Create an Azure AD PAM provider

The following guide provides steps to create an Azure AD user PAM provider for Devolutions Server.

In the Azure Portal

  1. In a browser page, open the Microsoft Azure AD Portal and sign in to your account.
  2. Select Azure Active Directory in the Azure Services section. If you do not see it, click on More services to make other services appear.
    Azure Active Directory Service
  3. In App registrations, click on New registration.
    App registrations – New registration
  4. Set the Name of your application.
    Register an application
  5. Click Register at the bottom when done.

In Devolutions Server

  1. Connect to your Devolutions Server.
  2. Go to Administration – Privileged Access – Providers, then click on Add.
    Administration – Privileged Access – Providers – Add
  3. Select Azure AD User as the new PAM provider, then click Continue.
    Add New PAM Provider – Azure AD User
  4. In the Provider window, enter a Name (mandatory) and a Description (optional) for your new Azure AD User PAM Provider. If need be, select a Password template in the drop-down list.
    Name, Description, and Password template

In the Azure Portal

  1. In the Overview of your new app registration, copy the Directory (tenant) ID.
    Copy the Directory (tenant) ID

In Devolutions Server

  1. Paste the ID copied in the previous step in the Tenant ID field.
    Tenant ID

In the Azure Portal

  1. Still in the Overview of your new app registration, copy the Application (client) ID.
    Copy the Application (client) ID

In Devolutions Server

  1. Paste the ID copied in the previous step in the Client ID field.
    Client ID

In the Azure Portal

  1. In Certificates & secrets, click on Client secrets, then on New client secret.
    New client secret
  2. In the Add a client secret window, enter a Description and select an expiration date for this client secret, as per your best internal security practices.
    Add a client secret
  3. Click Add.
  4. Copy the Value of this new client secret by clicking on the Copy to clipboard icon next to it.
    Copy the Client Secret Value

In Devolutions Server

  1. Paste the value copied in the previous step in the Secret key field.
    Secret key
  2. Test the connection to see if it works, then click Save. The Scan Configuration window will appear: keep it open as it will be filled in a later step.

In the Azure Portal

Assigning API permissions as described in steps 20 to 26 is only useful if you want to perform Azure accounts discovery (scan). If this is not the case, to avoid assigning unnecessary permissions to the application, skip to step 27.

  1. In API permissions, click Add a permission.

    API permissions – Add a permission

  2. In the Request API permissions window, select Microsoft Graph.

    Microsoft Graph

  3. Click Application permissions, then check the boxes next to the following Microsoft Graph API permissions to select them:

    • Group.Read.All
    • RoleManagement.ReadWrite.Directory
    • User.Read.All
      Select API permissions

    Use the filter bar above the permissions list to find the ones you are looking for.

  4. When all the above permissions have been selected, click Add permissions at the bottom.

  5. The list of permissions will be updated to include those just selected. Remove any other unnecessary permissions using the ellipsis button next to them.

    Remove Unnecessary Permissions

  6. The permissions require admin consent. Click on the Grant admin consent for < Your Organization > button, then click Yes to confirm.

    Grant admin consent for your organization

  7. To confirm that the admin consent has been granted, check the Status of your permissions.

    Granted Status

  8. To grant the application the ability to rotate passwords, leave App registrations and go back to Azure Active Directory, then select Roles and administrators in the left menu.

  9. In All roles, click on the Helpdesk Administrator role. If the accounts managed by the PAM module are members of any administrator roles or groups, then the application needs the Privileged Authentication Administrator role instead.

    All roles – Helpdesk Administrator

  10. In Assignments, click on the Add assignments button.

    Helpdesk Administrator – Add assignments

  11. Filter the list to find the Azure application previously created, select it, then click Add.

    Add assignments
    Your new assignment should now be displayed in Assignments.
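The following script is an added example, not part of this guide or of Devolutions Server: it performs the same client-credentials token request that the Test connection step exercises, then inspects the token's roles claim to confirm that exactly the three Microsoft Graph application permissions listed above were granted admin consent, flagging anything missing or extra. The tenant ID, client ID and client secret are assumed to be the values copied in the steps above; the sample token used when running it offline is constructed and unsigned.

```python
"""Audit the Graph application permissions granted to the PAM provider's app registration.

Added example (not Devolutions Server code). Assumes the Tenant ID, Client ID and
Secret key from the steps above.
"""
import base64
import json
import urllib.parse
import urllib.request

# Application permissions the Azure accounts discovery (scan) needs, from the guide.
EXPECTED_ROLES = {"Group.Read.All", "RoleManagement.ReadWrite.Directory", "User.Read.All"}


def request_graph_token(tenant_id: str, client_id: str, client_secret: str) -> str:
    """Client-credentials grant against the v2.0 token endpoint (network call)."""
    url = f"https://login.microsoftonline.com/{tenant_id}/oauth2/v2.0/token"
    body = urllib.parse.urlencode({
        "grant_type": "client_credentials",
        "client_id": client_id,
        "client_secret": client_secret,
        "scope": "https://graph.microsoft.com/.default",
    }).encode()
    with urllib.request.urlopen(urllib.request.Request(url, data=body)) as resp:
        return json.load(resp)["access_token"]


def decode_jwt_payload(token: str) -> dict:
    """Decode the payload segment only. No signature check: this inspects a token we
    just obtained for ourselves, it must not be used to trust a token from elsewhere."""
    payload = token.split(".")[1]
    payload += "=" * (-len(payload) % 4)  # restore base64url padding
    return json.loads(base64.urlsafe_b64decode(payload))


def audit_roles(token: str) -> dict:
    """Compare the consented application permissions (roles claim) with EXPECTED_ROLES."""
    granted = set(decode_jwt_payload(token).get("roles", []))
    return {
        "missing": sorted(EXPECTED_ROLES - granted),  # scan will fail without these
        "extra": sorted(granted - EXPECTED_ROLES),    # remove via the ellipsis button
        "ok": granted == EXPECTED_ROLES,
    }


def make_sample_token(roles) -> str:
    """Constructed, unsigned token for offline runs; a real token carries a signature."""
    def seg(obj):
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
    return ".".join([seg({"alg": "none"}),
                     seg({"aud": "https://graph.microsoft.com", "roles": list(roles)}), ""])


if __name__ == "__main__":
    # Offline demo: one permission missing, one over-broad permission present.
    print(audit_roles(make_sample_token(
        ["Group.Read.All", "User.Read.All", "Directory.ReadWrite.All"])))
```

Against a live tenant, pass the output of request_graph_token to audit_roles; a token whose roles claim lacks the three permissions means admin consent has not been granted yet.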

In Devolutions Server

  1. The last steps are dedicated to configuring a scan for this provider. In the Scan Configuration window that appeared when you saved your provider configuration in step 19, under General, enter a Name for this configuration.
    Scan Configuration Name
  2. Under Configuration, select Groups or Roles in the Search mode drop-down list. You can filter the Search mode for specific Azure AD groups or roles by clicking on the Edit button next to the drop-down list.
    Scan Configuration Search mode
  3. Click OK when the configuration is done.
  4. In Devolutions Server, go to Administration – Privileged Access – Scan Configurations. If the Start Scan on Save option was left enabled during the scan configuration, the scan should have started by itself. During the process, the Status column displays an hourglass icon next to the scan entry.
    Administration – Privileged Access – Scan Configurations
  5. When the process is complete, the hourglass icon changes to a green check mark. At that point, select the discovered accounts and import them as privileged accounts, like any other type of privileged account.