DocumentationRelease Notes
Log In
Documentation

Configure Functional Account Requirements in Entra ID

Suggest Edits

Follow the steps below to set up Entra ID for use with BeyondTrust Password Safe.

  • Create enterprise application
  • Configure app registration
  • BeyondTrustPassword Safe configuration
  • Create a second enterprise application

ℹ️

Note

Accounts can be managed with or without multifactor authentication enabled in Azure.

Create enterprise application

Create this enterprise application to map to the Application (Client) ID for the functional account.

  1. In Microsoft Azure, go to Enterprise Applications and select New application.
  2. Select Create your own application.
  3. Name your application, select the application type (App you're developing) and click Create.
  4. Update the name if necessary, select the Supported Account Types (this directory only) and click Register.
  5. Under Properties, disable Assignment required and Visible to users, and click Save.

Configure app registration

  1. In Overview section, copy the Application (Client) ID and Directory (Tenant) ID. These are needed later to configure the Password Safe functional account.
  2. In the Authentication section, enable Allow public client flows, and click Save.
  3. In the Certificates and secrets section, click New client secret. Enter the Description, an expiration date, and click Add.
  4. Copy the secret Value. This is needed later to configure the Password Safe functional account.

ℹ️

Note

The value is displayed only once, immediately after adding the new secret.

  1. In the API permissions section, add Microsoft Graph, and select type Application permissions.
  2. Add Microsoft Graph application permission UserAuthenticationMethod.ReadWrite.All, Domain.Read.All, Group.Read.All, and User.EnableDisableAccount.All.
  3. If User.Read is not already added, select Delegated permissions and add it.
  4. Click Add Permissions.
  5. Click Grant admin consent for for your organization, and click Yes on the confirmation message.
  6. From the main menu, select Roles and administrators, then select the Helpdesk administrator role.
  7. Click Add assignments, then assign the application to the Helpdesk administrator role.

This completes configuration in Microsoft Azure. The remaining steps are done in BeyondTrust Password Safe.

BeyondTrust Password Safe configuration

  1. Go to Configuration > Privileged Access Management > Functional Accounts.
  2. Click Create New Functional Account.
  3. For the Entity Type, select Directory.
  4. For the Platform, select Microsoft Entra ID.
  5. Select the Azure scope: Public or US Government (supports Azure GCC High).
  6. Enter the Username in UPN format.
  7. Enter the previously saved values for the Application (Client) ID, Tenant ID, and Client Secret.
  8. Set the Alias.
  9. Click Create Functional Account.
  10. Go to Managed Systems.
  11. Click Create New Managed System.
  12. For the Entity Type, select Directory.
  13. For the Platform, select Entra ID.
  14. Enter the Domain, select the Functional Account created above, and select the Account Name Format.
  15. Click Create Managed System.

Create the managed account manually

  • Select the Managed System created above.
  • Click the vertical ellipsis at the right end of the row.
  • Select Create New Managed Account.
  • Enter the Username in UPN format, and enter ObjectId for the User and UPN.

Create the managed account using a Smart Rule

  • Accounts can be onboarded by using Group Name or UPN (starts with/ends with) filters.

Create a second enterprise application

Create a second enterprise application to test the Password Safe managed account. The managed account must be a user of the application you create in this section.

Ensure the following properties are set when creating this enterprise application:

  • Assignment required: Set to Yes or No. The test application can either have assignment required (all managed accounts must be assigned to test passwords) or it can have assignment not required.
  • In Advanced settings, Allow public client flows is set to Yes.
  • API permissions, Microsoft Graph User.Read(delegated permission) with the status set to Grant admin consent.
  • Create or use an existing Key Vault. Assign Key Vault Readers access to the Password Safe applications.
  • Create a secret in Key Vault. You can also use the existing secret from the Functional Account.

In Password Safe, edit the functional account:

  • Update the functional account with the new Client ID in the Test Application (Client) ID field.
  • Update the secret if a new one was created.

Updated 9 days ago

©2003-2025 BeyondTrust Corporation. All Rights Reserved. Other trademarks identified on this page are owned by their respective owners. BeyondTrust is not a chartered bank or trust company, or depository institution. It is not authorized to accept deposits or trust accounts and is not licensed or regulated by any state or federal banking authority.