Active Directory and Entra ID Integration
AD Sync schedule
The Active Directory sync with Passportal takes place every 45 seconds once enabled.
AD Sync Overview
The Windows Agent allows you to sync and manage your Active Directory credentials within Passportal. This allows you to enable automatic Password Rotation as well as other options. The Windows Agent is also used to setup Blink users within Passportal.
The Windows Agent can be downloaded from 2 locations.
- From within the Edit Client menu, where Connect to Active Directory or Active Directory + Entra ID is set for Microsoft Sync, click the Active Directory Settings button, and then click the Download Windows Agent link near the top of the settings dialog window.
- From Settings > Downloads > Download - Passportal Agent.
The following gives a brief description of each of the Client configuration settings.
- Custom Rotation Policy: If you enable rotation policy, you can determine how frequently passwords will be rotated. If the password is synced with Active Directory, and rotation is enabled, the password will be randomly generated and applied to the password, then synced down to Active Directory. See Credential Rotation for further details.
- Enable Site Login: requires the Site product. Site allows partners to deliver Branded Password Security as a Service. Site further delivers the ability to automatically and securely share approved passwords between the MSP and their clients in co-managed IT environments.
- Forced Credential Types: This forces the client to use the credentials list from the organization
- Agent Key: The Agent key is required to install the Windows Agent - this is only accessible if the user has the Setup AD Sync permission
- Microsoft Sync: selection of either Connect to Active Directory or Active Directory + Entra ID allows this client to be selectable when configuring the Windows Agent during install.
- None
- Connect to
- Connect to Active Directory
- Active Directory + Entra ID
If you enable rotation on an end user password they will not be notified of the new password that is generated.
The following gives a brief description of each of the options within the Active Directory Settings.
Active Directory Settings
| Setting | Description |
|---|---|
| Sync behavior | |
| Mute Agent | Turns off all password processing for the agent. |
| One-way sync | Password changes are sent one-way only and any changes at the destination will be overwritten. |
| AD to Passportal | Changes from AD are sent to Passportal on sync. Changes in Passportal will get overwritten by Windows agent. |
| Passportal to AD | Changes from Passportal are sent to AD on sync. Changes in AD will get overwritten by Windows agent. |
| Two-way sync | Password changes are sent both ways on sync. Password must be changed first in Passportal for this to work. |
| Services | |
| Update Service Credentials on Network | Update all network services with password changes. |
| Auto Restart Updated Services | When service account logins are updated, restart the service. |
| User Settings | |
| Unlock Windows Accounts on resets | When resetting an account via Blink also unlock the account. |
| Auto Create Users as Passwords | When a password change is detected, create the user as a password in Passportal |
| Force Username to UPN |
When passwords are automatically created, employ User Principle Name (UPN). When Active Directory + Entra ID sync is enabled, forcing the username to UPN may disrupt Entra ID syncing if the agent domain name is different than the Entra ID domain name. |
| Auto Create Missing Windows Users | Create the user in Windows if present in Passportal and set to update password. |
| Blink app | |
| Agent Settings Override Blink Options | When this setting is off, the options in the Blink app will be used for password resets |
| Require password change on Blink resets | When Blink users request password resets, true means they will be forced to change their password at next login. |
| Agent folder settings | |
| Folder Path - Sync Agent 4.1.0 or higher to use these settings |
Folder where synced passwords will be created. Available after an Agent 4.1.0 and above has synced. Configure to automatically store any new synchronized passwords in the selected folder rather than in the root of the client. This ensures that any sensitive passwords appear in this folder first before moving them elsewhere. For additional security and restrict access, apply multiple security groups to the selected folder. Use in conjunction with the Org Unit Filter to select which Organization Units synchronize to the folder. |
| Org Units Filter - Sync Agent 4.1.0 or higher to use these settings |
Select the Organization Units you want to sync with ". Available after an Agent 4.1.0 and above has synced. Choose the Active Directory Organization Units to synchronize with Passportal. After selection, Passportal only synchronizes with those units included in the filter. Org Units Filtering does not apply to default Organizational Unit structures which always synchronize. |
