Configuring Azure for Office 365 or Azure Password Reset Tasks

Due to changes that occurred in both the Azure API and PAM, this feature is no longer supported.

In order for PAM to reset Azure or Office 365 passwords, you will need to register a new application in your Azure Active Directory.

Please review the following steps to create, register and properly permission the App in your Azure AD.

Note that an Azure Portal Administrator account is required for this procedure.

Procedure

  1. Log in to your Azure Portal (https://portal.azure.com) using an Administrator account.

  2. Locate and open the Azure Active Directory service. If you do not immediately see it in the left blade menu, click More Services and then enter Azure Active Directory in the filter box.

  3. Open App Registrations in the Azure Active Directory menu.

  4. Click New Application Registration.

  5. Enter a Name for the new App. The name can be anything you choose; however, we recommend something like PAM Password Reset App so other Admins will recognize it. Select Application Type Native and Redirect URI http://graphclient. Click Create to continue.

  6. Open your new app by clicking on it once it is created.

  7. From within the App settings, locate and open the Required Permissions menu.

  8. In Required Permissions, click the Add button.

  9. Select the API Microsoft Graph and Enable Access (check the box) for the delegated permission Sign In and Read User Profile. Click Select to continue.

  10. When both the API and Permissions have been selected, click Done on the Add API Access blade. Microsoft Graph will now appear in the Required Permissions table with 1 delegated permission.

  11. Next we will need to modify the default Windows Azure Active Directory API. Click to select the Windows Azure Active Directory API. If it is not listed, click Add and then select it from the list of available APIs to continue.

  12. In the Windows Azure Active Directory Enable Access menu, select the following 2 permissions: Access the directory as the signed-in user and Sign in and read user profiles. Click Save to continue.

  13. The Required Permissions for this App should now show Windows Azure Active Directory with 2 delegated permissions and Microsoft Graph with 1 delegated permission.

  14. In the Required Permissions menu, click the Grant Permissions button.

  15. Read and confirm the Grant Permissions description by clicking the Yes button.

  16. The Azure configuration is now complete. Return to this registered App's Settings page, then locate and copy the Application ID value.

  17. Log in to PAM with a Global Administrator account and navigate to Administration > Settings > Parameters.

  18. Locate the field Azure App ID and paste the App ID that was copied from Azure.

  19. Click the Save button to complete the operation.

The configuration is now complete.
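As an added defender's check, not part of the original article or the PAM product, the following Python audits an app registration's manifest JSON (the document shown on the registration's Manifest blade) against the minimal configuration the procedure describes: a Native (public client) app with the http://graphclient redirect URI and exactly the three delegated permissions, with no application permissions. It assumes the classic manifest fields publicClient, replyUrls and requiredResourceAccess, and the well-known resource and permission GUIDs noted in the comments.

```python
# Well-known resource appIds and delegated permission ids for the three
# permissions the procedure selects (assumed from Microsoft documentation;
# confirm them against your tenant's Required Permissions blade).
MS_GRAPH = "00000003-0000-0000-c000-000000000000"
AAD_GRAPH = "00000002-0000-0000-c000-000000000000"
EXPECTED = {
    MS_GRAPH: {"e1fe6dd8-ba31-4d61-89e7-88639da4683d"},  # Sign in and read user profile
    AAD_GRAPH: {"311a71cc-e848-46a1-bdf8-97ff7156d8e6",  # Sign in and read user profiles
                "a42657d6-7f20-40e3-b6f0-cee03008a62a"},  # Access the directory as the signed-in user
}
REPLY_URL = "http://graphclient"

def audit_manifest(manifest: dict) -> list:
    """Return findings; an empty list means the registration matches the procedure."""
    findings = []
    if not manifest.get("publicClient", False):
        findings.append("application type is not Native (publicClient is false)")
    if REPLY_URL not in manifest.get("replyUrls", []):
        findings.append(f"redirect URI {REPLY_URL} is missing")
    delegated = {}
    for resource in manifest.get("requiredResourceAccess", []):
        api = resource.get("resourceAppId")
        for access in resource.get("resourceAccess", []):
            if access.get("type") != "Scope":
                # "Role" entries are application permissions, which act without a signed-in user
                findings.append(f"application permission {access.get('id')} on {api} is not expected")
                continue
            delegated.setdefault(api, set()).add(access.get("id"))
    for api, ids in EXPECTED.items():
        for pid in sorted(ids - delegated.get(api, set())):
            findings.append(f"missing delegated permission {pid} on {api}")
    for api, ids in delegated.items():
        for pid in sorted(ids - EXPECTED.get(api, set())):
            findings.append(f"unexpected delegated permission {pid} on {api}")
    return findings

# Constructed sample: a manifest registered exactly as the procedure describes.
GOOD_MANIFEST = {
    "publicClient": True,
    "replyUrls": [REPLY_URL],
    "requiredResourceAccess": [
        {"resourceAppId": MS_GRAPH, "resourceAccess": [
            {"id": "e1fe6dd8-ba31-4d61-89e7-88639da4683d", "type": "Scope"}]},
        {"resourceAppId": AAD_GRAPH, "resourceAccess": [
            {"id": "311a71cc-e848-46a1-bdf8-97ff7156d8e6", "type": "Scope"},
            {"id": "a42657d6-7f20-40e3-b6f0-cee03008a62a", "type": "Scope"}]},
    ],
}
```

Run `audit_manifest` over the manifest exported from the portal; any finding points at the step of the procedure to revisit before granting consent.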

At this point, we would recommend testing this password reset function on a test Azure Administrator or Office 365 Global Administrator account.

If the password reset fails with a message about granting consent to the App, please review the steps again and ensure everything is set up correctly.

If questions remain or issues arise while using PAM, please contact our Support Team https://support.imprivata.com/.