
Entra ID service principal

Managing Entra ID Domain Services accounts requires a service principal, which is used to give BeyondTrust Vault permission to access Microsoft Entra ID resources. The following guide describes how to create a new service principal in Entra ID for BeyondTrust Vault.

Create a registered app

Sign into Azure and connect to the Entra ID tenant where you wish to manage passwords, then follow the steps below.

  1. On the left menu, click App registrations.
  2. Click + New Registration.
  3. Under Name, enter a unique application name.
  4. Under Supported account types, select Accounts in this organizational directory only.
  5. Click Register.
  6. Select the new registered app from the list of App registrations (if not already visible).
  7. Select Certificates & secrets from the left menu.
  8. Click +New Client Secret.
  9. Provide a Description and appropriate Expiry. If you select 1 or 2 years, the service principal must be refreshed in Secure Remote Access with a new client secret on the anniversary of its creation.
  10. Click Add.
  11. Copy the client secret value and store it in a safe place. It is displayed only this once, and it is required when adding the account to the Vault.

Assign API permissions to the registered app

Browse to the application using App registrations in Entra ID, and follow these steps:

  1. Select API Permissions from the left menu.
  2. Click + Add a permission.
  3. Click Microsoft Graph.
  4. Click Application Permissions.
  5. Search for User.ReadWrite.All and check it in the search results.
  6. Search for Directory.Read.All and check it in the search results.
  7. Click Delegated Permissions.
  8. Search for Directory.AccessAsUser.All and check it in the search results.
  9. Click Add permissions.
  10. Remove the User.Read permission that is granted by default: click the ellipsis menu next to it and select Remove permission.
  11. Click Grant Admin Consent for (the button is followed by your tenant name) to consent to the app holding those permissions.

Assign roles to the registered app

In the Entra admin center, search for Entra ID roles and administrators, and follow these steps:

  1. Search for the role Privileged authentication administrator or User Administrator.
    • Privileged authentication administrator gives the application sufficient permissions to change most user and administrator passwords, including Global Admin.
    • User Administrator gives the application sufficient permissions to change most passwords, with the exception of Authentication Admin, Global Admin, Privileged Authentication Admin, and Privileged Role Admin.
  2. Click the role, or click the ellipsis button next to the role and then click Description.
  3. On the left menu, click Assignments (if not already selected).
  4. Click + Add assignments.
  5. In the Search box, type the name of the registered app that was created earlier. Registered apps are not listed with users and can only be found this way.
  6. The previously created registered app is visible in the search results. Select it and click Add.
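The same registration, secret, Graph permissions, admin consent and role assignment as an added scripted example (not BeyondTrust's own tooling). It assumes the Microsoft.Graph PowerShell SDK is installed, that the signed-in administrator can create applications, grant consent and assign directory roles, and that the app name and role name are placeholders you adjust.

```powershell
# Added example, not part of the BeyondTrust documentation or product.
$AppName    = 'BeyondTrust-Vault-EntraID'                 # assumed name; use your own
$RoleName   = 'User Administrator'                        # or 'Privileged Authentication Administrator'
$GraphAppId = '00000003-0000-0000-c000-000000000000'      # well-known Microsoft Graph application ID
$Scopes     = @('Application.ReadWrite.All', 'AppRoleAssignment.ReadWrite.All',
                'DelegatedPermissionGrant.ReadWrite.All', 'RoleManagement.ReadWrite.Directory')
Connect-MgGraph -Scopes $Scopes

# 1. Registered app, single tenant ("Accounts in this organizational directory only")
$app = New-MgApplication -DisplayName $AppName -SignInAudience 'AzureADMyOrg'
$sp  = New-MgServicePrincipal -AppId $app.AppId

# 2. Client secret with a 1-year expiry; the value is returned only once
$secret = Add-MgApplicationPassword -ApplicationId $app.Id -PasswordCredential @{
    DisplayName = 'BeyondTrust Vault'; EndDateTime = (Get-Date).AddYears(1) }

# 3. Resolve Graph permission IDs by name instead of hard-coding GUIDs
$graphSp  = Get-MgServicePrincipal -Filter "appId eq '$GraphAppId'"
$roleNames = @('User.ReadWrite.All', 'Directory.Read.All')
$appRoles = $graphSp.AppRoles | Where-Object { $_.Value -in $roleNames }
$scope    = $graphSp.Oauth2PermissionScopes | Where-Object { $_.Value -eq 'Directory.AccessAsUser.All' }

# Setting the full list replaces the defaults, so User.Read is never present
$access = @($appRoles | ForEach-Object { @{ Id = $_.Id; Type = 'Role' } }) +
          @(@{ Id = $scope.Id; Type = 'Scope' })
Update-MgApplication -ApplicationId $app.Id -RequiredResourceAccess @(
    @{ ResourceAppId = $GraphAppId; ResourceAccess = $access })

# 4. Admin consent: app-role assignments for the application permissions,
#    a tenant-wide OAuth2 grant for the delegated permission
foreach ($r in $appRoles) {
    New-MgServicePrincipalAppRoleAssignment -ServicePrincipalId $sp.Id -PrincipalId $sp.Id `
        -ResourceId $graphSp.Id -AppRoleId $r.Id | Out-Null
}
New-MgOauth2PermissionGrant -ClientId $sp.Id -ConsentType 'AllPrincipals' `
    -ResourceId $graphSp.Id -Scope $scope.Value | Out-Null

# 5. Directory role assignment by object ID (apps are not listed with users)
$roleDef = Get-MgRoleManagementDirectoryRoleDefinition -Filter "displayName eq '$RoleName'"
New-MgRoleManagementDirectoryRoleAssignment -PrincipalId $sp.Id `
    -RoleDefinitionId $roleDef.Id -DirectoryScopeId '/' | Out-Null

# Values the Vault needs. The secret cannot be retrieved again, so copy it
# into the Vault now and do not write it to logs or transcripts.
[pscustomobject]@{ TenantId = (Get-MgContext).TenantId; ClientId = $app.AppId
                   SecretExpires = $secret.EndDateTime }
$secret.SecretText
```

Newly created service principals can take a short time to replicate; if the role assignment step fails immediately after creation, retry it after a brief pause.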

Note

  • Azure AD has been renamed Microsoft Entra ID.
  • Using BeyondTrust Vault with Microsoft Entra ID Domain Services accounts requires both an Entra ID license and an Entra ID Domain Services license.
  • For information about assigning other roles, see Microsoft Entra built-in roles.

©2003-2025 BeyondTrust Corporation. All Rights Reserved. Other trademarks identified on this page are owned by their respective owners. BeyondTrust is not a chartered bank or trust company, or depository institution. It is not authorized to accept deposits or trust accounts and is not licensed or regulated by any state or federal banking authority.