Rotate Privileged Credentials Using BeyondTrust Vault for Privileged Remote Access

It is a security best practice to rotate or change privileged credentials frequently. With BeyondTrust Vault, you can choose to set imported domain credentials to automatically rotate after each use, or you can manually rotate credentials at any time. Two actions trigger the automatic rotation of domain credentials:

  • Manually checking in a credential from the /login interface.
  • Leaving a access session where credential injection has been used.

Local accounts cannot be automatically rotated and require manual rotation from /login.

Rotate Domain and Local Credentials Manually

Screenshot of the BeyondTrust PRA /login header navigation highlighting Vault > Discovery.

  1. From the /login interface, go to Vault > Accounts.
  2. Screenshot of the Accounts section highlighting the Rotate Password option for a credential.

  3. Locate the account you wish to rotate.
  4. Click ....
  5. Click Rotate Password.

Once rotation is complete, the Password Age information updates with a timestamp of "a few seconds".

Configure Automatic Rotation of Domain Credentials

Screenshot of the /login header navigation highlighting Vault > Accounts.

  1. From the /login interface, go to Vault > Accounts.
  2. Locate the domain account you wish to automatically rotate.
  3. Click ....
  4. Screenshot of the Domain Account :: Edit section highlighting the Automatically Rotate option.

  5. Click Edit.
  6. From the edit screen, check Automatically Rotate Credentials.
  7. Click Save Changes.

After each use, the account will automatically rotate.

The Automatically Rotate Credentials setting is not available for local accounts.


For more information, please see Discover Domains, Accounts, and Endpoints.