Create a Service Principal for an Azure Active Directory Domain Services Account

The BeyondTrust Vault can manage Azure AD Domain Services (Azure ADDS) accounts. Discovery and rotation of those accounts are performed through a service principal in the Azure AD tenant, which this page shows how to register, grant permissions to, and assign a directory role.

Create a Registered App

Sign into Azure and connect to the Azure AD tenant where you wish to manage passwords. Then follow these steps:

  1. On the left menu, select App registrations.
  2. Click + New registration.

Azure register new application screenshot

  3. Under Name, enter a unique application name.
  4. Under Supported account types, select Accounts in this organizational directory only.
  5. Click Register.
  6. Select the new registered app from the list of App registrations (if not already visible).

Azure create new secret screenshot

  7. Select Certificates & secrets from the left menu.
  8. Click + New client secret.
  9. Provide a Description and an appropriate Expiry. The client secret stops working at the end of that period, so whichever expiry you choose (for example 1 or 2 years), the service principal must be refreshed in PRA/RS with a new client secret before the expiry date.

Azure add new secret screenshot

  10. Click Add.

Azure display client secret screenshot

  11. Copy the client secret and store it in a safe place. This is the only time it is displayed. It is needed to add the account to the Vault.


Assign API Permissions to the Registered App

Browse to the application using App registrations in Azure Active Directory, and follow these steps:

  1. Select API permissions from the left menu.

Azure add api permission screenshot

  2. Click + Add a permission.
  3. Click Microsoft Graph.
  4. Click Application permissions.
  5. Search for User.ReadWrite.All and check it in the search results.

Azure request api permissions screenshot

  6. Search for Directory.Read.All and check it in the search results.
  7. Click Delegated permissions.
  8. Search for Directory.AccessAsUser.All and check it in the search results.

Azure remove user read permission screenshot

  9. Click Add permissions.
  10. Remove the delegated User.Read permission that is added by default: click the ellipsis menu for it and select Remove permission.

Azure grant admin consent for directory screenshot

  11. Click Grant admin consent for <directory name> to consent to the app having those permissions. Application permissions have no effect until a Global Administrator or Privileged Role Administrator grants consent; afterwards the Status column for each permission should read Granted for <directory name>.


Assign Roles to the Registered App

Search Azure for Azure AD roles and administrators, and follow these steps:

Azure add roles to app screenshot

  1. Search for the role Privileged Authentication Administrator or User Administrator.
    • Privileged Authentication Administrator gives the application sufficient permissions to change most user and administrator passwords, including Global Admin. Because it can reset Global Administrator passwords, a principal holding this role is as sensitive as a Global Administrator; protect its client secret accordingly.
    • User Administrator gives the application sufficient permissions to change most passwords, with the exception of Authentication Admin, Global Admin, Privileged Authentication Admin, and Privileged Role Admin. Prefer this role unless the Vault must rotate those administrator accounts.
  2. Click the role, or click the ellipsis button for the role and then click Description.
  3. On the left menu, click Assignments (if not already selected).
  4. Click + Add assignments.
  5. In the Search box, type the name of the registered app that was created earlier. Registered apps are not listed with users and can only be found this way.

Azure add assignment to role screenshot

  6. The previously created registered app is visible in the search results. Select it and click Add.
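The three procedures above (register the app and create a secret, add and consent to the Graph permissions, assign the directory role) can be scripted with the Microsoft Graph PowerShell SDK. The script below is an added example, not part of the BeyondTrust documentation or product; the display name, the 1-year secret lifetime and the choice of User Administrator as the least-privileged role are assumptions, and it must be run by a Global Administrator (or Privileged Role Administrator) with the Microsoft.Graph module installed.

```powershell
# Added example (not from the BeyondTrust page): same steps as the portal
# walkthrough, done with the Microsoft Graph PowerShell SDK.
# Assumed values: display name, 1-year secret lifetime, User Administrator role.

$appName  = 'BeyondTrust-Vault-AADDS'    # assumed name
$roleName = 'User Administrator'          # or 'Privileged Authentication Administrator'

Connect-MgGraph -Scopes 'Application.ReadWrite.All',
                        'AppRoleAssignment.ReadWrite.All',
                        'DelegatedPermissionGrant.ReadWrite.All',
                        'RoleManagement.ReadWrite.Directory'

# Microsoft Graph's own service principal; its AppRoles and Oauth2PermissionScopes
# carry the permission IDs, so nothing has to be hard-coded.
$graphSp      = Get-MgServicePrincipal -Filter "appId eq '00000003-0000-0000-c000-000000000000'"
$userRw       = $graphSp.AppRoles               | Where-Object Value -eq 'User.ReadWrite.All'
$dirRead      = $graphSp.AppRoles               | Where-Object Value -eq 'Directory.Read.All'
$accessAsUser = $graphSp.Oauth2PermissionScopes | Where-Object Value -eq 'Directory.AccessAsUser.All'

# 1. Register the app (single tenant). Listing RequiredResourceAccess explicitly
#    means the portal's default delegated User.Read entry is never added, which is
#    what the manual "Remove permission" step achieves.
$app = New-MgApplication -DisplayName $appName -SignInAudience 'AzureADMyOrg' -RequiredResourceAccess @(
    @{
        ResourceAppId  = $graphSp.AppId
        ResourceAccess = @(
            @{ Id = $userRw.Id;       Type = 'Role'  }   # application permission
            @{ Id = $dirRead.Id;      Type = 'Role'  }   # application permission
            @{ Id = $accessAsUser.Id; Type = 'Scope' }   # delegated permission
        )
    }
)

# 2. Client secret. SecretText is returned only by this call: hand it to the
#    Vault, then clear the variable.
$cred = Add-MgApplicationPassword -ApplicationId $app.Id -PasswordCredential @{
    DisplayName = 'BeyondTrust Vault'
    EndDateTime = (Get-Date).AddYears(1)
}
$clientSecret = $cred.SecretText

# 3. Service principal for the app in this tenant.
$sp = New-MgServicePrincipal -AppId $app.AppId

# 4. Admin consent. Application permissions become app-role assignments on the
#    Graph service principal; the delegated scope becomes a tenant-wide
#    (AllPrincipals) OAuth2 permission grant.
foreach ($role in @($userRw, $dirRead)) {
    New-MgServicePrincipalAppRoleAssignment -ServicePrincipalId $sp.Id `
        -PrincipalId $sp.Id -ResourceId $graphSp.Id -AppRoleId $role.Id | Out-Null
}
New-MgOauth2PermissionGrant -ClientId $sp.Id -ConsentType 'AllPrincipals' `
    -ResourceId $graphSp.Id -Scope $accessAsUser.Value | Out-Null

# 5. Directory role assignment at tenant scope ("/").
$roleDef = Get-MgRoleManagementDirectoryRoleDefinition -Filter "displayName eq '$roleName'"
New-MgRoleManagementDirectoryRoleAssignment -RoleDefinitionId $roleDef.Id `
    -PrincipalId $sp.Id -DirectoryScopeId '/' | Out-Null

# The values PRA/RS asks for when the account is added to the Vault.
[pscustomobject]@{
    TenantId     = (Get-MgContext).TenantId
    ClientId     = $app.AppId
    ClientSecret = $clientSecret
    SecretExpiry = $cred.EndDateTime
}
Remove-Variable clientSecret, cred
```

Record the SecretExpiry value somewhere you will see it: the Vault stops discovering and rotating Azure ADDS accounts the moment the secret expires, and the only remedy is to run step 2 again and update the service principal in PRA/RS.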


Using BeyondTrust Vault with Microsoft Azure Active Directory Domain Services accounts requires both an Azure AD license and an Azure AD Domain Services license.

For information about assigning other roles, please see Azure AD built-in roles.