Using Platform Upgrade Center
Note: This feature is being rolled out automatically each month to a selection of Secret Server Cloud customers. If you'd like earlier access, contact your support or account team.
Overview
This documentation is for customers who are already using Secret Server Cloud and want the expanded capabilities of the Delinea Platform with a permanent upgrade.
How the Upgrade Works
The Delinea Platform becomes the login and user-management layer for Secret Server and the other products you access through it. Your vault does not move and your secrets are not copied — the Platform is a different door into the same warehouse. Your existing Secret Server Cloud URL continues to work and currently has no end-of-life date.
During the upgrade, every Platform user is mapped 1:1 to a Secret Server user, and the mapping must be between like-for-like identity sources: Active Directory users map to Active Directory users, Entra ID users to Entra ID users, and local users to local users. The federation settings, the order of the upgrade steps, and the source-matching requirements in this guide all exist to maintain that 1:1 like-for-like mapping. After the upgrade, all user, group, and role edits are made on the Platform (Access > Users/Groups/Roles), and the Platform reflects those changes into Secret Server.
Upgrade Benefits
The Delinea Platform seamlessly extends privileged access management across your company's hybrid, multi-cloud infrastructure. Adaptive controls help IT and cybersecurity teams rapidly meet compliance and reduce risk. The Delinea Platform delivers the following benefits:
-
Decrease Risk: Enhance your security posture by safeguarding privileged access from login to privilege elevation. Proactively address identity-related threats and misconfigurations.
-
More Easily Meet Compliance: Adaptive authorization controls and unified auditing simplify the enforcement and demonstration of compliance requirements.
-
Centralize Control: Manage privileged access across shared credentials and all identities spanning data, applications, cloud, and traditional infrastructure.
-
Scale Your PAM Program: Use the Delinea Platform secure cloud-native architecture to mature your organization through seamless adoption of privilege controls and shared capabilities.
-
Realize Fast ROI: Benefit from wizard-driven setup, configuration, and workflows that are easy to adopt.
-
Benefit from Cloud-Native Resilience: Experience 99.99% uptime.
Learn more about the Delinea Platform and its shared service capabilities.
What Changes
Once the upgrade is complete, the Platform and Secret Server run with unified administration. Role and permission management transfers to the Platform and becomes read-only in Secret Server. Roles are not synchronized back from the Platform to Secret Server — any roles and permissions visible in Secret Server apply only to accounts that exist exclusively in Secret Server.
New roles and role changes made on the Platform do not appear in the Secret Server interface, even though they take effect when users log in through the Secret Server URL. If a role change does not appear to take effect in Secret Server, verify the change in the Platform under Access > Roles.
Users do not appear on the Platform's list of users until they log in to the Platform URL for the first time. From that point on, they log in through the Platform rather than through Secret Server. We strongly recommend having all users log in to the Platform to access Secret Server soon after the upgrade.
What Stays the Same
When Secret Server and the Delinea Platform are integrated, secrets work the same way on the Platform that they always worked on Secret Server. The integrated systems share secrets and pinned folders, as well as administrative privileges, permissions, and access settings.
Secret Server Cloud customers keep everything they know and use today with no disruption to their secrets, workflows, files, or permissions:
-
All secrets, data, and permissions remain intact and accessible.
-
No downtime or disruption to service is expected during the upgrade. The shift to using the Platform exclusively is managed by the customer, including user communication and internal change management.
-
All integrations remain configured.
-
All customizations remain intact.
-
UI differences are minimal.
-
All historical data and audit trails remain visible.
-
All functionality and features you currently have are retained.
-
Your current SLA remains in effect.
-
Your Secret Server SSO remains intact, but you must set up a new SSO integration on the Platform.
-
You can use an existing Web Password Filler (WPF) browser extension to authenticate to the Platform. However, we recommend installing the Credential Manager browser extension to manage passwords, which replaces WPF. See Credential Manager for instructions.
-
If you have a Resilient Secrets replica in the cloud, do not upgrade it.
See this demonstration showing how users can log in to the Delinea Platform and access Secret Server.
About Session Connector
Session Connector continues to work after the Platform upgrade. Session Connector requires Application Accounts created directly in Secret Server — Platform Service Users cannot be used for this purpose. After upgrading to the Platform, existing Secret Server Application Accounts used by Session Connector continue to function as long as they remain in Secret Server.
If you are creating new Session Connector configurations after the upgrade, create the Application Account directly in Secret Server (accessible from the Platform's left-side navigation). For setup instructions, see the Session Connector documentation.
Before You Begin
Before you begin the walk-through demonstration of the Platform Upgrade Center, ensure that Platform Upgrade Center is enabled in Secret Server Cloud by selecting Settings > Platform Upgrade Center. If you can navigate to Platform Upgrade Center, it is enabled on your tenant. If you cannot navigate to it, ensure the following permissions are assigned to the Secret Server Admin role (see Secret Server Permissions):
-
Administer Platform Integration
-
View Platform Integration
-
Migrate Data to Platform
Upgrade Steps
Step 1: Provision a Platform Tenant
Note: Most Secret Server Cloud customers can access the Platform Upgrade Center by default. If you cannot access it, contact your <tenant>.secretservercloud.com/ConfigurationAdvanced.aspx and setting the Delinea Platform Enablement Code to BETTERTOGETHER, then saving. Navigate to Settings > Platform Upgrade Center to confirm access. See Before You Begin if the menu item does not appear.
Warning: The steps below correspond to a walk-through demonstration of the Platform Upgrade Center. We strongly recommend walking through the demonstration as you create a new Delinea Platform tenant and log in. Optional steps are not documented here.
During this process, provide a tenant name that matches your Secret Server Cloud tenant name. For example, if Secret Server Cloud is named Alpha1.secretservercloud.com, your Platform tenant is named Alpha1.delinea.app.
The default region matches your Secret Server Cloud region. If your tenant is in the United States (US), the Platform is also hosted on the US Cloud.
Note: The initial Platform administrator is named cloudadmin@[tenantname]. All processes in this document must be completed by that cloudadmin user. The cloudadmin receives the same Secret Server permissions as the user provisioning the Platform tenant, plus additional Platform Administrator permissions on the Delinea Platform.
Once tenant setup is complete, click Launch Platform. The process automatically logs you in to the Delinea Platform and prompts you to update the cloudadmin account password. Remember the password you set.
After you log in with your new password, navigate to Platform Upgrade Center from the Platform to begin Step 2: Secure Access.
If your current Secret Server Cloud tenant has branding customizations, this step copies those customizations to your Delinea Platform tenant.
Step 2: Secure Access
Warning: Identity policy changes can lock all accounts — including administrators — out of the tenant. Before logging out after any login-affecting change, verify that you can still log in from a fresh private or incognito browser window. For full guidance, see Identity Policies.
On the Platform, user security and login configurations are managed by Identity Policies. If you configure one or more Active Directories using the AD Connector, an Allow List identity policy is required. Although a default policy provides baseline configuration, tailor it to your organizational requirements.
An Allow List identity policy is created automatically in tenants where Active Directory synchronization is used and where the default Platform policies have not yet been modified. The Allow List identity policy mirrors the default policy but is scoped to a specific group membership so that only the specified users can authenticate to the Platform.
Once the membership and configuration of the Allow policy is validated, a Deny policy is also automatically created. This Deny policy blocks access for any users who do not meet the new policy criteria.
Adding users to the "Secret Server Directory Users" group permits them to access the Platform. All existing users and any synchronized users are added to this group where it exists.
To configure these policies manually, see Manual Policy Configuration. Manual configuration is not typically needed.
Step 3: Connect Domains
In this step, install an AD Connector in each forest containing any Active Directory domain currently synchronized with Secret Server.
Basic requirements for Installing the Delinea AD Connector:
-
Windows Server 2019 or newer
-
No outbound SSL inspection
-
Domain-joined to a domain in the forest
Additional notes:
-
Provision an appropriate server to run the connector. You can use the same server running the Distributed Engine, but minimum requirements differ.
-
Directory integration on the Platform works differently than in Secret Server — it creates a connection to the directory for live querying on demand.
-
Configure the connector to migrate Active Directory users or groups for each forest from which Secret Server users are synchronized.
-
If you have no AD domains configured in Secret Server, this step completes automatically and displays: No Active Directory Domains configured in Secret Server and no connectors are required.
Note: Steps 4 and 5 are required only if you are setting up SAML SSO authentication. Otherwise they are optional.
Step 4: Connect Entra ID Tenants
Configure Entra ID on the Delinea Platform to upgrade any Entra ID Directory Services from Secret Server.
This step sets up an Entra ID API integration on the Delinea Platform. It ensures the Platform is configured to handle each Entra ID tenant that Secret Server is currently using for directory synchronization.
An application registration manages OAuth/OIDC integrations with other platforms. It enables the Delinea Platform to securely connect with third-party integrations such as Entra ID. This registration enables the Platform to authenticate and interact with external systems while maintaining security and compliance standards.
Note: When you enable Log-in to Entra ID on the registered app, the Platform configures SAML as the default login protocol and generates a federation provider automatically. You do not need a separate SAML federation provider. If your organization prefers OIDC, navigate to Settings > Federation Providers, open the generated provider, and change the protocol to OIDC. See Entra ID API Integration for setup steps.
The Platform provides two options. Choose one:
-
Creating a Platform-managed app. Recommended if you prefer to configure the Entra ID integration entirely within the Delinea Platform and let Delinea handle creation and management of the necessary Azure components.
-
Creating a customer-managed registered app. Suitable if you prefer to maintain full control over the upgrade and manage Azure resources yourself.
For required roles, see Entra ID API Integration .
-
Click Start. The interface identifies any Entra domain configured in Secret Server that is not yet connected to the Platform.
-
Click Configure Entra ID to navigate to the Entra ID configuration page on the Platform. Complete the upgrade as described in Entra ID API Integration.
-
Return to the Platform Upgrade Center and click Refresh to confirm that the Entra ID tenant is now connected.
-
Mark the step complete and proceed to the next step.
Step 5: Set Up Federation
Warning: A newly created federation provider defaults to Optional user mapping. This default is not appropriate for organizations upgrading from Secret Server: it allows users to log in without mapping to an existing Secret Server identity, creating a second source of user and group information. Always set the mapping option to Required and configure Create local user if unable to map as described below. Misconfigured mapping is the most common cause of the group-overwrite failure described in Troubleshooting.
In this step, configure your federation providers for single sign-on (SSO). Every Platform user must map 1:1 to a Secret Server user from the same kind of identity source — see How the Upgrade Works for the full like-for-like mapping rule. Configure federation providers following the guides in SAML and OIDC Federation. Apply the settings below based on your identity source:
-
Active Directory users: Set the mapping option to Required and ensure Create local user if unable to map is disabled. These settings prevent login unless the user exists in the domain, and ensure the Platform has access to all associated data such as group membership and enabled state.
-
Non-domain users: If the federation source is for users not currently associated with a domain in Secret Server, set the mapping option to Required and ensure Create local user if unable to map is enabled. These settings create all users as Delinea Platform Directory users rather than Federated Directory users, which assists the migration process.
-
Add all UPN suffixes or login domains to the list of domains at the bottom of the federation configuration. This determines which usernames trigger redirection to this identity provider (IdP), and which domain connectors are used for finding domain users.
When all required IdPs are configured on the Platform, manually mark the step as complete.
Step 6: Synchronize Data
Check and synchronize Secret Server users, groups, and roles into the Delinea Platform Identity Store.
The Upgrade Center moves the data required for the Platform to correctly associate, map, and authenticate local users, facilitating an enhanced login experience on the Delinea Platform.
Simple Mode and Advanced Mode
The Synchronize Data step offers two modes: Simple Mode and Advanced Mode.
Simple Mode
Simple Mode is the default when there are no pre-check errors and no prior synchronizations. It provides a streamlined, one-click process that synchronizes all users, groups, and roles to the Delinea Platform at once. Simple Mode is functionally equivalent to selecting all groups and synchronizing in Advanced Mode, and includes TOTP configuration.
To use Simple Mode, click Start. The interface displays the total count of items to synchronize for each type (users, groups, roles), and progress bars track the synchronization of each. When synchronization completes without errors, the step is marked as complete.
Note: If an error occurs during a Simple Mode synchronization, the step automatically switches to Advanced Mode and disables the mode toggle. Review the errors in detail and address them individually before re-running the synchronization.
Advanced Mode
Advanced Mode provides full controls for selectively synchronizing groups, reviewing pre-check results, and managing exclusions.
Note: When in Advanced Mode, migrate a small number of users first and validate the process and user functionality before migrating larger batches.
Advanced Mode is used automatically in the following situations:
-
Pre-check errors are detected in your environment.
-
A synchronization has already been run (whether from Simple Mode or Advanced Mode).
-
An error occurred during a Simple Mode synchronization.
In any of these cases, the mode toggle is disabled and the step remains in Advanced Mode.
Switching Between Modes
When the mode toggle is enabled (no pre-check errors and no prior synchronizations), you can switch between Simple Mode and Advanced Mode freely. The Ready to Start text updates to reflect the selected mode. Once a synchronization begins in either mode, or if pre-check errors are present, the toggle is disabled and cannot be changed.
When targeting local groups for migration, the following data is copied into the Platform Identity Service:
Secret Server Roles
All roles in Secret Server are copied into the Platform database, prepended with Secret Server. For example, the Administrator built-in role in Secret Server becomes the Secret Server Administrator role on the Platform.
Local Users
Users are copied from Secret Server Cloud into the Delinea Platform, including the password hash, so they can log in to the Platform with their existing Secret Server username and password. Thycotic One users are invited to the Delinea Platform to set a password for their account.
Local Groups
New Platform groups are created with the same name as the existing Secret Server groups, and membership is updated to match. These groups are set to Managed by Platform and become read-only in Secret Server.
Associations Between Local Groups and Domain Users with the AD Connector
All domain users that belong to upgraded groups are looked up in the domain via the AD Connector, and an association is made to the user in Secret Server. When Secret Server needs information about the user, it requests it from the Platform. Once the user logs in, the Platform associates them with the group.
Associations Between Local Groups and Secret Server Roles
Any Secret Server group selected for migration becomes a member of the Platform role associated with the Secret Server role attached to that group. For example, a Break-Glass Admins group that is currently a member of the Administrator role in Secret Server becomes a member of the Secret Server Administrator role on the Platform.
Before and after migrating a group, users and groups remain unchanged in Secret Server, aside from new metadata that provides information on looking up those objects in the Platform.
At this point, users can authenticate to either Secret Server or the Delinea Platform, with equivalent access and experience aside from minor UI differences.
Migrate a small number of users first and validate the process before migrating larger batches.
Step 7: Complete the Upgrade
This is the final step for unifying management after all local users, groups, roles, and permissions have been copied to the Delinea Platform.
In this step, you transfer management of roles and permissions to the Delinea Platform as the authority.
Role and permission management in Secret Server changes to read-only. Users and groups are fully orchestrated by the Platform, and any updates to Platform objects (user details, membership changes, and so on) are reflected in Secret Server.
The diagram below shows the information flow once this step is completed.
Figure: Information flow after completing the upgrade
After completing this step, disable User Synchronization in Secret Server's Directory Services configuration. The Delinea Platform is now the single live source for user, group, and role information; leaving Secret Server's directory synchronization enabled creates a second source and can cause the group-membership conflicts described in Troubleshooting.
Note: [NEEDS CONFIRMATION: Confirm the exact steps to disable User Synchronization in Secret Server Directory Services — for example, Admin > Directory Services > [domain name] > Edit > disable synchronization. Verify the precise UI path before publishing and replace this placeholder with numbered steps.]
After this step, we strongly recommend having all users log in via the Delinea Platform and access Secret Server from there. See this demonstration.
Troubleshooting Group Sync
Platform Group Sync Overwrites Secret Server Groups Every Four Hours
This issue affects Secret Server customers who opted in to the Delinea Platform with federated directory users on the Platform and all of the following configured and working:
-
Active Directory synchronization
-
The AD Connector
-
Group mapping
Symptoms:
-
Secret Server users are stripped of their group memberships.
-
The administrator receives the error: No internal user found for mapping the external user.
Root cause: Federation providers were left at the default Optional user mapping setting. This allows federated users to log in without matching an existing directory user, which triggers group overwrites on every sync cycle. To prevent this issue, follow the mapping settings in Step 5: Set Up Federation.
Resolution:
-
Remove all federated users from the Platform.
-
Navigate to the Users page.
-
Select the box next to a user from a federated directory.
-
Click Delete at the top right of the page.
-
Repeat steps b and c until all federated users are deleted.
-
-
Set user mapping to Required on each federation provider.
-
Reset user mappings.
The next time those federated users log in to the Platform, they should no longer experience group issues.
What to Do Next
Now that you are fully integrated into the Delinea Platform, you can leverage the following applications:


