Documentation

Microsoft Defender for Identity

Suggest Edits

What is it the Microsoft Defender for Identity integration?

This integration uses Insights to connect BeyondTrust Password Safe and Microsoft Defender.

Insights notifies Defender of the Entra ID and Active Directory accounts whose credentials are managed by Password Safe. Defender labels the accounts managed by BeyondTrust in Defender and provides a Reset Password option.

How is it useful?

Once the integration with Microsoft Defender is complete, all Password Safe managed Entra ID user accounts will be available for Defender initiated password resets.

Incident responders working in MDI know accounts are managed by BeyondTrust Password Safe and can trigger BT-managed account password resets while working on incidents and track their statuses.

Prerequisites

Make sure you have:

  • BeyondTrust Password Safe Cloud installed and fully configured
  • An active BeyondTrust Identity Security Insights subscription
  • Microsoft Defender for Identity deployed and integrated with your Active Directory and Entra ID
  • An Entra ID Tenant ID
  • Access to an Entra account

Prepare Password Safe

  1. Open Password Safe Cloud
  2. Ensure you've registered your API in BeyondInsight.
  3. Ensure you've created a user, and assigned that user to a properly-provisioned group within Password Safe.

Create connector in Insights

  1. In Insights, click Menu > Connectors.
    The Connectors page displays with the Configured tab open by default.
  2. Click the Available tab.
    All available connector types display.
  3. Locate Password Safe Cloud in the list.
  4. Click + Create Connector.
    The Create Password Safe Cloud Connector panel displays.
  5. Enter the connector details.
  6. Enter a Name for your Password Safe Cloud connector.
  7. Ensure Password Safe Cloud is configured to perform scans.
  8. Enter your Password Safe Cloud Domain (such as https://company.ps.beyondtrustcloud.com).
  9. Enter the API key created during API registration.
  10. From the drop-down list, select:
    Yes if the User password required option is selected in Password Safe
    Cloud.
    No if the User password required option is not selected in Password Safe
    Cloud.

ℹ️

Note

To check if this setting is required in Password Safe Cloud:

Go to the main menu > Configuration > General > API Registrations. Under Authentication Rules Options in the Details section, note if User password required is selected.

  1. Enter the username added to the Password Safe group made for Identity Security Insights.
  2. Enter the Entra ID for your Microsoft account.
  3. Click the link to authorize Entra Consent.
  4. Sign into your Microsoft account and clickacceptfor the permissions requested.
  5. If Microsoft Defender integrates with Active Directory, enter the AD Domainfor active directory.
  6. Click Create Connector.
    An installation key displays for the connector.
  7. Copy the installation key.
    Do not close the connector before you have enabled it in Password Safe in the below steps.
19. Configure and enable the installation key for Password Safe 24.1.1 and newer releases.
  1. Open Password Safe Cloud.
  2. From the left menu, click Configuration > Identity Security Insights > Connect to Identity Security Insights.
    The Identity Security Insights page displays.
  3. In the Connector Key field, input the installation key you copied above.
  4. Click Update Settings.
  5. Confirm the toggle is Enabled.
  1. Optionally, verify the connector in Insights.

Create and configure a new group

You can connect Identity Security Insights to both cloud and on-premises instances
of Password Safe to automatically scan for associated accounts and track your organization’s identities in summarized visualizations.

To access account and identity information, Identity Security Insights requires you to createa user and group with properly-provisioned roles within Password Safe. Because this user allows Identity Security Insights to access Password Safe, we recommend you create a new user for this purpose.

  1. Sign into Password Safe.
2. Create a new group in Password Safe.
  1. From the left menu, select: Configuration > Role Based Access > User Management.
  2. Click Groups.
  3. Click Create New Group.
  4. Enter a group Name and Description.
  5. Click Create Group.
    The group is created in Password Safe.
  6. Optionally, but recommended, create a new user for the group.
  7. Assign the chosen user to the group.
    1. Under Group Details, select Users.
    2. From the Show drop-down list, select Users not assigned. A list of all users not currently assigned to a group displays.
    3. Locate the user you wish to add to the group.
    4. Click Assign User. The user assigns to the group.
  1. Under Group Details, select API Registrations.
  2. Check the box next to the API registration created for Identity Security Insights.
5. Assign features permissions to the group.
  1. Under Group Details, select Features.
  2. From the Show dropdown menu, select All Features.
  3. Select the following features:
    • Analytics and Reporting
    • Asset Management
    • Password Safe Role Management
    • Password Safe System Management
    • Ticket System
    • User Accounts Management
  4. Click Assign Permissions > Assign Permissions Read Only.
  5. Click User Audits > Assign Permissions Full Control.

Assign Smart Groups permissions and roles to the group.

  1. Under Group Details, select Smart Groups.
  2. From the Show drop down menu, select All Smart Groups.
  3. Select the All Assets Smart Group.
  4. Click Assign Permissions above the grid, and select Assign Permissions Read
    Only.
  5. Click the vertical ellipsis button for the All Assets Smart Group.

Updated 6 days ago

©2003-2025 BeyondTrust Corporation. All Rights Reserved. Other trademarks identified on this page are owned by their respective owners. BeyondTrust is not a chartered bank or trust company, or depository institution. It is not authorized to accept deposits or trust accounts and is not licensed or regulated by any state or federal banking authority.