Create a Service Principal in an Azure Active Directory Domain Services Account
BeyondTrust Vault can manage Azure AD Domain Services accounts. This requires a service principal, which the Vault uses to discover and rotate Azure ADDS accounts.
Create a Registered App
Sign in to Azure and connect to the Azure AD tenant where you wish to manage passwords, and then follow these steps:
- On the left menu, select App registrations.
- Click + New Registration.
- Under Name, enter a unique application name.
- Under Supported account types, select Accounts in this organizational directory only.
- Click Register.
- Select the new registered app from the list of App registrations (if not already visible).
- Select Certificates & secrets from the left menu.
- Click + New client secret.
- Provide a Description and an appropriate Expiry. If you select 1 or 2 years, the service principal must be refreshed in PRA/RS with a new client secret on the anniversary of its creation.
- Click Add.
- Copy the client secret and store it in a safe place. This is the only time it is displayed, and it is needed to add the account to the Vault.
Assign API Permissions to the Registered App
Browse to the application using App registrations in Azure Active Directory, and follow these steps:
- Select API Permissions from the left menu.
- Click + Add a permission.
- Click Microsoft Graph.
- Click Application Permissions.
- Search for User.ReadWrite.All and check it in the search results.
- Search for Directory.Read.All and check it in the search results.
- Click Delegated Permissions.
- Search for Directory.AccessAsUser.All and check it in the search results.
- Click Add permissions.
- Remove the User.Read permission that is granted by default by clicking the ellipses menu and selecting Remove permission.
- Click Grant Admin Consent for <directory name> to give consent to the app to have those permissions.
Assign Roles to the Registered App
Search Azure for Azure AD roles and administrators, and follow these steps:
- Search for the role Privileged authentication administrator or User Administrator.
  - Privileged authentication administrator gives the application sufficient permissions to change most user and administrator passwords, including Global Admin.
  - User Administrator gives the application sufficient permissions to change most passwords, with the exception of Authentication Admin, Global Admin, Privileged Authentication Admin, and Privileged Role Admin.
- Click the role, or click the ellipsis button for the role and then click Description.
- On the left menu, click Assignments (if not already selected).
- Click + Add assignments.
- In the Search box, type the name of the registered app that was created earlier. Registered apps are not listed with users and can only be found this way.
- The previously created registered app is visible in the search results. Select it and click Add.
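The three portal procedures above (register the app and create its client secret, assign and consent to the Microsoft Graph permissions, assign the directory role) can be run as one script with the Microsoft Graph PowerShell SDK. The script below is an added example, not BeyondTrust's own tooling. It assumes the Microsoft.Graph module is installed, that the signed-in operator is allowed to create app registrations, grant admin consent and assign directory roles, and that the application name (BeyondTrust-Vault-AzureADDS) and the role chosen by $RoleName are placeholders picked by the caller. Permission and role identifiers are looked up from the tenant by name rather than hard-coded.

```powershell
# Added example (not BeyondTrust's script): scripts the portal procedure above with the
# Microsoft Graph PowerShell SDK. $AppName and $RoleName are caller-chosen placeholders.
param(
    [string]$AppName  = "BeyondTrust-Vault-AzureADDS",   # hypothetical name
    [ValidateSet("User Administrator", "Privileged Authentication Administrator")]
    [string]$RoleName = "User Administrator",
    [int]$SecretYears = 1
)

$ErrorActionPreference = "Stop"

# Scopes needed by the operator running this script (not by the new app).
Connect-MgGraph -Scopes "Application.ReadWrite.All",
                        "AppRoleAssignment.ReadWrite.All",
                        "DelegatedPermissionGrant.ReadWrite.All",
                        "RoleManagement.ReadWrite.Directory" | Out-Null

# Microsoft Graph's well-known application id; resolve its service principal so the
# permission ids come from the tenant instead of being hard-coded.
$graphSp = Get-MgServicePrincipal -Filter "appId eq '00000003-0000-0000-c000-000000000000'"

$appRoleIds = @("User.ReadWrite.All", "Directory.Read.All") | ForEach-Object {
    $name = $_
    ($graphSp.AppRoles | Where-Object Value -eq $name).Id
}
$delegatedId = ($graphSp.Oauth2PermissionScopes |
    Where-Object Value -eq "Directory.AccessAsUser.All").Id

# Create a Registered App: single-tenant, with exactly the permissions in the procedure.
# Building RequiredResourceAccess explicitly means the default User.Read delegated
# permission the portal adds is never present, so there is nothing to remove.
$resourceAccess = @(
    foreach ($id in $appRoleIds) { @{ Id = $id; Type = "Role" } }
    @{ Id = $delegatedId; Type = "Scope" }
)
$app = New-MgApplication -DisplayName $AppName -SignInAudience "AzureADMyOrg" `
    -RequiredResourceAccess @(@{ ResourceAppId = $graphSp.AppId; ResourceAccess = $resourceAccess })

# Client secret with a fixed expiry; the date is returned so the PRA/RS refresh can be scheduled.
$expiry = (Get-Date).AddYears($SecretYears)
$secret = Add-MgApplicationPassword -ApplicationId $app.Id -PasswordCredential @{
    DisplayName = "BeyondTrust Vault"; EndDateTime = $expiry
}

# The service principal is the object that consent and the directory role attach to.
$sp = New-MgServicePrincipal -AppId $app.AppId

# Assign API Permissions: "Grant admin consent" is one app role assignment per
# application permission plus a tenant-wide OAuth2 grant for the delegated permission.
foreach ($id in $appRoleIds) {
    New-MgServicePrincipalAppRoleAssignment -ServicePrincipalId $sp.Id -PrincipalId $sp.Id `
        -ResourceId $graphSp.Id -AppRoleId $id | Out-Null
}
New-MgOauth2PermissionGrant -ClientId $sp.Id -ConsentType "AllPrincipals" `
    -ResourceId $graphSp.Id -Scope "Directory.AccessAsUser.All" | Out-Null

# Assign Roles: look the directory role up by display name and assign it tenant-wide.
$roleDef = Get-MgRoleManagementDirectoryRoleDefinition -Filter "displayName eq '$RoleName'"
New-MgRoleManagementDirectoryRoleAssignment -PrincipalId $sp.Id `
    -RoleDefinitionId $roleDef.Id -DirectoryScopeId "/" | Out-Null

# Values the Vault needs. ClientSecret is shown only here; store it in the Vault and nowhere else.
[pscustomobject]@{
    TenantId      = (Get-MgContext).TenantId
    ClientId      = $app.AppId
    ClientSecret  = $secret.SecretText
    SecretExpires = $expiry.ToString("u")
    RoleAssigned  = $roleDef.DisplayName
}
```

Run it once per tenant as an administrator; the returned object carries the tenant id, client id and client secret that the Vault account form asks for. A newly created service principal can take a few seconds to replicate, so if the role assignment call reports that the principal does not exist, re-run only that final step. Keep the SecretExpires value with the account record: it is the date on which PRA/RS needs a fresh client secret.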
Using BeyondTrust Vault with a Microsoft Azure Active Directory Domain Services account requires both an Azure AD license and an Azure AD Domain Services license.
For information about assigning other roles, please see Azure AD built-in roles.