
Rotate credentials

Frequently rotating or changing privileged credentials is considered a security best practice. Credentials stored in BeyondTrust Vault can be set to automatically rotate after each use, and can be manually rotated at any time.

Note: The algorithm Vault uses to generate passwords is based on the National Institute of Standards and Technology (NIST) framework.

Three actions trigger the automatic rotation of domain credentials:

  • Manually checking in a credential from the /login interface.
  • Leaving a session in which credential injection has been used.
  • The password reaching its maximum age when scheduled password rotation is enabled.

Rotate credentials manually

  1. From the /login interface, go to Vault > Accounts.
  2. Click the ellipsis button for the account password you wish to rotate.
  3. Select Rotate Password.

Once rotation is complete, the Password Age information updates to show a time stamp of a few seconds.

Automatic and scheduled rotation

To configure passwords for Vault accounts to automatically rotate after each use, enable the Automatically Rotate Credentials after Check In Rules option in the account policy being used for the account.

You can schedule password changes for Vault accounts by enabling the Scheduled Password Rotation Rules option in the account policy being used for the account.

Note:

  • Service accounts running in a failover cluster environment cannot be rotated. The error "Failover Cluster detected. Unable to change the run-as password for the service <service_name>" displays when a rotation attempt is made and Rotation Failed is indicated in the Status column for the service.
  • Services using a Microsoft Graph account as the Run As account cannot be rotated.
  • Services that have dependent services cannot be rotated, due to the risk of services within the service chain not restarting successfully.
  • You can define the password length for passwords generated during rotation for Windows and Entra ID Domain Services domain and local accounts from the Vault > Options page in /login.
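
The service restrictions in the note above can be checked on a Windows host before its Run As account is placed under rotation. The following PowerShell is an added example, not BeyondTrust code. It assumes that the presence of the Windows Cluster Service (ClusSvc) marks a failover cluster node, and the -RunAsAccount parameter name is hypothetical. It does not cover the Microsoft Graph account case.

```powershell
# Added example (not BeyondTrust code): list the services that run as a given
# account and flag the ones the note above says cannot be rotated.
param(
    [Parameter(Mandatory)]
    [string]$RunAsAccount   # hypothetical parameter, e.g. 'EXAMPLE\svc-app' (constructed value)
)

# Assumption: a host with the Cluster Service (ClusSvc) installed is a failover
# cluster node. How Vault itself detects a cluster is not stated on this page.
$onClusterNode = [bool](Get-Service -Name 'ClusSvc' -ErrorAction SilentlyContinue)

# Win32_Service.StartName is the account the service logs on as.
# -eq compares strings case-insensitively in PowerShell.
$services = Get-CimInstance -ClassName Win32_Service |
    Where-Object { $_.StartName -eq $RunAsAccount }

foreach ($svc in $services) {
    # DependentServices lists the services that depend on this one; these are
    # the ones at risk of not restarting after the run-as password changes.
    $dependents = @((Get-Service -Name $svc.Name).DependentServices)

    $blockers = @()
    if ($onClusterNode) {
        $blockers += 'failover cluster node'
    }
    if ($dependents.Count -gt 0) {
        $blockers += 'dependent services: ' + ($dependents.Name -join ', ')
    }

    # One row per service, suitable for Format-Table or Export-Csv.
    [pscustomobject]@{
        Service   = $svc.Name
        RunAs     = $svc.StartName
        State     = $svc.State
        Rotatable = ($blockers.Count -eq 0)
        Blockers  = $blockers -join '; '
    }
}
```

Rows with Rotatable set to False are the services to expect Rotation Failed on in the Status column.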

©2003-2025 BeyondTrust Corporation. All Rights Reserved. Other trademarks identified on this page are owned by their respective owners. BeyondTrust is not a chartered bank or trust company, or depository institution. It is not authorized to accept deposits or trust accounts and is not licensed or regulated by any state or federal banking authority.