Importing users from Azure AD

You can integrate PAM360 with Azure Active Directory (AD) in your environment, and import users and user groups from there. Once integrated, you can allow users to use their Azure AD credentials to log in to PAM360 in both Windows and Linux platforms.


To integrate PAM360 with Azure AD and import users, PAM360 should first be added as a native client application in your Azure AD portal. Follow the steps given below to register PAM360 as an application:

  • Log in to your Microsoft Azure portal. Click on the Active Directory icon on the left menu, and then click on the desired directory.
  • On the top menu, click Applications. If no apps have been added to your directory, this page will only show the Add an App link. Click on the link, or alternatively you can click on the Add button on the command bar at the bottom.
  • On the What do you want to do page, click on the link Add an application my organization is developing.
  • On the Tell us about your application page, enter the NAME as PAM360 and under type, choose Native Client Application. Click the Next arrow icon.
  • On the Application information page, enter the Redirect URL as https://<hostname>:port and click the checkbox in the bottom-right hand corner of the page. PAM360 will be added as an application in Azure AD.
  • In the next page, click on Configure access to web APIs in other applications. You will be taken to Application properties. In this page, you can find the CLIENT ID generated for your PAM360 application, which you will need while integrating Azure AD in PAM360 GUI. You can add the PAM360 logo if desired (Optional).
  • On the Application properties page, scroll to the bottom and locate the section Permissions to other applications. By default, Windows Azure Active Directory will be added with 2 delegated permissions.
  • Click on Add application. In the page that opens, select Microsoft Graph and click the checkbox in the bottom-right hand corner of the page.
  • Once added, the final step is to delegate Read directory data permission for Microsoft Graph.

Once you have registered PAM360 in Azure AD portal, go to Admin >> Authentication >> Azure AD in PAM360.

In the new screen that opens, there are three steps involved, as given below:
Step 1: Import users from Azure AD
Step 2: Specify appropriate user roles
Step 3: Enable Azure AD authentication

Note: Alternatively, you can also carry out the import operation from Admin >> Users >> Add Users >> Import from Azure AD. However, you have to go to Admin >> Azure AD to carry out Step 3 - enabling Azure AD authentication.

Step 1: Import users from Azure AD

To begin importing users, you need to provide the required credentials such as client ID and user account details. To do this,

  • Go to Step 1 in the UI screen, and click on "Import Now".
  • In the dialog box that opens, the first step is to add the Azure AD domain from which users and groups are to be imported. Click on "New Domain" beside the field "Select Domain Name," and add your domain name.
  • Next, enter the CLIENT ID generated beforehand in Azure AD server while registering PAM360 as a Native client application in your Azure portal.
  • Next, enter a valid user credential (username and password) having sufficient permissions to enable user import. Usually, the username will be of the form <username>@<domain>, or, in the case of custom domains, <username>@<domain>.com. After entering the CLIENT ID and domain details, click Save to keep them auto-populated for future import operations.
  • [Optional Step] If you want only particular users and groups to be imported from Azure AD directory, enter the required user name(s) in comma separated form, in the field "Users to import," and required group names in the text field, "User Groups to import."
  • [Optional Step] To keep the user database constantly in sync with your Azure AD, you can add synchronization schedules. In the field "Synchronization Interval," enter the time interval at which PAM360 has to query Azure AD and keep the user database in sync.
  • After entering the required details, click on "Fetch Groups." PAM360 will list all the user groups available in your Azure AD domain, from which you can select the desired groups and import the users.
  • Click Close and you will be automatically taken to Step 2: Specify appropriate user roles.

Note: Synchronization schedules created for Azure AD user import can be viewed by clicking on View Synchronization Schedules as shown in the images below:

Step 2: Specify appropriate user roles

After import, all the users imported from Azure AD will be assigned the "Password User" role as shown in the dialog box that opens once the users are imported.

  • Select the users for whom you wish to change the role and click the "Grant" button to assign them the role of Administrator/Password Administrator/Password Auditor from the dropdown.
  • Click Save and the required roles are set for the users.
  • Note: You can change the assigned roles anytime in the future by clicking on Assign Roles Now as shown in the image below:

Step 3: Enable Azure AD authentication

The third step is to enable Azure AD authentication. This will allow your users to use their Azure AD domain password to log in to PAM360. Note that this scheme will work only for users who have already been imported to the local database from Azure AD. Also, ensure that AD authentication is disabled before enabling Azure AD authentication.

Note: After enabling Azure AD authentication, if you want to disable local authentication under General Settings >> User Management, make sure you have at least one user with the 'Administrator' role among the users imported from Azure AD. The Administrator role is required to carry out user management and other system operations in PAM360.
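The role rules from Step 2 and the precondition in the note above can be checked mechanically before local authentication is turned off, so that an import with a mistyped user list or a missing Administrator grant does not lock administrators out. The following is an added example in Python, not PAM360 code: the UPN pattern, the Directory class and the sample user names are assumptions constructed for illustration, and PAM360's own validation may differ.

```python
"""Added example (not PAM360 code): models the "Users to import" field, the
default "Password User" role and the Grant button from Step 2, and the Step 3
precondition that at least one imported user must be an Administrator before
local authentication is disabled."""
import re
from dataclasses import dataclass, field

# Roles named on this page. "Password User" is the default assigned on import.
ROLES = {"Administrator", "Password Administrator", "Password Auditor", "Password User"}
DEFAULT_ROLE = "Password User"

# <username>@<domain>, where the domain is one or more dot-separated labels.
# Constructed pattern for illustration; not PAM360's own validation.
UPN_RE = re.compile(r"^[^@\s,]+@[A-Za-z0-9-]+(\.[A-Za-z0-9-]+)*$")


def parse_import_list(raw: str) -> list[str]:
    """Parse the comma-separated "Users to import" field into a list of UPNs.

    Blank entries are dropped. A malformed entry raises instead of being
    silently skipped, so a typo cannot quietly shrink the imported set.
    Duplicates are removed case-insensitively, keeping the first spelling.
    """
    names = [n.strip() for n in raw.split(",")]
    names = [n for n in names if n]
    bad = [n for n in names if not UPN_RE.match(n)]
    if bad:
        raise ValueError(f"not in <username>@<domain> form: {bad}")
    seen = set()
    result = []
    for n in names:
        key = n.lower()
        if key not in seen:
            seen.add(key)
            result.append(n)
    return result


@dataclass
class Directory:
    """Imported Azure AD users and the PAM360 role held by each (keys lowercased)."""
    roles: dict[str, str] = field(default_factory=dict)

    def import_users(self, upns):
        # Every newly imported user starts as Password User (Step 2).
        for upn in upns:
            self.roles.setdefault(upn.lower(), DEFAULT_ROLE)

    def grant(self, upn, role):
        # Step 2's Grant button: only the roles the page names are accepted.
        if role not in ROLES:
            raise ValueError(f"unknown role {role!r}")
        key = upn.lower()
        if key not in self.roles:
            raise KeyError(f"{upn} has not been imported")
        self.roles[key] = role

    def administrators(self):
        return sorted(u for u, r in self.roles.items() if r == "Administrator")

    def can_disable_local_auth(self):
        """Step 3 note: local authentication may be disabled only when at
        least one imported Azure AD user holds the Administrator role."""
        return len(self.administrators()) > 0


def demo():
    # Constructed sample of what an admin might type into "Users to import".
    raw = "alice@example.onmicrosoft.com, bob@example.com,, Alice@example.onmicrosoft.com"
    d = Directory()
    d.import_users(parse_import_list(raw))
    before = d.can_disable_local_auth()  # False: everyone is still Password User
    d.grant("alice@example.onmicrosoft.com", "Administrator")
    after = d.can_disable_local_auth()   # True: one Administrator now exists
    return before, after, d.administrators()


if __name__ == "__main__":
    print(demo())
```

Running the block prints `(False, True, ['alice@example.onmicrosoft.com'])`: the lockout guard refuses until an Administrator has been granted, and the duplicate entry differing only in case has been collapsed.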

©2019, ZOHO Corp. All Rights Reserved.