Importing Users from Microsoft Entra ID

Integrate Microsoft Entra ID with PAM360 to import users and user groups from it. Through this integration, users can log in to PAM360 using their Microsoft Entra ID credentials on both Windows and Linux platforms. After integration, the user details and user group structure are maintained in PAM360 exactly as they are in Microsoft Entra ID.

Note: You can only import users who don't have multi-factor authentication (MFA) enabled in the Microsoft Entra ID portal.

Following are detailed steps to register PAM360 in the Azure portal and import users into PAM360:

  1. Registering PAM360 in Microsoft Entra ID Portal
  2. Steps to Import Users from Microsoft Entra ID
    2.1 Importing Users from Microsoft Entra ID
    2.2 Specifying Appropriate User Roles
    2.3 Enabling Microsoft Entra ID Authentication
    2.4 Troubleshooting Tips

1. Registering PAM360 in Microsoft Entra ID Portal

To integrate PAM360 with Microsoft Entra ID and import users, PAM360 should first be added as a native client application in your Microsoft Entra ID portal. Follow the steps given below to register PAM360 as an application:

  1. Log in to your Microsoft Azure portal.
  2. Click App registrations from the Microsoft Azure home page.
  3. Click + New registration from the top bar.
  4. In the Register an application page, enter the following attributes:
    1. Enter Name as PAM360 or any name of your choice.
    2. Choose Supported account types - Accounts in this organizational directory only (Single tenant).
    3. Enter the Redirect URI of the PAM360 application.
  5. Click Register. PAM360 will be added as an application in the Microsoft Entra ID portal.
  6. You will be taken to the page with the details of the newly registered PAM360 application.
  7. Click Authentication under Manage in the left pane. In the Authentication page, under Advanced settings, enable Allow public client flows by clicking Yes.
  8. Click API permissions under Manage in the left pane. In the API Permissions page, click + Add a permission.
    1. In the Request API Permissions page, choose Microsoft Graph.
      1. Click Delegated Permissions and search for "read" in the Select Permissions search bar to populate relevant permissions. Select the option Directory.Read.All and click Add Permissions.
      2. Click Application Permissions and search for "read" in the Select Permissions search bar to populate relevant permissions. Select the option Directory.Read.All and click Add Permissions.
      3. Click Delegated Permissions and search for "access" in the Select Permissions search bar to populate relevant permissions. Select the option Directory.AccessAsUser.All and click Add Permissions.
  9. Now, click the Grant admin consent button under Grant Consent.
  10. In the pop-up that opens, click Yes to grant consent for the requested permissions.

Once you have registered PAM360 with appropriate permissions, go to PAM360's web interface and start importing users using the steps detailed below.

2. Steps to Import Users from Microsoft Entra ID

  1. Log in to PAM360 and navigate to Admin >> Authentication >> Microsoft Entra ID.

Note: You can also import users by navigating to Admin >> Users >> Add Users >> Import from Microsoft Entra ID. However, Microsoft Entra ID Authentication can be enabled only from Admin >> Authentication >> Microsoft Entra ID.

  2. The Microsoft Entra ID Server Configuration page will be displayed, from where you need to perform the below sequence of steps:
    1. Importing users from Microsoft Entra ID
    2. Specifying appropriate user roles
    3. Enabling Microsoft Entra ID authentication

2.1 Importing Users from Microsoft Entra ID

  1. Navigate to 'Users >> Add User >> Import From Microsoft Entra ID' or 'Admin >> Microsoft Entra ID >> Import Now'.
  2. In the pop-up that opens, perform the following operations:
    1. Click New Domain and add the Microsoft Entra ID domain from which users and groups are to be imported.
    2. Select the Authentication mode as App-Only Access Token. User Access Token is no longer applicable from build 6000.

    Note: For existing users, the User Access Token method will continue to work (without further import/sync) until Microsoft deprecates its API services.

    3. Select Supply Credentials as Specify Client ID and Client Secret Manually. If you have stored the Azure Application of Microsoft Azure as a resource in PAM360, then select Use an account stored in PAM360.
    4. If you have selected Specify Client ID and Client Secret Manually under Supply Credentials:
      1. Enter the Tenant ID and Client Secret.
      2. Enter the Client ID generated in the Microsoft Entra ID server while registering PAM360 as a native client application in your Azure portal.
    5. To import only particular users and user groups from Microsoft Entra ID, enter the required user name(s) in comma-separated form in the field Users to Import and the required group names in User Groups to Import.
    6. Add a synchronization schedule to keep the user database constantly in sync with your Microsoft Entra ID. In the Synchronization Interval field, enter the time interval at which PAM360 has to query Microsoft Entra ID to keep the user database in sync.
    7. After entering the required details, click Fetch Groups. If you have specified users/user groups to import, then click Import. PAM360 will list all the user groups available in your Microsoft Entra ID domain. Select the required groups using the check boxes beside them and import users.
    8. Once the import is complete, the Import Summary will be displayed with the number of users imported successfully and the ones that failed. Once you click Close, you will be automatically taken to section 2.2: specifying appropriate user roles.
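Before configuring the domain in PAM360, it is worth confirming that the registration from section 1 actually yields the kind of token the App-Only Access Token mode expects: an application (client-credentials) token for Microsoft Graph whose `roles` claim carries `Directory.Read.All`, rather than a delegated token (which carries `scp` instead). The Python below is an added example, not PAM360's or Microsoft's code; it builds the client-credentials request for the Microsoft identity platform token endpoint and inspects a token's claims offline (it does not verify the signature), and the sample tokens it decodes are constructed and unsigned.

```python
import base64
import json

# Microsoft Graph resource identifiers (well-known; the GUID is Graph's application ID)
GRAPH_AUDIENCES = ("https://graph.microsoft.com", "00000003-0000-0000-c000-000000000000")

def token_request(tenant_id, client_id, client_secret):
    """Build the OAuth 2.0 client-credentials request that App-Only mode relies on.
    Returns (url, form) without sending anything; pass your own (hypothetical) IDs."""
    url = f"https://login.microsoftonline.com/{tenant_id}/oauth2/v2.0/token"
    form = {
        "grant_type": "client_credentials",
        "client_id": client_id,
        "client_secret": client_secret,
        "scope": "https://graph.microsoft.com/.default",  # all consented app permissions
    }
    return url, form

def _b64url(data):
    return base64.urlsafe_b64encode(data).decode().rstrip("=")

def make_unsigned_token(claims):
    """Constructed sample token for offline testing only (alg 'none', empty signature)."""
    header = _b64url(json.dumps({"alg": "none", "typ": "JWT"}).encode())
    return f"{header}.{_b64url(json.dumps(claims).encode())}."

def token_claims(jwt):
    """Decode the payload segment; this inspects claims, it does not verify the signature."""
    payload = jwt.split(".")[1]
    return json.loads(base64.urlsafe_b64decode(payload + "=" * (-len(payload) % 4)))

def check_app_only_token(jwt, required_role="Directory.Read.All"):
    """Return (ok, problems): is this an app-only Graph token carrying the needed role?"""
    c = token_claims(jwt)
    problems = []
    if "scp" in c:  # 'scp' marks a delegated (User Access Token) grant, not app-only
        problems.append("delegated token: 'scp' claim present, so not app-only")
    if required_role not in c.get("roles", []):  # application permissions arrive in 'roles'
        problems.append(f"application permission {required_role} not granted or not consented")
    if c.get("aud") not in GRAPH_AUDIENCES:
        problems.append(f"audience {c.get('aud')!r} is not Microsoft Graph")
    return (not problems, problems)
```

A token whose `roles` lacks `Directory.Read.All` usually means the Application permission was added but admin consent (step 9 of section 1) was not granted.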

2.2 Specifying Appropriate User Roles

After import, all the users imported from Microsoft Entra ID will be assigned the Password User role as shown in the Change Roles for users dialog box.

  1. Click the Change Role button against the users whose role you wish to change and choose an appropriate role from the drop-down.
  2. To change roles for users in bulk, select the users using the check boxes, click Change Role at the top and choose an appropriate role from the drop-down. The changes are saved as soon as the roles are assigned.

Notes:

  • You can change the assigned roles anytime in the future by clicking Assign Roles Now in the Microsoft Entra ID Server Configuration page.
  • Assign Administrator role to at least one user from the list of users imported from Microsoft Entra ID as administrator privileges are required to carry out user management and other system operations in PAM360.

2.3 Enabling Microsoft Entra ID Authentication

The third step is to enable Microsoft Entra ID authentication; enabling this allows your users to log in to PAM360 using their Microsoft Entra ID domain password. Note that this feature will work only for users who have already been imported into the local database from Microsoft Entra ID. Before enabling Microsoft Entra ID authentication, ensure that AD authentication is disabled.

  1. Navigate to Admin >> Authentication >> Microsoft Entra ID and click Enable Now under Enable Microsoft Entra ID Authentication.
  2. Once Microsoft Entra ID authentication is enabled, you can disable local authentication under Admin >> Settings >> General Settings >> User Management.

2.4 Troubleshooting Tips

In PAM360, Microsoft Entra ID authentication will not work under two circumstances, which are explained below with possible solutions:

  1. Users in the Microsoft Entra ID portal have Conditional Access enabled, which prevents the auth token from being sent to PAM360, leading to authentication failure.
    Solution: Bypass this by disabling Conditional Access at both the app level and the user level in the Microsoft Entra ID portal before enabling Microsoft Entra ID authentication in PAM360.
  2. The Microsoft Entra ID portal has Multi-Factor Authentication (MFA) enabled.
    Solution: Bypass this by disabling MFA in the Microsoft Entra ID portal.

Instead of Conditional Access and MFA, you can enable SAML single sign-on in the Microsoft Entra ID portal. Refer to the SAML authentication setup guide to learn how.
