Rotate Privileged Credentials Using BeyondTrust Vault

It is a security best practice to rotate or change privileged credentials frequently. With BeyondTrust Vault, you can choose to set imported domain credentials to automatically rotate after each use, or you can manually rotate credentials at any time. Two actions trigger the automatic rotation of domain credentials:

  • Manually checking in a credential from the /login interface.
  • Leaving a support session where credential injection has been used.

Local accounts cannot be automatically rotated and require manual rotation from /login.

Rotate Domain and Local Credentials Manually

  1. From the /login interface, go to Vault > Accounts.
  2. Screenshot of the Accounts section with the Rotate Password option highlighted.

  3. Locate the account you wish to rotate.
  4. Click the ellipse and then select Rotate Password.

Once rotation is complete, the Password Age information updates with a timestamp of "a few seconds".

Configure Automatic Rotation of Domain Credentials

  1. From the /login interface, go to Vault > Accounts.
  2. Locate the domain account you wish to automatically rotate.
  3. Click the ellipse and then select Edit.
  4. Screenshot of the Domain Account > Edit section highlighting the Automatic Rotation option.

  5. From the edit screen, check Automatically Rotate Credentials.
  6. Click Save.

After each use, the account will automatically rotate.


For more information, please see Discover Domains, Accounts, and Endpoints.