Entra ID Secret Template for RPC

Overview

For setting up the password changer itself, see Configuring an Azure AD or Entra ID Password Changer

Introduction

This document briefly discusses using Secret Server Remote Password Changing (RPC) for Entra ID accounts. With RPC, a secret can automatically change the remote account's password when the secret expires, either immediately or on a defined schedule, and the strength and other qualities of the new passwords are fully configurable. See the Password Changer List for a complete list of available password changers.

Secret Server has supported Azure AD remote password changing for several years. This overhaul adds a new password changer and secret template that use OAuth application credentials (an app registration's tenant ID, client ID, and client secret) as the privileged account that changes a user's password. In July 2023, Microsoft rebranded Azure AD as Microsoft Entra ID for consistency with its other Entra cloud products.

Entra ID

Entra ID is Microsoft's cloud-based identity and access management (IAM) solution. Key points about Entra ID:

  • It is a directory and identity management service that operates in the cloud and provides authentication and authorization services for various Microsoft services like Microsoft 365, Dynamics 365, and Microsoft Azure.

  • Entra ID enables a single sign-on experience for users, regardless of whether their applications are cloud-based or on-premises.

  • It offers multiple authentication methods including password-based, multi-factor, smart card, and certificate-based authentication.

  • Entra ID includes security features like Conditional Access policies, risk-based authentication, and identity protection.

  • Entra ID provides benefits to different members of an organization based on their roles, such as giving IT admins control over app access, enabling developers to easily integrate single sign-on, and providing a unified identity management solution for Microsoft 365, Azure, and Dynamics 365 subscribers.

In summary, Entra ID is Microsoft's comprehensive cloud-based identity and access management solution that helps organizations securely manage identities and access across their Microsoft services and applications.

Template Benefits

  • Supports MFA: the privileged account is an application, not an interactive user, so tenant MFA policies do not block the credential used for password changes

  • Does not require PowerShell

Creating an Entra ID Secret and Assigning it to Individual-Account Secrets

To create a privileged secret and assign it to individual account secrets:

  1. Create a secret of the “Azure Application Registration” type.

  2. Enter values for these fields:

    • Tenant ID

    • Client ID

    • Client Secret

  3. Save the secret.

  4. For each Entra ID user whose password the application registration is permitted to manage, create a secret of the "Entra ID User Account" type.

  5. Enter values for these fields:

    • Username

    • Password

  6. For Entra ID user accounts, heartbeat and password changing only work when a privileged account of the "Azure Application Registration" type is set. To set that:

    1. Click the Remote Password Changing tab for the secret.

    2. Click Edit under RPC/Autochange.

    3. Under Change Password Using, select Privileged Account Credentials.

    4. Click “No Secret Selected”. A list of eligible Secrets appears.

    5. Select a secret whose application credentials have permission to change the user account's password. If no secrets appear, check that at least one secret of the Azure Application Registration type exists and is visible to the logged-in user.

Until a privileged account is set, heartbeat and RPC are unavailable for the secret, and any scheduled heartbeat or automatic password change will fail.