Create an Azure AD PAM provider

The following guide provides steps to create an Azure AD user PAM provider for Devolutions Hub Business.

Create an Azure AD PAM provider

In the Azure Portal

1. In a browser page, open the Microsoft Azure Portal and sign in to your account.
2. Select Microsoft Entra ID (formerly Azure Active Directory) in the Azure Services section. If you do not see it, click on More services to make other services appear.

   

3. In App registrations, click on New registration.

   

4. Set the Name of the new registration.

   

5. Click Register at the bottom when done. You will be presented with an overview of your application.
6. Locate the Application (client) ID and Directory (tenant) ID. You will need this information in later steps, so do not close this window.

   

In Devolutions Hub Business

7. Connect to your hub.

8. Go to Administration – Privileged Access – Providers.

9. Click on Add Provider (+).

   

10. Enter a Name (mandatory) for your provider. Optionally, enter a Description and select a Password template.

    

11. Enter the Tenant ID and Client ID that you previously located in the Overview page of the enterprise application in your Azure Portal.

    

    Do not close the provider settings window as you still need to enter the Secret key. Follow the steps below to create a client secret.

Create a client secret

In the Azure Portal

1. In Certificates & secrets, select Client secrets, then click on New client secret.

   

2. Enter a Description and set an expiry date (or use the recommended one).

   

3. Click Add.
4. Copy the Value of your new client secret (not the Secret ID).

   

In Devolutions Hub Business

5. Paste the client secret Value in the Secret key field.

   

6. Click Add.

Your new provider has now been added to the list of Providers.

Set API permissions

In the Azure Portal

1. In your recently created application page, go to API permissions and click on Add a permission.

   

2. Select Microsoft Graph.

   

3. Select Application permissions.

   

4. Locate and check the boxes next to the following Microsoft Graph API permissions:
   • Group.Read.All
   • RoleManagement.Read.Directory
   • User.Read.All

1. Click on Add permissions at the bottom.

2. Click on Grant admin consent for [your organization], then confirm by clicking Yes.

   

   The Status next to each permission should now be updated.

Enable the application to rotate passwords

In the Azure Portal

1. Go back to Microsoft Entra ID, then go to Roles and administrators in the left menu.

   Make sure to go back to the main overview of Microsoft Entra ID. If you go to Roles and administrators while in the overview of your app registration or enterprise application, for example, you will only have access to administrative roles that are available for that section.

2. In All roles, search for the Helpdesk Administrator role. If the accounts managed by the PAM module are members of any administrator roles or groups, then also search for the Privileged Authentication Administrator role and complete the next steps for both roles.

3. Click on the name of the role (do not check the box).

   

4. Click on Add assignments.

   

5. Click on No member selected.

   

6. Search through the list to find the application.

7. Check the box next to the application, then click Select.

   

8. Click Next.

   

9. Enter a justification for the assignment, then click Assign.

   

   Your application has now been added to the list.

   If the accounts managed by the PAM module are members of any administrator roles or groups, remember to complete the above steps with the Privileged Authentication Administrator role as well.