How to use Vault with Entra ID Domain Services accounts
How is using Vault with Entra ID useful for my organization?
Administrators can use Vault to discover and manage Microsoft Entra ID Domain Services accounts. Managing Entra ID Domain Services accounts requires a service principal, which is defined on the Vault > Domains page.
How is this integration useful?
Entra ID (formerly Azure AD) and BeyondTrust Privileged Remote Access (PRA) can be integrated to enhance security and manage remote access for users with special permissions. Entra ID provides enterprise identity services, including single sign-on and multifactor authentication, which can be leveraged to secure access to PRA.
Notes
- Discovery Job results identify Entra ID Managed accounts in the Status column and indicate whether a service principal has been added.
- When the Status displays No Service Principal, the account cannot be selected for import.
Prerequisites
- A service principal must be created in Microsoft Entra ID before you can add it to the BeyondTrust Vault.
- Information such as the client secret is obtained from Entra ID when you create the service principal. For information on how to create a service principal in Entra ID, see Create a service principal in Entra ID.
- Using BeyondTrust Vault with Microsoft Entra ID Domain Services accounts requires both an Entra ID license and an Entra ID Domain Services license.
- Vault cannot be used with Entra ID domain controllers other than Entra ID Domain Services.
- Azure Active Directory (AD) has been renamed Microsoft Entra ID.
Add a service principal
Before you begin a Discovery job, you must add a service principal.
- From the left menu, click Privileged Remote Access > Vault.
The Vault page opens and the Accounts tab displays by default.
- Click the Domains tab.
The Domains tab displays.
- From the Microsoft Entra ID Service Principals section, click Add.
- From the Entra ID tenant you created, enter the mandatory information:
- Domain Name
- Tenant ID
- Client ID
- Client Secret
- Optionally, enter a name to easily identify the service principal.
- You can disable the service principal by selecting the Disabled checkbox. This does not remove it, but no actions, such as rotation, can be taken with the account. In the list of discovery results, the account Status is Service Principal Unavailable and Disabled.
- Click Save.
Service principal details are validated against the details in your Entra ID tenant.
- If the service principal is added successfully, the new service principal displays in the list of domains with the status OK.
- If the service principal fails to add, the status is Disabled and Failed. To resolve the error, click the pencil to return to the edit screen and review the detailed error message.
- Run a discovery job. In the list of results, the account Status is still Entra ID Managed, but the No Service Principal note no longer displays. The account can now be selected for import.
Note
If the account is a shadow account, the Status displays "Externally Sourced," and the account is not available for import.
- If you have multiple domains for the Entra ID Domain Services instance, repeat the process of adding a service principal for each domain.
Edit a service principal
- From the left menu, click Privileged Remote Access > Vault.
The Vault page opens and the Accounts tab displays by default.
- Click the Domains tab.
The Domains tab displays.
- From the Microsoft Entra ID Service Principals section, click the pencil to edit a service principal.
The Edit Service Principal page displays.
- Make the necessary changes, and then click Save.
Delete a service principal
- From the left menu, click Privileged Remote Access > Vault.
The Vault page opens and the Accounts tab displays by default.
- Click the Domains tab.
The Domains tab displays.
- From the Microsoft Entra ID Service Principals section, click the trash can to delete a service principal.
- A warning displays the following message: "Deleting the Service Principal will delete all associated accounts."
- Click Yes.