
CPAM Setup for Azure AD User Account

UVP
New Contributor II

Hi Team,

We are working on a CPAM configuration to import Azure AD user accounts from the target into Saviynt.

After importing these Azure user accounts, we want to make them PAM enabled through the Bootstrap job.

We are unable to find any Saviynt documentation from which we can get a sample PAM_CONFIG JSON to perform the Bootstrap operation on these Azure accounts.

Could you please provide a sample "PAM config" JSON? Any reference links or process steps would be appreciated.

FYI, we referred to the links below to set up the Azure AD connector:

https://docs.saviyntcloud.com/bundle/AzureConf-v2021x/page/Content/Registering-an-Application-in-Azu...

https://docs.saviyntcloud.com/bundle/AzureAD-v2021x/page/Content/Configuring-the-Integration-for-Acc...


Thanks,

Umesh

7 REPLIES

NageshK
Saviynt Employee

@UVP @Dheeraj_Reddy Thanks for posting your question. It seems that the Bootstrap job is not supported on Azure AD as of today, and the accounts have to be PAM enabled manually. Additionally, you will also have to use the REST connection type to integrate with your Azure AD. I'm gathering more details on the process and will get back in a day or two.

Thanks,

Nagesh K 

UVP
New Contributor II

Hi @NageshK, thanks for the information.

We need to set up a call with the client to explain the overall Azure AD integration process for CPAM, so please confirm which connector (Azure AD or REST) we need to use for the CPAM integration and why.

Let us know if there are any limitations here for Azure AD.

Thanks,

Umesh

NageshK
Saviynt Employee

Hi @UVP @Dheeraj_Reddy Thanks for your patience in waiting for the response. I had to review the entire implementation to be sure of the steps. 

To PAM enable Azure AD accounts:

  1. Follow the regular IGA process of creating an Azure AD connection for import and a REST connection for provisioning. Doc portal references below:
    Integration details: https://docs.saviyntcloud.com/bundle/AzureAD-v23x/page/Content/Using-Classic-Integration-v2022x.htm
    REST connection for provisioning (this same link is referred to in the above article as well):
    https://docs.saviyntcloud.com/bundle/AzureAD-v23x/page/Content/Configuring-the-Integration-for-Provi...

  2. Add PAM_CONFIG in the Azure AD connection. The only property used from this is encryptionMechanism, so do not worry about the other values; just retain them as-is:
    {
      "Connection": "Azure",
      "EVQuery": "ev.customproperty40=''",
      "whiteListedIPs": "",
      "encryptionMechanism": "Encrypted",
      "CONSOLE": {
        "shareableAccounts": {
          "IDQueryCredentials": "acc.name in ('')",
          "IDQueryCredentialless": "acc.name in ('')"
        },
        "maxIDRequestableTime": "10000",
        "maxCredSessionRequestTime": "10000",
        "maxCredlessSessionRequestTime": "10000",
        "maxConcurrentSession": "2",
        "endpointAttributeMappings": [
          {
            "column": "accessquery",
            "value": "",
            "feature": "endpointAccessQuery"
          },
          {
            "column": "allowChangePassword_sqlquery",
            "value": "AC.ACCOUNTTYPE != 'Platform Service Account'",
            "feature": "allowChangepasswordquery"
          },
          {
            "column": "customproperty43",
            "value": "PAMDefaultUserAccountAccessControl",
            "feature": "accountVisibilityControl"
          }
        ]
      }
    }

  3. Perform the Azure AD account import to fetch all accounts into Saviynt.
  4. Make sure to populate "policy rule service account" in the Azure AD security system, and that the password policy has a valid regex without any values in the text fields.
  5. Manually PAM enable the Azure AD endpoint by navigating to the Endpoint -> PAM Attributes and updating the values as below:
    - Toggle the PAM Enabled button to ON
    - Change the Resource Type dropdown to "CONSOLE"
    - Add the following JSON in Configuration: {"maxInActiveTimeInSec":"30","maxReqExpWarnPeriodInSec":"11","maxSessionLimitInSec":"600","maxInActiveWarnPeriodInSec":"10","maxConcurrentSession":"51","maxSessionWarnPeriodInSec":"10"}
    - Click on the Update button
  6. Now the following step is to be repeated for every Azure AD account that should be PAM enabled. This is a one-time activity that has to be done for each account individually. (Alternatively, if there is a way to identify the accounts to be PAM enabled using a property, then we can build a query to add the required JSON in bulk. Then the only other step required would be to toggle the PAM Enable button on each account.)
    Navigate to Admin -> Identity Repository -> Security System -> Endpoints, select the Azure AD endpoint and click on the "Accounts" tab
    - Select the account and click on the "Add" button at the bottom left that says "Account Config". This gives a pop-up
    - Populate the time-related fields with the desired values and click on Save
    - Now click on the Edit button under "Account Config" and select the credential type as "Credentials" or "Credentialless"
    - Toggle the PAM Enable button and save. This will create a change password task for the account. Once the task is provisioned, the account becomes PAM enabled

  7. If you have the use case of launching the Azure console through a remote app, update endpoints_properties to refer to the app type key for the "Azure" application group against the Azure AD endpoint.

Thanks,

Nagesh K 

UVP
New Contributor II

Hi Nagesh, thanks for sharing all this information.

QQ:

Could you please share the 'Change Password' JSON for the REST connector (Azure AD)?

Thanks,

Umesh

Nishanth
New Contributor III

Hi @NageshP 

We followed the above process; while PAM enabling the Azure AD account, the password change task was stuck in pending with "Provisioning cmd: Adding password to vault failed for account: accountname", and we don't see any option to add the vault in the Azure AD connector. Could you please help to fix this issue?

UVP
New Contributor II

Hi @Nishanth,

As per @NageshK, we need to use the REST connector to perform the 'Change Password' operation on the Azure AD target.

As you know, we can attach a vault in the REST connector and use the shared change password JSON in the REST connector.

Thanks,

Umesh

NageshK
Saviynt Employee

@UVP here it is:

{
	"call": [{
		"name": "call1",
		"connection": "userAuth",
		"url": "https://graph.microsoft.com/v1.0/users/${account.accountID}",
		"httpMethod": "PATCH",
		"httpParams": "{\"passwordPolicies\" :\"DisableStrongPassword\",\"passwordProfile\" : {\"password\":\"${requestAccessAttributes?.savpassword==null? password : requestAccessAttributes.savpassword}\",\"forceChangePasswordNextSignIn\": false}}",
		"httpHeaders": {
			"Authorization": "${access_token}"
		},
		"httpContentType": "application/json",
		"successResponses": {
			"statusCode": [
				200,
				201,
				204,
				205
			]
		}
	}]
}


Thanks,

Nagesh K
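To exercise the change password call outside Saviynt, here is an added Python example (not Saviynt's code and not from the thread) that builds and sends the same Microsoft Graph PATCH the posted REST call makes. It mirrors the savpassword fallback expression from the posted httpParams and the status codes from successResponses; the account ID, the policy regex and the token value are assumptions used for illustration, and Saviynt's ${...} templating is only imitated, not reused. Two points a practitioner should check before copying the template: it sets "passwordPolicies":"DisableStrongPassword", which switches off Azure AD's own password strength validation for that user, so the example makes that opt-in and applies the security system's policy regex (step 4 in the reply above) before sending; and it places ${access_token} in the Authorization header with no scheme, so whatever value Saviynt stores there must already carry it, whereas the example prefixes "Bearer " explicitly.

```python
"""Added example (not Saviynt's code): build and send the Microsoft Graph PATCH
that the posted REST "Change Password" call makes, so the request can be
exercised and unit tested outside Saviynt.
Assumed for illustration: the policy regex, the sample account ID and the
token value; Saviynt's real ${...} templating is only mirrored, not reused."""
import json
import re
import urllib.error
import urllib.request

GRAPH_USER_URL = "https://graph.microsoft.com/v1.0/users/{account_id}"
# Same set as the posted successResponses.statusCode list.
SUCCESS_STATUS = {200, 201, 204, 205}


def resolve_password(request_access_attributes, generated_password):
    """Mirror the posted expression
    ${requestAccessAttributes?.savpassword==null? password : requestAccessAttributes.savpassword}:
    a password supplied on the request wins, otherwise the one Saviynt generated."""
    if request_access_attributes is not None:
        supplied = request_access_attributes.get("savpassword")
        if supplied is not None:
            return supplied
    return generated_password


def check_policy(password, policy_regex):
    """Step 4 of the thread requires a valid regex on the security system's
    password policy. Apply the same regex here so a password that Azure AD would
    accept but the policy would not is caught before the PATCH is sent."""
    return re.fullmatch(policy_regex, password) is not None


def build_password_patch(account_id, generated_password,
                         request_access_attributes=None,
                         disable_strong_password=False):
    """Return (url, body) for the PATCH.

    disable_strong_password=True reproduces the posted template's
    "passwordPolicies": "DisableStrongPassword", which switches off Azure AD's
    own strength validation for this user. It is off by default here so the
    tenant policy keeps applying unless you deliberately opt out."""
    body = {
        "passwordProfile": {
            "password": resolve_password(request_access_attributes, generated_password),
            "forceChangePasswordNextSignIn": False,  # as in the posted httpParams
        }
    }
    if disable_strong_password:
        body["passwordPolicies"] = "DisableStrongPassword"
    return GRAPH_USER_URL.format(account_id=account_id), body


def is_success(status_code):
    """Same success test as the posted successResponses block."""
    return status_code in SUCCESS_STATUS


def send_password_patch(url, body, access_token, opener=None):
    """Issue the PATCH and return the HTTP status code (Graph answers 204 on
    success). The posted header uses ${access_token} with no scheme, so the
    value Saviynt stores must carry it; here "Bearer " is added explicitly."""
    opener = opener or urllib.request.build_opener()
    req = urllib.request.Request(
        url,
        data=json.dumps(body).encode("utf-8"),
        method="PATCH",
        headers={
            "Authorization": "Bearer " + access_token,
            "Content-Type": "application/json",
        },
    )
    try:
        with opener.open(req, timeout=30) as resp:
            return resp.status
    except urllib.error.HTTPError as exc:
        return exc.code


if __name__ == "__main__":
    # Constructed sample input (assumed account ID and regex); no network call here.
    policy = r"(?=.*[A-Z])(?=.*[a-z])(?=.*\d)(?=.*[^A-Za-z0-9]).{12,}"
    url, body = build_password_patch(
        "00000000-0000-0000-0000-000000000000",
        "Gener4ted-Pass!word",
        {"savpassword": None},
    )
    if not check_policy(body["passwordProfile"]["password"], policy):
        raise SystemExit("generated password violates the policy regex")
    print(url)
    print(json.dumps(body, indent=2))
```

When wiring this up against a real tenant, the principal behind the posted "userAuth" connection must be allowed to write passwordProfile for other users; if it is not, Graph returns 403, which the posted successResponses list correctly treats as a failure and leaves the change password task pending, much like the vault error reported earlier in the thread.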