Microsoft Azure Password Management

This topic describes the Microsoft Azure Password Management plugin.

Support

This plugin supports Multi-Factor Authentication (MFA) to the target machine. Microsoft Azure recommends using MFA for users who log in with passwords. To support MFA, you must use the designated platform described in Logon accounts and Reconcile accounts.

Target devices

The CPM supports remote account management for Microsoft Azure accounts on the following target devices:

  • Microsoft Azure

Accounts

The CPM supports account management for the following accounts:

  • Azure AD Users

Platforms

In the Privilege Cloud Portal Platform Management page, make sure that the following target account platform is displayed:

  • Microsoft Azure Password Management

Connection Methods

This plugin supports the following connection methods to the remote machine:

  • REST API

Actions

The following table lists the supported password management actions for this platform:

Action: Verify
Supported: Yes
Permissions: All users can verify their own password.

Action: Change
Supported: Yes
Permissions: Users with the following roles can change their own password:

  • User Admin

  • Global Admin

  • Password Admin

A logon account is required for all other accounts.

Action: Reconcile
Supported: Yes
Permissions: The reconcile account must have one of the following roles:

  • User Admin

  • Global Admin

  • Password Admin

Action: Delete
Supported: No
Permissions: -

Logon accounts

Action: Logon and change
Supported: Yes
Required: A logon account is required for any account except accounts with one of the following roles:

  • User Admin

  • Global Admin

  • Password Admin

Platform:

  • Microsoft Azure Password Management

  • Microsoft Azure Application Key

Note: Use the Microsoft Azure Application Key platform if you configured Azure to enforce MFA for users. Otherwise, you can use either platform.

Permissions:

If you are using the Microsoft Azure Password Management platform, the logon account must have one of the following roles:

  • User Admin

  • Global Admin

  • Password Admin

If you are using the Microsoft Azure Application Key platform, the role the logon account must have depends on the managed user:

  • If the managed user is a Global Administrator, the logon account must have the Company Administrator role.

  • If the managed user is not a Global Administrator, the logon account must have the User Account Administrator role.

ApplicationID must be set for logon accounts at the account level.

Application accounts

Create an application account if you used the most recent method for registering the Azure Active Directory application, as described in Prerequisites. If you used the legacy method, skip this step.

Action: Logon and change
Supported: Yes
Required: Only if you used the most recent method for registering the Azure Active Directory application.
Platform: Microsoft Azure Application Keys
Permissions: The account must have the following permission:

  • Access the directory as the signed-in user

Reconcile accounts

Action: Reconcile
Supported: Yes
Required: Yes

Platform:

  • Microsoft Azure Password Management

  • Microsoft Azure Application Key

Note: Use the Microsoft Azure Application Key platform if you configured Azure to enforce MFA for users. Otherwise, you can use either platform.

Permissions:

If you are using the Microsoft Azure Password Management platform, the reconcile account must have one of the following roles:

  • User Admin

  • Global Admin

  • Password Admin

If you are using the Microsoft Azure Application Key platform, the role the reconcile account must have depends on the managed user:

  • If the managed user is a Global Administrator, the reconcile account must have the Company Administrator role.

  • If the managed user is not a Global Administrator, the reconcile account must have the User Account Administrator role.

ApplicationID must be set for reconcile accounts at the account level.

Connection Components

The Azure Cloud Services Management PSM connector is used with accounts managed by this plugin.

Configuration

Prerequisites

This plugin requires .NET Framework 4.8. If you are using an older version of the CPM, .NET Framework 4.8 must be installed on the CPM machine as well.

Make sure you perform the following actions:

  1. Enable app registration in Azure Active Directory.

  2. Register a new native app dedicated to CyberArk. For details, see Create service principal.

     For details on the legacy method, see App registrations in the Azure portal.

  3. Under Windows Azure Active Directory for the dedicated app, add the Access the directory as the signed-in user permission.

Platform Parameters

ActiveDirectoryID
Description: Azure Active Directory tenant ID
Acceptable Values: A valid tenant ID

ApplicationID
Description: Azure Active Directory Application (client) ID of the dedicated CyberArk application created in Prerequisites.
Note: Relevant only when registering the Azure Active Directory application using the legacy method.
Acceptable Values: A valid ID

Account Parameters

Required

Username
Description: The name of the user to whom the password belongs.
Acceptable Values: A valid user name, at most 60 characters.

Optional

Address
Description: The address of the site (used by the Connection Components only).
Acceptable Values: Azure website
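The logon and reconcile account rules above, together with the platform and account parameter constraints, are easy to get wrong when onboarding by hand. The following pre-flight checker is an added example and is not CyberArk's code or part of this plugin: it encodes the rules stated on this page (self-service roles, the Application Key platform requirement under MFA, the Company Administrator versus User Account Administrator choice, GUID-shaped tenant and application IDs, the 60-character Username limit) so an operator can validate a planned configuration before creating accounts. Function names, the dictionary layout and the placeholder GUIDs are assumptions made for the example.

```python
"""Pre-flight check for a CPM Microsoft Azure Password Management setup.

Added example, not CyberArk's code. It encodes the role and parameter rules
stated in this plugin page so an operator can check a planned onboarding
before creating accounts. Function names, the dictionary layout and the
sample configuration below are assumptions made for this example.
"""
import re

# Roles that may change their own password, so no logon account is needed
# for the Change action. The page names the same role as "Global Admin" and
# "Global Administrator"; "Global Admin" is used here.
SELF_SERVICE_ROLES = frozenset({"User Admin", "Global Admin", "Password Admin"})

PLATFORM_PASSWORD = "Microsoft Azure Password Management"
PLATFORM_APP_KEY = "Microsoft Azure Application Key"

# Azure tenant IDs and application (client) IDs are GUIDs.
GUID_RE = re.compile(r"^[0-9a-f]{8}(?:-[0-9a-f]{4}){3}-[0-9a-f]{12}$", re.IGNORECASE)
MAX_USERNAME_LEN = 60  # limit stated for the Username account parameter


def validate_platform_parameters(params):
    """Return a list of problems with ActiveDirectoryID and ApplicationID."""
    problems = []
    for key in ("ActiveDirectoryID", "ApplicationID"):
        value = params.get(key, "")
        if not GUID_RE.match(value):
            problems.append(f"{key} must be a GUID, got {value!r}")
    return problems


def validate_account(account):
    """Return a list of problems with the required Username parameter."""
    problems = []
    username = account.get("Username", "")
    if not username:
        problems.append("Username is required")
    elif len(username) > MAX_USERNAME_LEN:
        problems.append(f"Username is longer than {MAX_USERNAME_LEN} characters")
    return problems


def helper_account_requirements(target_roles, helper_platform, mfa_enforced):
    """Work out the logon/reconcile account needed for a target Azure AD user.

    Returns a dict with:
      logon_required     - True unless the target can change its own password
      reconcile_required - always True for this plugin
      acceptable_roles   - roles the logon/reconcile account may hold
      problems           - platform choices that contradict the page's rules
    """
    target_roles = frozenset(target_roles)
    problems = []
    if mfa_enforced and helper_platform != PLATFORM_APP_KEY:
        problems.append(
            f"MFA is enforced for users: the helper account must use the "
            f"{PLATFORM_APP_KEY} platform, not {helper_platform}"
        )
    if helper_platform == PLATFORM_PASSWORD:
        acceptable = set(SELF_SERVICE_ROLES)
    elif helper_platform == PLATFORM_APP_KEY:
        # Managing a Global Administrator needs the stronger role.
        acceptable = ({"Company Administrator"} if "Global Admin" in target_roles
                      else {"User Account Administrator"})
    else:
        raise ValueError(f"unknown helper platform: {helper_platform!r}")
    return {
        "logon_required": not (target_roles & SELF_SERVICE_ROLES),
        "reconcile_required": True,
        "acceptable_roles": acceptable,
        "problems": problems,
    }


if __name__ == "__main__":
    # Constructed sample configuration: placeholder GUIDs, not real tenant values.
    platform = {"ActiveDirectoryID": "00000000-0000-0000-0000-000000000001",
                "ApplicationID": "00000000-0000-0000-0000-000000000002"}
    print(validate_platform_parameters(platform))           # []
    print(validate_account({"Username": "svc-reporting"}))  # []
    # An ordinary user under enforced MFA with the wrong helper platform:
    print(helper_account_requirements([], PLATFORM_PASSWORD, mfa_enforced=True))
```

Run the checker against the values you intend to enter in the platform and account pages; a non-empty `problems` list means the planned logon or reconcile account will not satisfy the rules above, and `acceptable_roles` tells you which directory role that helper account must hold for the chosen platform.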

Reduce excessive cloud IAM permissions

Implement CyberArk Cloud Entitlements Manager to detect excessive permissions and generate recommendations to remediate risky access on your cloud platform. Only risky permissions are removed, resulting in least privilege for all human and machine identities while maintaining valid access for Cloud and DevOps teams.

CEM also detects unmanaged credentials for cloud entities with administrative access, enabling organizations to onboard cloud admin and Shadow Admin accounts to Privilege Cloud.