Entra ID Secret Template for RPC

Overview

For setting up the password changer itself, see Configuring an Azure AD or Entra ID Password Changer

Introduction

This document briefly discusses using Secret Server Remote Password Changing (RPC) for Entra ID accounts. With RPC secrets can automatically change remote account passwords when a secret expires, either immediately or on a defined schedule. In addition, the new passwords’ strengths and other qualities are completely configurable. See the Password Changer List for a complete list of available password changers.

Secret Server has supported Azure AD remote password changing for several years, this overhaul creates a new password changer and template which use Oauth application credentials as a privileged account, to change a user password.

In July 2023, Microsoft rebranded Azure AD to Microsoft Entra ID to improve consistency with its other Entra cloud products.

Entra ID

Entra ID is Microsoft's cloud-based identity and access management (IAM) solution. Key points about Entra ID:

  • It is a directory and identity management service that operates in the cloud. It provides authentication and authorization services for various Microsoft services like Microsoft 365, Dynamics 365, and Microsoft Azure.

  • Entra ID enables a single sign-on experience for users, regardless of whether their applications are cloud-based or on-premises.

  • It offers multiple authentication methods including password-based, multi-factor, smart card, and certificate-based authentication.

  • Entra ID includes security features like Conditional Access policies, risk-based authentication, and identity protection.

  • Entra ID provides benefits to different members of an organization based on their roles. This can include giving IT admins control over app access, enabling developers to easily integrate single sign-on, and providing a unified identity management solution for Microsoft 365, Azure, and Dynamics 365 subscribers.

In summary, Entra ID is Microsoft's comprehensive cloud-based identity and access management solution that helps organizations securely manage identities and access across their Microsoft services and applications.

Template Benefits

  • Supports MFA

  • Does not require PowerShell

Creating an Entra ID Secret and Assigning it to Individual-Account Secrets

The following steps are meant for users who either utilize an App Registration created during Discovery or already know how to create a separate App Registration in Entra ID. This is a prerequisite to proceed and If you do not have this set up, see Entra ID Discovery to create and configure an App Registration in Entra ID.

To create a privileged secret and assign it to individual account secrets:

  1. Access Secrets > All secrets and create a secret of the Azure Application Registration type.

  2. Type in values for these fields:

    • Secret name

    • Client ID

    • Client Secret

    • Tenant ID

  3. Click Create secret.

  4. For each Entra ID user that corresponds to the above credentials, create a secret of the Entra ID User Account type.

  5. Type in values for the following fields:

    • Secret name

    • Username

    • Password

    • Domain and Notes are optional fields

  6. For Entra ID user accounts, heartbeat and password changing will only work if a privileged account of the Azure Application Registration Account type is set:

    1. Click the Remote Password Changing tab for the secret you just created.

    2. Click Edit under RPC / Autochange.

    3. Select the Privileged Account Credentials radio button for the Change Password Using option.

    4. Click No Secret Selected. A list of eligible Secrets appears.

    5. Select a secret with credentials that would have permissions over the user account. If no secrets appear, check that there are secrets of the Azure Application Registration type that are visible to the logged in user.

Until a privileged account is set, heartbeat and RPC options are unavailable and will fail if running automatically.