
We are facing an issue with password rotation after enabling MFA in Entra ID; our current version is 23. We are currently using O365 for reading the accounts & systems in AD. When we reached out to BT support, they suggested onboarding Entra ID or Azure in BT. First we onboarded BT in Azure and followed the process below in BT.

Password Safe setup

Add the Entra ID Functional Account

1. Log in to the Webconsole with a BT administrator account

2. Click Quick Navigation, search for function and select Privileged Access Management: Functional Accounts.

3. Click Create New Functional Account

4. Select the Entity Type Directory

5. Select the Platform Microsoft Entra ID

6. Enter the Username in UPN format of the test account. This is used for testing.

Note:
This account looks up accounts that are added. If the test account gets results back, the test is marked as okay and the user can be added. 

7. Enter the following values:

  • Application (client) ID - from the first application created
  • Test Application (client) ID - from the second least privilege test application created
  • Tenant ID - from the first application created
  • Client Secret - from the first application created

Image of steps 4 to 7

8. Enter a name in the Alias field

9. Select a Workgroup

10. Click Create Functional Account button

 

Create Managed System

1. On the left navigation pane, click Managed Systems

2. Click Create New Managed System

3. Select Entity Type Directory

4. Select the Platform Microsoft Entra ID

5. Enter a domain name, for example domainname.onmicrosoft.com; the Forest Name can be left empty

6. Select the Workgroup that is the same as the functional account

7. Ensure Automatic Password Change option is set to Enabled

Image showing steps 3-7

8. Expand Credentials and select the functional account created above

9. Click Create Managed System

 

Onboard Entra ID Managed Accounts

There are two ways to onboard Azure managed accounts: manually or using a Managed Account Smart rule.  Accounts can be onboarded using the Group Name or UPN (starts with/ends with) filters.

 

Creating a Managed Account Smart Rule

1. On the left navigation pane, click Smart Rules.

2. Select Managed Account from the Smart Rule type filter dropdown.

3. Click Create Smart Rule + and configure the rule on the new screen.

4. Choose or create a Category and give the smart rule a name and a description

5. In the Selection Criteria, choose Azure Directory Query, Group Name equals (=), and choose an appropriate group.

6. In the Actions section, select Manage Account Settings and set Enable Automatic Password Management to Yes to change the account passwords. If you do not want the passwords on the accounts to change, select No.

7. Click Add Another Action and select Show Managed Account as Smart Group.

8. Click Create Smart Rule button.


https://beyondtrustcorp.service-now.com/csm?id=kb_article_view&sys_kb_id=b99742a14732e210b77b3ddbd36d4382

But we are encountering the error below while fixing the issue. Can someone provide guidance and a solution to fix the issue?

An unknown error occurred : Microsoft.Graph.Models.ODataErrors.ODataError: Exception of type 'Microsoft.Graph.Models.ODataErrors.ODataError' was thrown. at Microsoft.Kiota.Http.HttpClientLibrary.HttpClientRequestAdapter.<ThrowIfFailedResponse>d__28.MoveNext() --- End of stack trace from previous location where exception was thrown --- at System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw() at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task) at Microsoft.Kiota.Http.HttpClientLibrary.HttpClientRequestAdapter.<SendAsync>d__20`1.MoveNext() --- End of stack trace from previous location where exception was thrown --- at System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw() at Microsoft.Kiota.Http.HttpClientLibrary.HttpClientRequestAdapter.<SendAsync>d__20`1.MoveNext() --- End of stack trace from previous location where exception was thrown --- at System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw() at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task) at Microsoft.Graph.Users.Item.UserItemRequestBuilder.<PatchAsync>d__139.MoveNext() --- End of stack trace from previous location where exception was thrown --- at System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw() at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task) at BeyondTrust.RetinaCS.PasswordSafe.Agents.Executors.ChangePassword_Azure.<>c__DisplayClass4_0.<<ChangeAccount>b__0>d.MoveNext()

The Microsoft.Graph.Models.ODataErrors.ODataError indicates a problem with the API request being made by BeyondTrust (BT) to Microsoft Graph. The most likely causes are incorrect permissions or a misconfigured client secret for the application registered in Entra ID.
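The first cause that reply names, application permissions, can be checked outside BT by decoding the app-only access token that the functional account's client id and secret obtain and comparing its roles claim with what BT needs. The script below is an added example, not BT's or Microsoft's code; the role names in REQUIRED_APP_ROLES and the app id in the sample token are placeholders to replace with the values your BT version documents.

```python
import base64
import json
import time
# App-only permissions the functional account's app registration is expected to
# hold. ASSUMPTION for illustration: take the real list from the BeyondTrust
# documentation for your Password Safe version.
REQUIRED_APP_ROLES = {"User.ReadWrite.All", "Directory.Read.All"}
# Both audience values Entra ID issues for Microsoft Graph access tokens.
GRAPH_AUDIENCES = {"https://graph.microsoft.com", "00000003-0000-0000-c000-000000000000"}

def _b64url_decode(segment: str) -> bytes:
    # JWT segments are base64url without padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))

def decode_claims(token: str) -> dict:
    """Return a compact JWT's payload claims. The signature is NOT verified:
    this shows what the token carries, it does not validate the token."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWT (expected 3 dot-separated segments)")
    return json.loads(_b64url_decode(parts[1]))

def check_graph_token(token: str, required_roles=REQUIRED_APP_ROLES, now=None) -> dict:
    """Compare an app-only Graph token with the permissions BT needs; return the
    claims of interest and a list of findings (empty means nothing obvious)."""
    claims = decode_claims(token)
    now = time.time() if now is None else now
    roles = set(claims.get("roles", []))
    findings = []
    if claims.get("aud") not in GRAPH_AUDIENCES:
        findings.append(f"audience is {claims.get('aud')!r}, not Microsoft Graph")
    if claims.get("exp", 0) <= now:
        findings.append("token is expired")
    if "scp" in claims and not roles:
        findings.append("delegated scopes (scp) but no app roles: not a client-credentials token")
    missing = required_roles - roles
    if missing:
        findings.append("missing application permissions: " + ", ".join(sorted(missing)))
    return {"app_id": claims.get("appid"), "tenant": claims.get("tid"),
            "roles": sorted(roles), "findings": findings}

def make_sample_token(payload: dict) -> str:
    # CONSTRUCTED, unsigned token for offline use only; Graph would reject it.
    enc = lambda o: base64.urlsafe_b64encode(json.dumps(o).encode()).rstrip(b"=").decode()
    return ".".join([enc({"alg": "none", "typ": "JWT"}), enc(payload), ""])

# Constructed sample: placeholder app id, exp in 2100, one assumed role missing.
SAMPLE_TOKEN = make_sample_token({"aud": "https://graph.microsoft.com", "exp": 4102444800,
    "appid": "00000000-0000-0000-0000-000000000000", "roles": ["User.ReadWrite.All"]})
```

Obtain the real token with a client-credentials request to the tenant's token endpoint using the same client id and secret entered in the functional account: a failure at that step points at the secret, while a clean token followed by the ODataError from PatchAsync in the trace points at the permissions Graph saw on that token.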


Have you looked at this one?
