Minimum Permissions for Entra ID RPC

For the complete setup for Entra ID RPC, see Configuring an Azure AD or Entra ID Password Changer.

Secret Server requires proper permissions to perform remote password changing (RPC). The privileged Secret Server RPC service principal used for RPC of an Entra ID user account secret must be assigned to the User Administrator role.

Assigning a Secret to the User Administrator Role

Log into the Entra ID or Azure AD Portal (https://portal.azure.com).
Go to Microsoft Entra ID > Roles and Administrators.
Select the User Administrator role.
Click Add Assignments.
Search for the desired service principal. This is the account to give permissions to, in this case, the registered application.
Click Add.

These permissions will only work for non-administrator accounts. For administrator accounts, users need to have at least Privileged Authentication Administrator permissions. For more information about the Entra ID secret template, see Entra ID Secret Template for RPC.

Assigning the Privileged Authentication Administrator Role for Administrator Accounts

To perform remote password changing for Entra ID administrator accounts, the service principal must be assigned the Privileged Authentication Administrator role.

Locate the service principal:
1. In the Microsoft Entra admin center, go to Azure Active Directory > App registrations.
2. Find the app registration you want to manage and note its Application (client) ID.
Find the corresponding service principal:
1. Go to Azure Active Directory > Enterprise applications.
2. Search for the application name or filter by the Application (client) ID.
Assign the role:
1. Select the service principal.
2. Navigate to Roles and administrators, then click Add assignments.
3. Search for and select the Privileged Authentication Administrator role.
4. Choose the user, group, or service principal.
5. Click Add to finalize the assignment.

See Entra ID service principal for more details.