Azure AD Users

Rotating Azure AD Admin and User passwords with Keeper

Overview

In this guide, you will learn how to rotate passwords for Azure AD users. In Keeper, the PAM Configuration contains all of the information needed to rotate passwords, and each Azure AD user account to be rotated is stored in its own PAM User record.

For a high-level overview on the rotation process in the Azure network, visit this page.

Prerequisites

This guide assumes the following tasks have already taken place:

  • Keeper Secrets Manager is enabled for your enterprise and your role

  • Keeper Rotation is enabled for your role

  • A Keeper Secrets Manager application has been created

  • Your Azure environment is configured per our documentation

The Keeper Gateway uses Azure APIs to rotate the credentials defined in the PAM User records.

1. Set up PAM Configuration

Note: You can skip this step if you already have a PAM Configuration set up for Azure.

Prior to setting up the PAM Configuration, make sure that:

  • A Keeper Secrets Manager application has been created

  • A Keeper Rotation gateway is already installed, running, and provisioned in the Keeper Secrets Manager application you created.

  • We recommend installing the Keeper Gateway service in a machine within the Azure environment in order to rotate other types of targets.

In the left menu of the vault, select "Secrets Manager", then select the "PAM Configurations" tab, and click on "New Configuration". The following table lists all the required fields that need to be filled in on the PAM Configuration record with your information:

For more details on all the configurable fields in the PAM Network Configuration record, visit this page.

2. Set up one or more PAM User Records

Keeper Rotation uses the Azure Graph API to rotate the PAM User records in your Azure environment. The PAM User records need to be in a shared folder that is shared with the KSM application created in the prerequisites.

The following table lists all the required fields that need to be filled in on the PAM User record with your information:

There should only be one PAM User record for each Azure AD user. Having multiple PAM User records with the same user/login will cause conflicts.

3. Configure Rotation on the PAM User Records

Select the PAM User record(s) from Step 3, edit the record and open the "Password Rotation Settings".

  • Select the desired schedule and password complexity.

  • In "Rotation Settings", select the PAM Configuration set up previously.

  • The "Resource Credential" field should be empty / not selected.

  • Upon saving, the rotation button will be enabled and available to rotate on demand, or via the selected schedule.

Any user with "Can Edit" rights to a PAM User record has the ability to set up rotation for that record.
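As an added example (not Keeper's code or output), a check that catches the two problems called out above: duplicate PAM User records for one login (Step 2), and a user whose Azure AD password has not been changed within the rotation schedule (Step 3). It assumes you have exported the Login value of each PAM User record and fetched GET /v1.0/users?$select=userPrincipalName,lastPasswordChangeDateTime from Microsoft Graph; both are embedded here as constructed sample data.

```python
from collections import Counter
from datetime import datetime, timedelta, timezone

# Constructed sample: the Login value of each PAM User record in the shared folder.
PAM_USER_RECORD_LOGINS = [
    "svc-backup@example.onmicrosoft.com",
    "svc-etl@example.onmicrosoft.com",
    "svc-etl@example.onmicrosoft.com",  # second record for one login: the conflict case
    "admin-ops@example.onmicrosoft.com",
]

# Constructed sample of the Graph response's "value" array for the query named above.
GRAPH_USERS = [
    {"userPrincipalName": "svc-backup@example.onmicrosoft.com",
     "lastPasswordChangeDateTime": "2024-05-01T02:00:00Z"},
    {"userPrincipalName": "svc-etl@example.onmicrosoft.com",
     "lastPasswordChangeDateTime": "2024-03-15T02:00:00Z"},
    {"userPrincipalName": "admin-ops@example.onmicrosoft.com",
     "lastPasswordChangeDateTime": None},  # Graph reports no change date
]

# Constructed "current time" so the run is reproducible offline.
CHECK_TIME = datetime(2024, 5, 10, tzinfo=timezone.utc)

def duplicate_logins(logins):
    """Logins that appear in more than one PAM User record."""
    return sorted(login for login, count in Counter(logins).items() if count > 1)

def stale_rotations(logins, graph_users, max_age_days, now):
    """Logins whose Azure AD password is older than the schedule allows.
    A login missing from Graph, or with no change date, is reported as stale
    rather than silently skipped."""
    changed_at = {u["userPrincipalName"]: u.get("lastPasswordChangeDateTime")
                  for u in graph_users}
    stale = []
    for login in sorted(set(logins)):
        ts = changed_at.get(login)
        if ts is None:
            stale.append(login)
            continue
        changed = datetime.fromisoformat(ts.replace("Z", "+00:00"))
        if now - changed > timedelta(days=max_age_days):
            stale.append(login)
    return stale

if __name__ == "__main__":
    print("duplicate PAM User records:", duplicate_logins(PAM_USER_RECORD_LOGINS))
    print("not rotated within 30 days:",
          stale_rotations(PAM_USER_RECORD_LOGINS, GRAPH_USERS, 30, CHECK_TIME))
```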
