Azure
Password Rotation in the Azure Environment
Overview
In this section, you will learn how to rotate user credentials within the Azure network environment across various target systems. Rotation works on the devices configured and attached to the Azure Active Directory (Azure AD) which can also be your default directory.
Keeper can rotate the password for Azure AD users, service accounts, local admin users, local users, managed services, databases and more.
Azure Credentials and their corresponding PAM Record Types
Configurations for the Azure Active Directory are defined in the PAM Configuration section of Keeper Secrets Manager.
Configurations for the Azure AD joined devices are defined in the PAM Directory, PAM Machine, and PAM Database record types. The following table shows the supported Azure AD joined devices with Keeper Rotation and their corresponding PAM Record Type:
| Azure AD Joined Device | Corresponding PAM Record Type |
|---|---|
Azure AD Domain Services | PAM Directory |
Virtual Machines | PAM Machine |
Managed Databases | PAM Database |
Configurations for Azure Directory User's credentials are defined in the PAM User records.
Prerequisites - Rotation on your Azure Environment
Prior to rotating user credentials within your Azure environment, you need to make sure you have the following information and configurations in place:
All Azure AD joined devices that you want to use with Rotation need to be created and configured within your Azure Active Directory
To successfully configure and setup Rotation within your Azure Network, the following values are needed for your PAM Configuration:
| Field | Description |
|---|---|
Client ID | The application/client id (UUID) of the Azure application |
Client Secret | The client credentials secret for the Azure application |
Subscription ID | The UUID of your subscription to use Azure services (i.e. Pay-As-You-GO) |
Tenant ID | The UUID of the Azure Active Directory |
Make sure all the Azure services or Azure AD joined devices you plan on using for rotation have access to the Azure Active Directory. For more information, visit this page
Create a custom role to allow application to access/perform actions on various Azure resources. For more information on custom role setup, visit this page
Summary - Rotation on your Azure Environment
At a high level, the following steps are needed to successfully rotate passwords on your Azure network:
Create Shared Folders to hold the PAM records involved in rotation
Create PAM Machine, PAM Database and PAM Directory records that contain credentials with the necessary permissions to rotate and update the user's credentials
Create PAM User records that contain the user's information
Create a Secrets Manager Application and assign it to the shared folders that hold the PAM records
Install a Keeper Gateway and add it to the Secrets Manager application
Create a PAM Configuration with the Azure environment setting
Configure Rotation settings on the PAM User records and/or PAM Machine, PAM Database, PAM Directory records
The next section of the documentation covers the Azure Environment Setup.
pageAzure Environment SetupThe following pages cover these steps in more details on how to successfully rotate passwords in different scenarios on the Azure network:
Rotating AD Admin Users and AD Users on Azure Active Directory Domain Services:
pageAzure AD UsersRotating Azure Virtual Machine Local Users:
pageAzure VM User AccountsRotation Users on Azure Managed Databases:
pageManaged DatabaseLast updated
