Automatic Rotation and Reset of Azure and Office 365 Passwords

Due to changes in both the Azure API and PAM, this feature is no longer supported.

If Azure or Office 365 Admin accounts are shared, or simply must remain secured, it is imperative that they be stored in a secure location that can rotate or reset the password on demand or automatically.

This limits the risk of highly privileged Administrator credentials escaping your IT perimeter and being phished or socially engineered out of their holders by bad actors.


In the following article, we describe the process of using Privileged Access Management to automatically rotate or reset passwords associated with Azure or Office 365 accounts.

The first section details the configuration required to rotate the passwords of Admin accounts; the second details the process for non-Admin accounts.


Before you begin, make sure you have read about and implemented the required Azure Active Directory App described in this article.

This is a required step, so please complete that process before continuing here.


Azure and Office 365 Administrator Password Rotation or Reset

Azure and Office 365 Non-Administrator Password Rotation or Reset

Azure and Office 365 Administrator Password Rotation or Reset

The following section describes the process for Administrator account password resets. Scroll down to the second section for non-Administrator accounts.


  1. Create a new record using the Record Type Azure.

    FAQ-AzurePasswordReset-CreateRecord

  2. Populate each required field in the record as necessary for your Admin account. User and Password define the Administrator account whose password will be rotated. Please note that if you wish to use this Record with the PAM Browser Extension to auto-fill web login forms, add the URL login.microsoftonline.com to the Description field.

    FAQ-AzurePasswordReset-AzureRecord

  3. Click Save and Return to continue.

  4. With the record created, you can now execute the Password Reset to test the functionality. Return to the record’s page, click the Execute dropdown and select Password Reset Azure.

    FAQ-AzurePasswordReset-Execute

  5. On the Schedule Job page, either use the automatically generated password or enter your own, then click the Schedule Job button to continue. If you enter your own password, ensure that it conforms to the Formula rules and click Validate before continuing.

    FAQ-AzurePasswordReset-ScheduleJob

  6. The Password Reset task is added to the Job Queue and processed in order. After a few seconds or longer (depending on the Queue order), the reset Job is processed and removed from the Queue. To check the status of the Job, click the Job History button.

    FAQ-AzurePasswordReset-JobQueue

  7. Once the Job has been processed successfully, the password has been reset. You may now test the new password by using it to log in. Click the Unlock button to reveal and copy the new password or, if deployed, use the PAM Browser Extension to auto-fill the sign-in form (at login.microsoftonline.com) with your newly rotated password.

    FAQ-AzurePasswordReset-UnlockedPassword


And that’s it. The Admin account associated with this record can now have its password rotated on an automated basis. A few other areas to explore while you are here:

  • Formula: If you want to increase the complexity of the Admin password, the Formula option allows you to configure the password length and the use of non-standard characters.
  • Policies: The Policy assigned to this Password Reset Azure Task can be configured to automate the reset rather than requiring you to execute the Task manually. Explore the options available to schedule this task based on time (once a day) or event (when unlocked) to satisfy your security requirements.
  • Sharing: If you need to share this record, and ultimately this Admin account, with other users, don’t email them the user and password. Instead, share the record with them so they always have access to the most recent password in a secured and audited PAM system.

Azure and Office 365 Non-Administrator Password Rotation or Reset

The following section describes the process for non-Administrator account password resets.

This differs from Administrator accounts and requires a few additional steps because of how the Azure AD App is configured.

  1. Create a new record using the Record Type Azure.
  2. Populate each required field in the record as necessary for your Admin account. This record will be used later to execute the Password Reset task for the non-Admin account.
  3. Click Save and Return to continue.
  4. Now create another new record using the Record Type Azure for your non-Admin account.
  5. Populate each required field in the record as necessary for your non-Admin account. User and Password define the non-Admin account whose password will be rotated. Please note that if you wish to use this Record with the PAM Browser Extension to auto-fill web login forms, add the URL login.microsoftonline.com to the Description field.
  6. Click Save and Return to continue.
  7. Click the Tasks button for this new record to open the Task view.
  8. In this example, we make this Task unique to our new record, but you may wish to configure this option on the Azure task itself in order to take advantage of Inheritance. Click the Make Unique button.

    FAQ-AzurePasswordReset-MakeUnique

  9. This Password Reset Task is now unique to this record only and can be edited. Locate the Shadow Account field along the top and type or select the Record Name of the Azure Admin record created in steps 1-3. The Shadow Account is used to execute the Task instead of the non-Admin account saved to this record. Learn more about Shadow Accounts.

    FAQ-AzurePasswordReset-ShadowAccount

  10. When the Shadow Account has been selected, click Save to continue.

  11. With the non-Admin Azure record created and the Admin account added to the Task as the Shadow Account, you are now ready to rotate this account’s password. Return to the record’s page, click the Execute dropdown and select Password Reset Azure.

  12. On the Schedule Job page, either use the automatically generated password or enter your own, then click the Schedule Job button to continue. If you enter your own password, ensure that it conforms to the Formula rules and click Validate before continuing.

  13. The Password Reset task is added to the Job Queue and processed in order. After a few seconds or longer (depending on the Queue order), the reset Job is processed and removed from the Queue. To check the status of the Job, click the Job History button.

  14. Once the Job has been processed successfully, the password has been reset. You may now test the new password by using it to log in. Click the Unlock button to reveal and copy the new password or, if deployed, use the PAM Browser Extension to auto-fill the sign-in form (at login.microsoftonline.com) with your newly rotated password.
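What a Password Reset Azure job does once it leaves the Job Queue, as an added example that is not part of this article or of the PAM product. It models both procedures above: an Admin record changes its own password with a token issued to that account (the current password is needed), while a non-Admin record is updated with the Shadow Account's token (the non-Admin's current password is not needed). The example assumes the reset goes through the Microsoft Graph users endpoint, which this article does not state (the Azure AD App from the prerequisite article is what would be granted that access); the Formula rules, the account names, and the get_token and send callables are assumptions and are injected so the example runs offline.

```python
"""Added example, not code from the original article or the PAM product:
an Azure/Office 365 password reset job modelled on the Microsoft Graph users API.
Formula rules, account names, token acquisition and HTTP sending are assumed."""
import secrets
import string
from dataclasses import dataclass, replace
from typing import Callable, Optional

GRAPH = "https://graph.microsoft.com/v1.0"


@dataclass(frozen=True)
class Formula:
    """Mirrors the PAM 'Formula' option: minimum length and non-standard characters."""
    length: int = 20
    specials: str = "!#$%&*+-=?@^_"
    min_specials: int = 2


def validate(password: str, f: Formula) -> list:
    """Return the list of rule violations; an empty list means 'Validate' would pass."""
    problems = []
    if len(password) < f.length:
        problems.append(f"needs at least {f.length} characters")
    for name, cls in (("uppercase", string.ascii_uppercase),
                      ("lowercase", string.ascii_lowercase),
                      ("digit", string.digits)):
        if not any(c in cls for c in password):
            problems.append(f"needs a {name} character")
    if sum(c in f.specials for c in password) < f.min_specials:
        problems.append(f"needs {f.min_specials} characters from {f.specials}")
    bad = sorted({c for c in password if not (c.isascii() and c.isalnum() or c in f.specials)})
    if bad:
        problems.append("contains disallowed characters: " + "".join(bad))
    return problems


def generate(f: Formula) -> str:
    """The 'automatically generated password': CSPRNG output that always satisfies the formula."""
    chars = [secrets.choice(string.ascii_uppercase), secrets.choice(string.ascii_lowercase),
             secrets.choice(string.digits)]
    chars += [secrets.choice(f.specials) for _ in range(f.min_specials)]
    alphabet = string.ascii_letters + string.digits + f.specials
    chars += [secrets.choice(alphabet) for _ in range(f.length - len(chars))]
    for i in range(len(chars) - 1, 0, -1):          # Fisher-Yates shuffle with a CSPRNG
        j = secrets.randbelow(i + 1)
        chars[i], chars[j] = chars[j], chars[i]
    return "".join(chars)


@dataclass(frozen=True)
class AzureRecord:
    """A PAM record of Record Type Azure: the User and Password it holds."""
    name: str
    user: str        # user principal name; the contoso names below are assumed
    password: str


def build_reset(record: AzureRecord, new_password: str, token: str,
                shadow: Optional[AzureRecord] = None) -> dict:
    """Build the Graph call for one job.
    No shadow (Admin section): the account changes its own password, so the token
    belongs to that account and its current password is supplied.
    Shadow set (non-Admin section): the Shadow Account's token updates the target."""
    headers = {"Authorization": f"Bearer {token}", "Content-Type": "application/json"}
    if shadow is None:
        return {"method": "POST", "url": f"{GRAPH}/me/changePassword", "headers": headers,
                "body": {"currentPassword": record.password, "newPassword": new_password}}
    return {"method": "PATCH", "url": f"{GRAPH}/users/{record.user}", "headers": headers,
            "body": {"passwordProfile": {"forceChangePasswordNextSignIn": False,
                                         "password": new_password}}}


def run_reset(record: AzureRecord, formula: Formula,
              get_token: Callable[[str, str], str], send: Callable[[dict], int],
              shadow: Optional[AzureRecord] = None,
              new_password: Optional[str] = None) -> AzureRecord:
    """Execute the job and return the record to store. The stored password is replaced
    only after Azure confirms the change: a failed reset must not leave the vault
    holding a password that works nowhere."""
    new_password = new_password or generate(formula)
    problems = validate(new_password, formula)
    if problems:
        raise ValueError("password fails Formula: " + "; ".join(problems))
    actor = shadow or record                        # who the Task runs as
    token = get_token(actor.user, actor.password)   # injected: whatever flow the Azure AD App uses
    status = send(build_reset(record, new_password, token, shadow))
    if status not in (200, 204):
        raise RuntimeError(f"Graph returned HTTP {status}; record '{record.name}' left unchanged")
    return replace(record, password=new_password)


if __name__ == "__main__":
    # Offline dry run with a fake token issuer and a sender that only logs the request.
    admin = AzureRecord("Azure Admin", "admin@contoso.onmicrosoft.com", "OldAdminPassw0rd!!")
    alice = AzureRecord("Azure User", "alice@contoso.onmicrosoft.com", "OldUserPassw0rd!!")
    fake_token = lambda user, pw: "tok-" + user
    def log_send(req: dict) -> int:
        print(req["method"], req["url"], "(body not printed: it carries the new password)")
        return 204
    run_reset(admin, Formula(), fake_token, log_send)                 # Admin: self change
    run_reset(alice, Formula(), fake_token, log_send, shadow=admin)   # non-Admin: via Shadow Account
```

Note that the record is updated only on a 2xx from Graph, and that the request body (which carries the new password) is kept out of logs; a live deployment would replace get_token and send with the Azure AD App's token flow and an HTTPS client.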