login interface.

A service principal must be created in Azure before you can add it to the BeyondTrust Vault. Information such as the client secret is obtained from Azure when you create the service principal.

Vault cannot be used with Azure domain controllers other than Azure Active Directory Domain Services.

Discovery job results showing accounts with note "Azure AD Managed" in the Status Column, as well as red note "No Service Principal."

Discovery job results identify Azure AD Managed accounts in the Status column, as well as whether or not the service principal has been added. When the Status displays No Service Principal, the account cannot be selected for import.


For more information on creating a service principal in Azure, please see Create a Service Principal in an Azure Active Directory Domain Services Account.

Add or Edit a Service Principal

Adding or editing a service principal can be done before a discovery job, or after a discovery job has identified accounts that require a service principal.

  1. From the /login interface, navigate to Vault > Domains.
  2. Scroll down to Microsoft Azure AD Service Principals and click +Add.
    • Service principals already added can be edited by clicking the pencil icon at the right end of the row.
    • To delete a service principal, click the trash can icon at the right end of the row. The deletion request must be confirmed.

Deleting a service principal deletes all associated accounts.

Mandatory and optional fields for adding an Azure AD Service Pincipal

  1. Enter the mandatory information:
    • Domain Name
    • Tenant ID
    • Client ID
    • Client Secret
  2. If desired, enter a name to easily identify the service principal.
  3. The service principal can be disabled. This does not remove it, but no actions, such as rotation, can be taken with the account. In the list of discovery results, the account Status is Service Principal Unavailable and Disabled.
  4. Click Save. Service principal details are validated against the details in your Azure tenant.
    • If adding the service principal is successful, the new service principal displays in the list of domains, with the status OK.
    • If adding the service principal fails, the status is Disabled and Failed. Click the pencil icon to return to the edit screen, and review the detailed error message.


  1. Run a discovery job again. In the list of results, the account Status is still Azure AD Managed, but the No Service Principal note does not display. The account can now be selected for import.

If the account is a shadow account, the Status displays "Externally Sourced," and the account is not available for import.

  1. If you have multiple domains for the Azure AD Domain Services instance, repeat the process of adding a service principal for each domain.

On the edit screen for an imported Azure AD account, Azure Active Directory Managed displays at the bottom of the screen.

Rotation, credential injection, and other actions are managed as for other accounts.

Using BeyondTrust Vault with Microsoft Azure Active Directory Domain Services Account requires both an Azure AD license and an Azure AD Domain Services license.