Create an Azure AD PAM provider

The following guide provides steps to create an Azure AD user PAM provider for Devolutions Server.

In the Azure Portal

  1. In a browser page, open the Microsoft Azure AD Portal and sign in to your account.
  2. Select Microsoft Entra ID in the Azure Services section. If you do not see it, click on More services to make other services appear.

Microsoft Entra ID
Microsoft Entra ID

  1. In App registrations, click on New registration.

App registrations – New registration
App registrations – New registration

  1. Set the Name of your application.
  2. Click Register at the bottom when done.

Set the Name and click Register
Set the Name and click Register

In Devolutions Server

  1. Connect to your Devolutions Server.
  2. Go to Administration – Privileged Access – Providers, then click on Add.

Administration – Privileged Access – Providers – Add
Administration – Privileged Access – Providers – Add

  1. Select Azure AD User as the new PAM provider, then click Continue.

Add New PAM Provider – Azure AD User
Add New PAM Provider – Azure AD User

  1. In the Provider window, enter a Name (mandatory) and a Description (optional) for your new Azure AD User PAM Provider. If need be, select a Password template in the drop-down list.

Name, Description, and Password template
Name, Description, and Password template

In the Azure Portal

  1. In the Overview of your new app registration, copy the Directory (tenant) ID.

Copy the Directory (tenant) ID
Copy the Directory (tenant) ID

In Devolutions Server

  1. Paste the ID copied in the previous step in the Tenant ID field.

Tenant ID
Tenant ID

In the Azure Portal

  1. Still in the Overview of your new app registration, copy the Application (client) ID.

Copy the Application (client) ID
Copy the Application (client) ID

In Devolutions Server

  1. Paste the ID copied in the previous step in the Client ID field.

Client ID
Client ID

In the Azure Portal

  1. In Certificates & secrets, click on Client secrets, then on New client secret.

New client secret
New client secret

  1. In the Add a client secret window, enter a Description and select an expiration date for this client secret, as per your best internal security practices.

Add a client secret
Add a client secret

  1. Click Add.
  2. Copy the Value of this new client secret by clicking on the Copy to clipboard icon next to it.

Copy the Client Secret Value
Copy the Client Secret Value

In Devolutions Server

  1. Paste the value copied in the previous step in the Secret key field.

Secret key
Secret key

  1. Test the connection to see if it works, then click Save. The Scan Configuration window will appear: keep it open as it will be filled in a later step.

In the Azure Portal

Assigning API permissions as described in steps 20 to 26 is only useful if you want to perform Azure accounts discovery (scan). If this is not the case, to avoid assigning unnecessary permissions to the application, skip to step 27.

  1. In API permissions, click Add a permission.

API permissions – Add a permission
API permissions – Add a permission

  1. In the Resquest API permissions window, select Microsoft Graph.

Microsoft Graph
Microsoft Graph

  1. Click Application permissions, then check the boxes next to the following Microsoft Graph API permissions to select them:

    • Group.Read.All
    • RoleManagement.Readwrite.Directory
    • User.Read.All

    Select API permissions
    Select API permissions

Use the filter bar above the permissions list to find the ones you are looking for.

  1. When all the above permissions have been selected, click Add permissions at the bottom.
  2. The list of permissions will be updated to include those just selected. Remove any other unnecessary permissions using the ellipsis button next to them.

Remove Unnecessary Permissions
Remove Unnecessary Permissions

  1. The permissions require admin consent. Click on the Grant admin consent for < Your Organization > button, then click Yes to confirm.

Grant admin consent for your organization
Grant admin consent for your organization

  1. To confirm that the admin consent has been granted, check the Status of your permissions.

Granted Status
Granted Status

  1. To grant the application the ability to rotate passwords, leave the App registrations to go back to Azure Active Directory, then select Roles and administrators in the left menu.
  2. In All roles, click on the Helpdesk Administrator role. If the accounts managed by the PAM module are members of any administrator roles or group –or if Privileged Identity Management (PIM) is used–, then the application needs the Privileged Authentication Administrator role.

All roles – Helpdesk Administrator
All roles – Helpdesk Administrator

  1. In Assignments, click on the Add assignments button.

Helpdesk Administrator – Add assignments
Helpdesk Administrator – Add assignments

  1. Filter the list to find the Azure application previously created, select it, then click Add.

Add assignments
Add assignments

Your new assignment should now be displayed in Assignments.

In Devolutions Server

  1. The last steps are dedicated to configuring a scan for this provider. In the Scan Configuration window that appeared when you saved your provider configuration in step 19, under General, enter a Name for this configuration.

Scan Configuration Name
Scan Configuration Name

  1. Under Configuration, select Groups or Roles in the Search mode drop-down list. You can filter the Search mode for specific Azure AD groups or roles by clicking on the Edit button next to the drop-down list.

Scan Configuration Search mode
Scan Configuration Search mode

  1. Click OK when the configuration is done.
  2. In Devolutions Server, go to Administration – Privileged Access – Scan Configurations. If the Start Scan on Save option was left enabled during the scan configuration, the scan should have started by itself. During the process, the Status column displays an hourglass icon next to the scan entry.

Administration – Privileged Access – Scan Configurations
Administration – Privileged Access – Scan Configurations

  1. When the process is complete, the hourglass icon changes to a green check mark. At that point, select accounts and import them into the privileged accounts like any other type of privileged account.
Devolutions Forum logo Give us Feedback