Active Directory settings
Configure Active Directory (AD) connectors to discover AD groups in your estate. The Policy Editor queries the Active Directory to populate the group information when adding account filters or designated users.
There are two connector types:
- Microsoft Entra ID: Searches for Entra ID groups.
- Local AD: Searches for groups in the local Active Directory environment.
After the connectors are set up, the Policy Editor can discover and read information from the Active Directory source. The screen capture shows an example of adding an account filter for a workstyle.
Note
A standard user requires delegated access to this feature. For more information, see User management.
Add Microsoft Entra ID connector
You must create an app registration in Azure before you can configure the Microsoft Entra ID connector here. There can only be one Microsoft Entra ID connector per PMC instance.
- Go to Configuration > Active Directory Settings.
- Select the Microsoft Entra ID tab, and then select Enable Microsoft Entra ID Integration.
- Add the tenant ID and client ID.
- Select an authentication method. This depends on the app registration details you configured.
Note
For more information, see Microsoft's documentation Quickstart: Register an application with the Microsoft identity platform.
Monitoring Entra ID
On the Microsoft Entra ID tab, you can confirm if the integration with Entra ID is working correctly.
- Monitoring and health indicators help you to respond to issues as they occur.
- Synchronizing the Policy Editor group index and group membership ensures group information is accurate and current.
Add a local AD connector
Create an on-premises local Active Directory connector that can be queried from the Policy Editor. Adding a local directory makes it easier to add Active Directory users and groups to a policy.
- You must set up one connector for each local Active Directory.
- The connector installation is a Windows service installed to the endpoint. The endpoint requires access to the local directory.
- After the connector is installed and active, the connector is discoverable and available for use.
- If you disable a connector, then the Policy Editor can no longer query Active Directory.
- When deleted, the connector is no longer available in the console and must be reinstalled to be available for queries.
To install the local AD connector:
- Go to Configuration > Adapter Installation to download the connector.
- On the same page, click the AD Connector button to include the connector in the installation string.
- After the download is complete, go through the installation wizard to complete the installation.
- After the connector is installed, go to Configuration > Active Directory Settings, and select the Local AD tab.
- You can edit properties for the connector. The host name is the computer name where the connector is installed; this cannot be changed. You can, however, add a name that is more meaningful.
- After saving the connector properties, select the connector menu, and then select Enable Connector. The connector must be enabled before it can query the local AD environment.
Edit local AD connector
You can change the name of the local AD connector.
The host name value cannot be changed.
Edit a connector
- Select the Configuration menu, and then select Active Directory Settings.
- Select the Local AD tab.
- Find the connector in the list.
- Select Delete Connector from the menu.
Register an Azure tenant
For EPM to query Entra ID groups, a communication channel between EPM and Entra ID must exist.
The key steps to create a channel:
- Create an app registration in Azure and grant the appropriate permissions.
- Set up an authentication method.
- Configure EPM with the app registration.
Requirements
- Microsoft Azure Commercial
Microsoft 365 Government Community Cloud (GCC) High is not supported.
Note
For more information about the differences, see National cloud deployments.
Register a tenant
- Go to https://portal.azure.com.
- Create a new registration.
- Select the directory that contains the Entra ID you want to register with EPM.
- Search for the App registrations service and select it.
- Click New registration.
- Give the registration a name. For example, EPM Registration.
- Select the Supported account types you require for your business needs.
- Ignore the setting Redirect URI.
- Select Register an application.
- Go to Manage > API Permissions and select Add a permission.
- Select Microsoft Graph, and then Application permissions.
- Add the following permissions. Search by name, and then select the permission when it displays.
- Domain.Read.All
- GroupMember.Read.All
- User.Read.All
- After the three permissions are selected, select Add permissions.
- Grant the permissions. Select Grant admin consent for (Directory Name).
Note the Application (client) ID and the Directory (tenant) ID. These are used in the EPM configuration.
Configure authentication
Select an authentication method to create a trust relationship between EPM and Azure. There are two methods available:
- Certificate authentication
- Client-secret authentication
Certificate authentication
- In the EPM console, select Configuration > Active Directory Settings.
- Click the Microsoft Entra ID tab.
- Select User Certificate Authentication, and select Download Certificate.
- Go to the Azure app registrations portal, and then select Certificates & secrets.
- Click Upload certificate.
Client-secret authentication
- In the Azure app registrations portal, [add a client secret](https://learn.microsoft.com/en-us/entra/identity-platform/quickstart-register-app#add-a-client-secret:~:text=Select Add.-,Add a client secret,-Sometimes called an).
- In the EPM console, select Configuration > Active Directory Settings > Microsoft Entra ID.
- Copy the client secret to the Client Secret box.
- Click Save Changes.
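The app registration above is granted exactly three Graph application permissions and one credential (certificate or client secret). The following added script (not part of this documentation or of EPM) audits that state from the Azure side: it lists the application permissions actually admin-consented to the registration, flags any missing or excess permission, and reports credentials that expire within 30 days. It assumes the Microsoft Graph PowerShell SDK is installed, that the caller can read applications and service principals, and that you pass the Application (client) ID noted during registration.

```powershell
# Added example, not BeyondTrust's own script. Assumes the Microsoft Graph PowerShell SDK.
param(
    [Parameter(Mandatory = $true)]
    [string]$ClientId   # Application (client) ID of the EPM registration
)

# Application permissions the registration needs; anything beyond this set is excess privilege.
$required = @('Domain.Read.All', 'GroupMember.Read.All', 'User.Read.All')

Connect-MgGraph -Scopes 'Application.Read.All' -NoWelcome

# Microsoft Graph's own service principal (well-known appId); its AppRoles map role IDs to names.
$graphSp = Get-MgServicePrincipal -Filter "appId eq '00000003-0000-0000-c000-000000000000'"
$roleNames = @{}
foreach ($role in $graphSp.AppRoles) { $roleNames[$role.Id] = $role.Value }

# Service principal of the EPM registration and the Graph app roles that were admin-consented.
$epmSp = Get-MgServicePrincipal -Filter "appId eq '$ClientId'"
$granted = Get-MgServicePrincipalAppRoleAssignment -ServicePrincipalId $epmSp.Id |
    Where-Object { $_.ResourceId -eq $graphSp.Id } |
    ForEach-Object { $roleNames[$_.AppRoleId] }

$missing = $required | Where-Object { $_ -notin $granted }
$extra   = $granted  | Where-Object { $_ -notin $required }

if ($missing) { Write-Warning "Not consented: $($missing -join ', ')" }
if ($extra)   { Write-Warning "Beyond what EPM needs: $($extra -join ', ')" }
if (-not $missing -and -not $extra) {
    Write-Output 'Graph application permissions match the required set.'
}

# Credential hygiene: client secrets (PasswordCredentials) and certificates (KeyCredentials)
# that expire within 30 days will break the EPM-to-Entra ID channel when they lapse.
$app  = Get-MgApplication -Filter "appId eq '$ClientId'"
$soon = (Get-Date).AddDays(30)
foreach ($cred in @($app.PasswordCredentials) + @($app.KeyCredentials)) {
    if ($cred.EndDateTime -lt $soon) {
        Write-Warning "Credential '$($cred.DisplayName)' expires $($cred.EndDateTime)"
    }
}
```

Run it after granting admin consent and again whenever the registration is changed, so that permission drift or an expiring secret is caught before the Policy Editor stops resolving Entra ID groups.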
Disable a connector
A disabled connector is no longer discoverable by the Policy Editor.
- Select the Configuration menu, and then select Active Directory Settings.
- Select the Local AD tab.
- Find the connector in the list.
- Select Disable Connector from the menu.
Delete a local AD connector
Delete a local AD connector when it is no longer required. When deleted, the authentication details provided when adding the connector are deleted to ensure communication is no longer available between EPM and the local AD.
- Select the Configuration menu, and then select Active Directory Settings.
- Select the Local AD tab.
- Find the connector in the list.
- Select Delete Connector from the menu.