Connect Azure AD to Password Boss

The Password Boss Azure AD connector allows you to create and update user accounts in Password Boss directly from Azure AD.

This connector does not synchronize the user's AD password to Password Boss.


Syncing groups from Azure Active Directory to Password Boss

Groups can also be synced to Password Boss. Details are in the Synchronizing Groups article.


Using Sync Rules to customize sync

Sync rules determine the actions taken in Password Boss when changes are made in Active Directory. Details of the sync rules are in the Sync Rules article.

Creating a group in Azure AD to sync to Password Boss

The Azure Active Directory connector works by monitoring a group in Active Directory. When users are added to the group, their user accounts are created in Password Boss. When users are removed from the group, disabled or deleted, their user accounts in Password Boss are disabled; this is a setting you can change on the Sync Rules tab of the connector in the Password Boss Portal.

  1. Create a new security group in Azure AD named Password Boss Users.

Tip - click the images to make them larger

Create a new application registration

  1. Go to https://portal.azure.com
  2. From the left menu click All services
  3. Click Azure Active Directory

  1. Click App registrations
  2. Click New registration

  1. Name your application “Password Boss AD Connector”
  2. In the Supported Accounts Type section select Accounts in this organizational directory only
  3. Click the Register button to create the application.

Configure API permissions

  1. After saving the new AD connector you should be on the Overview page for the new connector. Note: Microsoft frequently changes these pages and this flow, so you may need to navigate manually to the Overview page as shown in the screenshot below.
  2. Click View API Permissions

  1. Click Add a permission

  1. Select Microsoft Graph

  1. Select Application permissions

  1. You will need to set the following two permissions:
    Group -> Group.Read.All
    User -> User.Read.All

  1. Click Add permission at the bottom
  2. Click Grant admin consent for [Org Name]


  1. Click Yes

Create a client secret key

  1. Select the application you created.
  2. Click Certificates & secrets and then click New client secret

  1. Name the key Password Boss Secret and set the expiration to Never

  1. Click Add
  2. Copy your secret key now; it is not shown again. We recommend placing the secret key in a digital Note in Password Boss. You will need the key to finish the configuration on the Password Boss Portal.

Copy application ID and tenant ID

  1. From the Overview tab of the App registration you just created, copy the Application (client) ID and the Directory (tenant) ID. You will need these values to finish the setup on the Password Boss Portal.

Specify redirect URIs

  1. From the Overview screen on the App registration click Add a Redirect URI

  1. Add the following two URIs and then click Save
https://partner.passwordboss.com/azure/callback
https://portal.passwordboss.com/business/connectors/azure/callback

The remaining configuration happens in the Password Boss Portal

Install the Azure Active Directory Connector

  1. Open the Password Boss Portal.
    • In the Partner Portal, the connector is located on the Connectors tab for each Company.
    • In the User Portal, the connector is located on the Integrations tab.
  2. Click Install

  1. Save the Authentication token for future use and click Next.

  1. Enter the Client ID, Client Secret and Tenant, then click Verify Connection

  1. You will be redirected to Microsoft in your browser to authorize the connection. Review the requested consent and click Accept.

  1. After successful verification at Microsoft you will see Connection Verified.
  2. Click Next to continue
  3. On the Users & Groups tab, click the green button to select the Password Boss Users group that you created in the first section of this guide. The group selected here is the group that will be synchronized to Password Boss. Note: as a best practice, use a dedicated group that is only used for managing users in Password Boss. Only one group can be selected for synchronization to Password Boss.

  1. Optional - Select Azure groups to sync to Password Boss. Any groups selected will be synchronized to Password Boss as long as they contain users who are included in the sync group you specified above. Empty groups will not be synchronized.
  2. Click Next
  3. Review the sync rules. In most cases, the default setting will be the best choice.
  4. Click Save Changes
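The user and group behaviour described in the connector overview above (users created when added to the monitored group, disabled when removed or disabled in Azure AD) and in the optional group sync step is modelled here as an added offline example; it is not Password Boss's own code, and the member objects, group names and the `disable_on_removal` switch are constructed assumptions.

```python
# Offline model of the sync behaviour this page describes (added example, not
# Password Boss's own connector). Sample data is constructed; the Azure side is
# shaped like Microsoft Graph /groups/{id}/members objects.
SYNC_GROUP_MEMBERS = [  # the "Password Boss Users" group (constructed)
    {"id": "u1", "userPrincipalName": "alice@example.test", "accountEnabled": True},
    {"id": "u2", "userPrincipalName": "bob@example.test", "accountEnabled": False},
    {"id": "u3", "userPrincipalName": "carol@example.test", "accountEnabled": True},
]
OPTIONAL_GROUPS = {  # optional Azure groups selected for group sync (constructed)
    "Finance": ["u1", "u9"],   # u9 is not in the sync group
    "Contractors": ["u9"],     # contains no sync-group members
    "Empty": [],
}
PB_USERS = {  # users already in Password Boss, keyed by Azure object id (constructed)
    "u1": {"email": "alice@example.test", "enabled": True},
    "u2": {"email": "bob@example.test", "enabled": True},
    "u4": {"email": "dave@example.test", "enabled": True},  # removed from the group
}

def plan_user_sync(members, pb_users, disable_on_removal=True):
    """Actions implied by the default sync rules: create accounts for new group
    members, disable accounts whose user is disabled in Azure AD or has left the
    group. disable_on_removal models the Sync Rules switch for removed users."""
    in_group = {m["id"]: m for m in members}
    actions = []
    for uid, m in in_group.items():
        if uid not in pb_users:
            if m["accountEnabled"]:  # assumption: disabled users are not created
                actions.append(("create", m["userPrincipalName"]))
        elif not m["accountEnabled"] and pb_users[uid]["enabled"]:
            actions.append(("disable", pb_users[uid]["email"]))
    if disable_on_removal:
        for uid, u in pb_users.items():
            if uid not in in_group and u["enabled"]:
                actions.append(("disable", u["email"]))
    return sorted(actions)

def plan_group_sync(groups, members):
    """Only groups containing at least one sync-group member are synchronized,
    and only those members carry over; empty or unrelated groups are skipped."""
    synced = {m["id"] for m in members}
    return {name: sorted(set(ids) & synced)
            for name, ids in groups.items() if set(ids) & synced}

if __name__ == "__main__":
    print(plan_user_sync(SYNC_GROUP_MEMBERS, PB_USERS))
    print(plan_group_sync(OPTIONAL_GROUPS, SYNC_GROUP_MEMBERS))
```

Comparing the planned actions against what the portal actually shows in the Managed By column is a quick way to confirm the group membership is what you expect before troubleshooting the connector itself.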

When you return to the connector list in the portal you will see the connector with a status of Waiting for connection.

Normally this status will transition to Connected within a couple of minutes.

Users whose accounts were synchronized from Azure AD will show Azure AD in the Managed By column of the Users tab of the portal.

Troubleshooting synchronization

Synchronization with Microsoft runs every minute. If you have made changes in Azure AD that are not being reflected in Password Boss, follow these troubleshooting steps.

  1. In the Password Boss Portal, what status is shown for the Azure AD connector?
    Connected means the last connection to Microsoft was successful.
    Unauthorized means you need to reauthorize the Azure AD connector: edit the connector and, on the Azure Auth tab, click Verify Connection.

  2. Check your Password Boss Users group in Azure AD to confirm the correct users are in the group.

  3. If synchronization seems stuck you can perform a manual synchronization. Select the checkbox next to the connector and from the Actions menu select Synchronize Now.