Configuring an Azure AD or Entra ID Password Changer

The built-in templates use Microsoft Graph in Entra ID (Azure AD). The password changer works based on a combination of items including:

  • Entra ID tenant ID.
  • Client ID (originates from an app registration in Azure AD or Entra ID).
  • Client secret (originates from an app registration in Azure AD or Entra ID).
  • Username of the managed user in UPN format (username@domain).
  • Password of the managed user.
  • New password of the managed user generated by the Secret Server password changer.

The built-in templates are designed to perform the password change as the application registration itself, in order to facilitate managing MFA-protected accounts. The heartbeat functionality is designed for both MFA and non-MFA protected accounts using error-handling logic.

The authentication flow is based on the resource owner password credentials grant flow. This flow is not recommended for regular use but is being used in this case because the script is designed to run as a service account, and the user account being interacted with is managed by secret-server. For password changing and validation, the actual account credentials are acquired without human interaction. This enables the script to manage accounts that are also protected with MFA.

Requirements

See Minimum Permissions for Entra ID RPC for information on the required permissions.

  • A valid Entra ID tenant.

  • A dedicated app registration for the password changer:

  • The username should be stored in UPN format (username@domain.com) for the password changer to function.

  • User Administrator permissions are needed to configure Entra ID RPC.

Task 1: Creating an App Registration

The application registration provides the password changer with the permissions to perform the password change. The following steps are required to create the application registration:

  1. Log into the Entra ID or Azure AD Portal (https://portal.azure.com).

  2. Navigate to Microsoft Entra ID.

  3. Navigate to App Registrations.

  4. Click New Registration.

  5. Provide a name for the application registration. You will need this name later in the instruction.

  6. Select the account type (single tenant or multi-tenant).

  7. Optionally, provide a redirect URI.

  8. Click Register. Make note of the application (client) ID, which is required when creating the corresponding secret in secret-server.

  9. While still on the App Registration page, navigate to Manage > Certificates & Secrets.

  10. Click New Client Secret.

  11. Provide a description for the client secret.

  12. Select an expiration date.

  13. Click Add.
    Make note of the client secret value, which is required when creating the corresponding secret in Secret Server.

  14. Navigate to API Permissions.

  15. Check if the following API permission is assigned: User.Read. If not assigned add the permission by:

    1. Clicking Add a Permission.

    2. Selecting Microsoft Graph.

    3. Selecting Delegated Permissions.

    4. Choosing the User.Read permission.

  16. Click on Grant Admin Consent for the respective tenant button. This completes the creation of the application registration.

Task 2: Providing the Password Changer App the Permissions to Manage Users

See Minimum Permissions for Entra ID RPC for more on this topic.
  1. If necessary, log into the Azure Portal (https://portal.azure.com)
  2. Navigate to Microsoft Entra ID.
  3. Navigate to Manage > Roles and Administrators.
  4. In the search bar, search for the role (such as Global Administrator). We recommend the Privileged Authentication Administrator role.
  5. Click the role name in the resulting list.
  6. Click Add Assignments.
  7. Search for and select the previously created application registration.
  8. Click Add.

Task 3: Creating an Azure App Registration Secret in secret-server

  1. Log into secret-server or platform.

  2. Navigate to Secrets.

  3. Click Create Secret.

  4. Select the template to store the application registration information (Azure Application Registration).

  5. Fill out the required fields with the information from the application registration:

    • Secret Name (for example, Delinea Entra ID Password Changer).
    • Client ID.
    • Client Secret, which you created earlier when creating the app registration (recorded in an task earlier step).
    • Tenant ID, which you can retrieve from Entra ID, specifically, the Directory (tenant) ID property.
    • Application ID, can be added to the notes for reference. You can retrieve this ID from the Application Registration > Application (client) ID (noted down in an task earlier step).

  6. Click Create Secret.

Task 4: Associating the Privileged Account with the Entra ID Account Secret

To correctly use the password changer, the privileged account must be associated with the Entra ID User Account secret:

  1. Log into secret-server or platform.
  2. Navigate to Secrets.
  3. Locate your secret(s) based on the Entra ID User Account template.
  4. Click on the secret.
  5. Click Remote Password Changing.
  6. Select Privileged Account Credentials on the Change Password Using selection button.
  7. Click No Secret Selected. A list of eligible secrets appears.
  8. Search for and select the earlier-created Azure Application Registration secret.
  9. Click Save.

Task 5: Testing the Configuration

If all went well, you now should have:

  • A secret in secret-server for the application registration.
  • An Entra ID User Account secret (not covered in this guide).
  • The application registration secret associated with the Entra ID User Account secret.

To test the configuration, you can start with performing a heartbeat on the Entra ID User Account secret:

  1. Log into secret-server.
  2. Navigate to Secrets.
  3. Locate your secret based on the Azure AD Account template.
  4. Click the secret.
  5. Click Heartbeat. After a few moments the heartbeat should complete successfully.

To further test the configuration, you can change the password of the Entra ID User Account secret:

  1. Log into secret-server.
  2. Navigate to Secrets.
  3. Locate your secret based on the Entra ID User Account template.
  4. Click the secret.
  5. Click Change Password Now.
  6. Select Randomly Generated or Manual (and enter a password).
  7. Click Change Password.