Hello, and welcome to this video. This video is called Safeguard for Managing Accounts to Single Sign-on. My name is Holger Wellne. I'm working as a pre-sales engineer at One Identity. And I'm going to guide you through this video.
This is the agenda of today. We're going to have a look on the big picture, then we're going to dive a little bit more into the details for Safeguard and Entra ID and Azure. We're going to have a look on the prerequisites we're going to need, we're going to do some setup and configuration, and we will conduct some kind of function testing. Furthermore, we're going to have a look on SCIM provisioning. And on the end of this video, we're going to configure Safeguard to include Azure as an asset.
So this is the big picture. On the left-hand side of that screen, we're going to have Entra ID or Azure Active Directory. In the center of the screen, you're going to see the Safeguard for Privileged Passwords appliance. And on the right-hand side, we're going to have an accessing user.
So users usually access the Safeguard for Privileged Passwords for authentication or to request stuff. Safeguard for Privileged Passwords will then relay that request to the Azure Directory or to Entra ID for authentication via federation. And in the end of the video, we're going to see how to configure Azure to send data down to Safeguard for Privileged Passwords using the SCIM protocol. So let's start.
So the first thing we need is something that we can play around with, so we need an SPP appliance. And the other thing we need is an Azure tenant, and we're going to make use of the One Identity Starling offering to put all things together. OK. So let's have a look on first things first.
So what do you need? You need some kind of Safeguard appliance. Where do you get the Safeguard appliance? Please contact One Identity to get one. Or if you're a partner, you can, of course, use the demo environment that we provide for you. You just need some kind of appliance.
That is one thing, and the other thing is an Azure tenant, of course. And the Azure tenant is something you could request as well for free. So if you just point your browser to demos.microsoft. And if you sign in with your Microsoft account.
And of course, I have to pass MFA. Now you can see that here is something called Experience or My Environments where you can request your Azure tenant. So let's have a look in My Environments. You see I have already created a demo tenant for this configuration.
And of course, you can just create additional tenants if you want. Just click on the blue one here, Create Tenant. It's pretty easy. It just takes a couple of minutes, then the tenant will be provisioned for you, and then you can play around with that.
The tenant name is auto configured. It is generated, so you cannot change it. So OK, that is the price to pay. But for this, it is just available for free for maybe 30 days, 90 days, or even a year. So just play around with it, no problem. And then just keep this one here because I just need access to my credentials because you see there are a couple of users already provisioned. And there's an admin user, and so on, and so on.
OK. The other one that we're going to use is Starling. So if we want to go to something like cloud.oneidentity.com. You're going to see the Starling page, and of course, you need to sign in to Starling. For this, you need an account. If you don't have an account, please feel free to create one. Nothing special-- pretty quick.
And once then you sign in to Starling, I use the Geo of the United States for this demo, but you can use a different as well. And after being logged in, you're going to see that I have subscribed to three services at the moment. So out of that, let's crack on at what to configure.
So the first thing we need is about our Safeguard for Privileged Passwords. Safeguard for Privileged Passwords is our Safeguard appliance for password management. And now you just log in with some administrative user you have created in the appliance. Mine is called splocaladmin. And here, you're going to see that that's the standard admin view of the appliance.
And here, you see that I have just a couple of users. It's just two. It's the admin and of course, the built-in bootstrap admin. The built-in bootstrap admin usually needs to be deactivated so that nobody else can use it because the password of it is well known or you simply just rename it or whatever you want or create your own standard administrator that you secure according to your needs.
OK. So anything else that we have configured here? Nothing special so far. So let's start with the Starling integration of that appliance. That is one of the prereqs for making this work. So go to appliance management, go to external integration, and select Starling.
And you see by default it is not joined to Starling. And to be joined to Starling, you just click on that button. But to make this possible, you need a Starling subscription, and that is the thing that we created earlier.
So the first thing, join to Starling. Here, you see there's a couple of things you have just to acknowledge. Click on Allow. And now you see you are now joined to Starling, which means that the Starling instance in the cloud knows this appliance.
So if you maybe have a look on your Starling appliance or on your Starling tenant, and you just go to this little symbol over there, and you try to click on Joined Products, you're going to see in my case, I have two. But in your case, it would be only one because yours is something like spp-something with some kind of timestamp at the end.
And this one is just my Safeguard on Demand instance that you have seen that I have subscribed to this service as well. But we don't play around with that one. We just use this appliance. And you can have lots of appliances joined to your Starling tenant. It's up to you.
OK. So see this? No problem. So the thing what we need is the realm. The realm is just the definition for what this is responsible for. So the Starling will be used as an identity and authentication provider.
And you just need to specify the realm, which is usually your domain name or the things that is your email identification, whatever. Because if you just look into my demo tenant. You see this is my realm. And I simply copy that, go back to my appliance, put it into Safeguard realm here. Paste here.
And if you just want to make sure that you will always get some kind of page where you log into Starling and something like that, maybe just let's set it here to the default, which requires users to always authenticate. That is the default setting. If you just remove this later on, you will implement single sign-on because this will just-- and as I said here, the users will all be required to enter the credentials on the external provider.
So this will definitely block single sign-on. But just to make sure that it works in the way as expected, maybe just for the first go, just leave it in. And then we're going to talk about that later on just remove that. So once this is done, simply click on Save.
OK. Now you have an appliance, you have joined that appliance to Starling. So what next? The next thing we need is some kind of registration in Starling as well. So we just need to go in our Starling tenant. So we have just joined the appliance.
The next thing we want to do is we want to register the directory. The registering of the directory makes, in this case, your Azure tenant known to Starling so it knows how to communicate with it. So if you click on Manage, you see there are no directory registered by default. What a surprise.
So click on Register Directory, and you can now select the directory. In this case, it's Azure. And here, you have something to provide. That is the display name and the directory tenant. So what is the display name? That is something like whatever. Maybe I just have it still in the copy and paste channel.
We can simply go to here and just make this one here. Copy it here, go to here, paste it here. So simply, we don't want admin. And then we just need the so-called ID of your directory tenant. I think that's not displayed here. You cannot see this, so you just have to request it.
And to do this, maybe we simply go to some kind of different browser just to separate our identities. And now if we go to portal.azure.com and we log in with some kind of other account-- and the other account in this case should be our admin. So it should be this one here, Copy. That seems to be that I have running multiple layers here in my Windows.
Paste here. In this case, it's admin. Go to next. And now I just want to get the password. The password is here. And hopefully, I can just enter this here. And sign in with that.
OK. Now we have our Azure portal for our demo tenant. And here is the Azure Active Directory. So you simply click on that symbol. And now here you find the tenant ID. So copy that tenant ID. Go up to the one that's in Starling here and paste the ID here. Paste.
And now you need to give consent. So you need to give approval that everything is OK. For this, you need to have some kind of administrative account in your Azure tenant. So we just simply click here on use different account. And now we of course need the other one. So we just have to go back to our tenant. So again, we are using our admin.
Click the admin. Go to next. Enter the password. Paste the password and sign in. OK. Now you see there is this One Identity Starling Directory Proxy application being registered in your tenant. And it just requests some kind of permissions. It is just read and read. This is sign in and read, read all groups, read profiles-- so nothing special. Click on Accept. And now you have registered your directory.
OK. So the next thing we need to do is to register your application. The first thing here is manage an application. And the application is something that is available in Safeguard. So if you go back to our SPP, and we go to Safeguard Access, to Identity and Authentication, we can download federation metadata.
If you just download that, and then you go back to the Starling page, go to Add Application, add SAML application and select the file you have just downloaded before. Open it, create it, and create the application with that button.
OK. So what have you done? We have registered an application in Starling. The application points to metadata in Safeguard. Safeguard is running in the cloud and registered to Starling. And Starling has the directory which is your Azure tenant registered as well. So hopefully, it knows all that is required to make life easier for you. So let's try and see what's now possible.
So let's go back to our One Identity Safeguard for Privileged Passwords. And as you see, we have something like here, like user management. Of course, users. Users are identities that are allowed to log into Safeguard. And here, you have pretty much nothing. You see? Nothing, just the two of us here, the local admin and the admin.
So let's define a user group because we know that if we look into our tenant here, we have of course groups of users. You see? Lots of groups, like all company or all users. And of course, you have the appropriate single users, of course. And maybe click here.
And you're going to see that all these users are pre-configured in your tenant when you are requesting this demo tenant. OK. So what is easier, then? To go to the SPP and register the user group in Safeguard so that Safeguard can reach out via the Starling infrastructure to your Azure tenant and pull in all the information.
So let's see if that works. So click on plus to create a new user group. This is a directory user group because Azure is nothing else different as a directory. In this case, it is select here as Starling because you will utilize the Starling infrastructure. And here, you can give a search pattern for something you want to look for as the group name.
So in this case, we simply look for all. Click on Search. Here we go. And you see we have this all users. And now we can click on OK. And now you go for authentication. Authentication is how to authenticate for this user to try to log into Safeguard.
So this will be handled by Starling as well. So there's nothing else to select here because you have nothing else configured. And of course, you can use other authentication providers such as Active Directory or Azure itself as well. But you don't need that.
And here with the permissions is just the thing what do you want to give these users as their standard permissions? By default, a standard user requesting something in Safeguard does not need any of these permissions because these are appliance management permissions. Anything else what talks about what are you allowed to request, what are you allowed or able to see-- that lies in the security configuration of Safeguard that has nothing to do with these permissions here. Only one thing that might be handy is this personal password vault for instance.
OK. Or if you have a special group, it should get dedicated appliance permissions like a partition manager or an asset owner or whatever. Then you could maybe give them here permissions if that is required. By default, usually this is not required.
OK. And then simply click on OK. That may take a second again. I can just close this window. And now, if you go back to Users-- well, nothing has changed. But you know secret of Safeguard. ABR-- Always Be Refreshing. So just a click of the Refresh button, and you're going to see that Safeguard in the meantime has brought all the users from Azure into its configuration.
Isn't that cool? It is, indeed. The only thing what we need now to test is that really working? So let's just simply log out and maybe just grab some kind of user, maybe Emily B, whatever you want. So run out, log out here. And now choose the authentication provider as the external federation.
Go back to your tenant. Look for Emily. Here's Emily Brown. Copy that. Go to Starling. That's not the right one. This one here is the OneLogin one. So select External Federation. Paste Emily. Go back, get the password of it here.
Go back, log on. And now you see that you will be rerouted or redirected to Starling. And here, you need to log in as the Emily user again. So copy too early. So get back where Emily is. Copy the name again. Send it in here.
Please re-authenticate here, you see-- this re-authenticate. And now it asks you for the password. This comes from Azure. So again, get the password for all these users. Here's the user password. Sign into that account and paste it in here and sign in.
And now let's ask a couple of permissions because now it is some kind of registration. It will now register this second application that will be used to read in your Azure tenant, except that. Yes. And you see? Rerouted, authenticated in Starling. Rerouted to Azure, authenticated to Azure, and logged in to Safeguard. And this is single sign-on.
How does it work? You see in our SPP that we have just configured-- I just have to close that. OK. So here, you cannot see that because it is just a standard user. So if I just log out and log in with my local user again, you see that my security policy management has nothing to do with that. It is appliance management. It is external integration. It is Starling.
OK. It was already authenticated. So if I just clear this and save that, because we had several accounts to use this Emily user, and we were getting it right, we get the cookie already. But we didn't know that. So that was the reason why it was sent through directly. And on the other hand, that's all we need.
So if we now log out, and of course clear our-- oops, come on. Clear our browser completely. And simply relaunch it again. And now we click onto SPP. And now we use a user that we have never used before. Again, external federation.
Then we're going to go for-- how is it called? Alan Deyoung, how about that? Copy this. Paste it here. OK. And now it is just rerouted to Starling, my Alan Deyoung user. Copy the username.
Here is my username. Here is my Alan D. And now request the password because it has never been authenticated before-- no stored cookie, nothing, whatever, or ticket. So again, get the password. Get back to this one here.
And now external federation. Copy it here and log in and you're in. And that's the way we want to achieve. So straightforward, very easy.
So about SCIM-- if you look it up in the internet, it's a short abbreviation for System for Cross-domain Identity Management. So yeah, let's see how this works in Safeguard. For this, I'm going to log into my Safeguard instance in the cloud provided by Safeguard on Demand. So I'm already logged into my Starling tenant. And here is my Safeguard on Demand.
This looks pretty much familiar. And now I simply log in to my Safeguard for Privileged Passwords appliance. So I just use a local account. This is my standard administrator account for this one. And I have to provide the password. And because it's provided by an internet service, I just have secured the FIDO key. So I have to pass this MFA, too. And now you see the standard thing here.
So where to configure SCIM provisioning in Safeguard? This is done under the appliance management in Safeguard access, in Identity and Authentication. So here you're going to see, if you click on the Add sign, there is something called SCIM. So let's go for that.
OK. There is a name, authentication, and permissions. We're going to crack on with that in the details in a little bit later, but first of all, let's have a look into our Azure tenant we want to use as the provisioning source. OK. So let us just move it here.
And oops, let's go down to my Azure tenant. This is just the information for my Azure tenant I might use. Just move it over there to have it ready for copy. I just usually use the admin account for this demo. And of course, we need a new browser. Good.
So now I go to my tenant. So this is portal.azure.com. And I sign in with my account for the admin. And I provide the password. Here we go. And I'm going to stay in that tenant.
So what we need to make this happen is we need an app. We just will create our own enterprise app. And just click on New Application. We will create our own application. We just give it a name. Something maybe like this one. And simply click on Create.
And here is our application. The thing we need is that we may want to assign users and groups to it. That will be the identities that are going to be provisioned. I have already created a couple of users here. They are all named SCIM. You see? There are three users-- SCIM user 1, 2, 3.
And I have created a group as well which is called SCIM Users. Whatever, this is just my naming convention for this demo. Choose whatever you want. And of course, the SCIM users are members of this group.
OK. And I'm going to provision the complete group. So I will not provision per identity. I will just provision the complete group members here via provisioning the group itself. OK. So what we now have to do now here is about going back to our enterprise application.
Click on that provisioning stuff here and assign users and groups. And here, you can just add the group. That is the users. And here is our SCIM users group, so simply select that and assign it. OK-- very easy basic things.
The next thing we want to do is about provisioning. And here is provisioning in your enterprise app. If you click on that, you want to manage the provisioning. So provisioning mode can be either manual or it can be automatic. And in automatic, you need a tenant URL and you need a secret token.
And that is the information you get from Safeguard. So if you go back to your Safeguard for Privileged Passwords, click on this one here and give it a name. Maybe we just give this-- maybe the name of the tenant. This is just my convention. You can name it anything you want just to identify it.
Wonderful. OK. And now click on Apply. And now you're going to see the tenant URL. Copy it here, put it this way. And now you generate a new token. Here's your token. Copy it and paste it here.
And for this one, on authentication, you simply can set the identity provider for the newly provided identities. Maybe there's nothing here because we only have local in this case. But you could maybe define something that points to Azure.
And here, you have the usual permissions you want to assign to your provisioned identities or users in this case from Safeguard's point of view. Maybe you just give it this one here. OK. So just save that. And now you can click the Test Connection button.
And now we see connection was successful. So far, so good. So what to do next? Save your provider here in Azure. And then click on the overview or just simply close that. And if you click on Provisioning again, now you see a couple of things here as well. You have start provisioning and restart provisioning or edit the provisioning things that you have entered before.
You can, of course, view the provisioning details. And if you are running these provisioning in automatic mode, it will reprovision or start to refresh your provisions every 40 minutes. This is fixed. It cannot be changed-- at least I have not found a way to change it. So simply, if you just click on Start Provisioning, it will instantly start it.
And then we're going to see what's happening on the Safeguard side of things. So here, if you are clicking to Users and see what users we have, it is just our standard users that we have defined here, so nothing in. And here, we simply now click on Start Provisioning.
OK. So you see, it is just running. And here, you can just go for the provisioning logs. And you see there is a refresh here on the Safeguard side that some items have been modified. How easy is that? So click on Refresh, and you see now you have your users coming in here from Azure. Here they are. SCIM, SCIM, SCIM-- you simply can search for them.
And you see here is the user-- SCIM user 1, SCIM user 2, SCIM user 3, as defined. If we have a look here on the details, you're going to see authentication is local and permissions is the standard user. And of course, the personal password vault you have selected when you set up the provisioning cycle.
OK. And if you want to check on the Azure side of things-- if you just have your application ready, just look into the provisioning again, maybe after some time. So here's the provisioning. And you may see something like this. So it says, OK. It has already provisioned three users in one group. That's exactly the thing that we see on the Safeguard side.
And if you want to have the provisioning details, here is the appropriate timestamp. Then that was the timestamp of the last provisioning cycle. And if you want to have a look into the provision logs, you're going to see that there is something displayed here.
So this is an update, and we have created something like a group and some kind of-- here's the user, user, user, user, and so on. So it is all logged here as well. So you can check it on the Safeguard side of things and on the Azure side of things, just to bring all things together. Wasn't that easy? It was, indeed-- so straightforward, very easy.
So the first thing we're going to need is our Azure tenant. So let's go to our Azure tenant. And I'm already logged in to my Azure tenant. And the first thing we're going to create now is an app registration. So click on App Registration because we're going to need this later for the Starling Connect service.
OK. That is the app registration. So click on New Registration and just give it a name. Maybe I'll just call it Azure as an asset. And the application access for the API is just for the single tenant variant.
And the redirect URI is that we have a web application, and we have a couple of stuff to enter here. The usual stuff we're going to use is something like this. That is the URL that points to your SPP. And simply click on Register.
Now go back to redirect URLs again. And add the different and a second URI. And this one is the thing you're going to need later for giving consent. And the URL is documented in the manual. The manual is about setting up the connector for Azure.
OK. In this case, simply save. Maybe we just have to configure a couple of other things. So the first thing, we just select is ID tokens. Account is single tenant. And the other ones are already set as required, so I'm going to save that.
OK. So we have now an app registration. With that registration, we're going to build something that is called a connector. And the connector now goes to the Starling Connect platform in our Starling service. But not that fast. So we have to do a little bit more configuration on this app, so the next thing we need is the API permissions. And the API permissions will just define what permissions in Azure this application may have.
OK. So add a permission. Click on Graph. And now you have the delegated permission and application permissions. That will be the same permissions we need for delegated and application permissions. And the appropriate permissions we need are-- the first one is the directory. So search for directory. Here it is.
And click on Directory Read Write All. Next one is on group. That is group read write all. And the last one is on the user. And the user is user read write all, manage identities all, and deselect user read because user read write all will have that permission as well.
OK. That was one for the delegated permission. Now click on the application permissions and select the same permissions. So again, Directory, Directory Read Write All, Group, Group Read Write All, and User, User Read Write All, and User Manage Identities All. Add these permissions.
Now you need to grant admin consent. So simply click on Grant Admin Consent and click on Yes. And now everything is laid out in the right way. So that is our app registered and configured in Azure. There's still one thing, but I'm going to delay that for later because you may see then why we need that.
OK. So let's just go out from here. And now go back to Starling. And if you go to Starling, you will see the so-called Starling Connect. So maybe just go back to the main page here. So you need to subscribe to the Starling Connect service. If you have not already done so, simply go down to Services and click on the Trial button on connect.
OK. Here's the Connect service. And because we are playing with Azure, we now will set up a connector to Azure. So let's just go for here and look for the Azure one. Here it is. And now give it a name. Maybe I'll just give it the name of my directory tenant. That is usually this one here. I just use this one here.
And this is my connector. Timeout is OK. We have a single tenant, and now we have something that is the client ID, client secret, and the directory ID. Where to get this from? It is in our Azure configuration for that app. So go back to our app registration.
Select the application you have configured before. And now you see that there are client credentials. So we first have to add a secret. And now we just click on the client secret, which is pretty much the password of the application.
Let me click on Add. And now you see here something that is called value. And this is the only time it will be displayed in this accessible to you. So simply copy that and save it maybe to an editor that you can have it handy for copy and paste. So this is the client secret. The client secret goes to here. The client ID you require is the app.
So if you just click on your app again, you're going to have the application client ID. That is the one we're looking for. So this is the client ID. And now you have to go for the directory ID. That is your tenant ID if you don't have it.
Just go to Home, Active Directory, and here is your tenant ID. Copy this as well. Go back and paste it here. OK. That's all you need. Click on Give Consent.
You now need to use your tenant or your Azure tenant administrative ID. Here's the admin. And give the password. OK. Now you see all the permissions you have configured before. And accept that.
OK. Successfully consent and now test the connection. Connection was successful, so save the connector. Save and close. And now you have configured a connector in Starling which points to your directory in the cloud-- in this case, to your Azure tenant.
So go back to your Safeguard SPP. And now go to Asset Management. Because this is based on a connector, click on Connect and Platform because we now need to link this connector to some kind of asset configuration in Safeguard, so the first thing we need to do is to register that connector here in SPP.
So click on Register Connector and create one. Something like this. Maybe the same one. That's the password. That is my registered connector here that comes from my tenant name I have created in connect. And that will be the display name that is shown inside Safeguard.
OK. So simply click on OK. It may take a second. And now you have created a connector which supports these appropriate functions. So test connection, check password, change password, check the API key, change the API key, discover accounts. And discover accounts-- this is the one we're looking for.
And of course, we're going to do some kind of password management once we have discovered our accounts in Azure. OK-- so pretty straightforward. And now we have this registered connector. The next thing we need is our asset, so click on the asset. Click on Plus to create one. And let me just give it the same name. Something like that.
Click on the connection, and now the platform needs to be Azure because you have an Azure platform definition already in Safeguard. This Azure. Now this is the registered connector you have to select. That's the one you just have registered before. And the authentication type is on Starling.
And now you can test the connection, and it will not work. It says you have not the right or not enough permissions assigned to that application in Azure. It requires at least helpdesk administrator. OK. How to do this in your tenant?
So go back to your tenant, and now go for the home page and go to the Azure Active Directory and click on Roles and Administrators. Look for the helpdesk administrator role. Here is the administrator, and click on that. And now click on Add Assignments. And now you need to assign the service principal of your application.
How to get this? This is simply the ID of the application, or you can just simply search for this ID. If you don't know it, simply use for the name. So maybe just look for this one. And you see there is Azure as an asset somewhere here, as an enterprise app. And we're going to use this.
And simply click on that. And now you see the username, and it is the service principal. That's all you need. So you now have assigned this service principal to the helpdesk administrator role. Here you are. And you now can go back to your Safeguard. And now try again. So test the connection again.
And you see now it works. That's it. Click on OK. OK. You now have a connector for Azure. You have it registered. You have built an asset type on it, and you have successfully connected all things together. So the next thing we want to do is some kind of account management. So not user management, that's a different thing. It is account management.
And accounts-- how do you manage accounts in a directory? You discover accounts. To discover accounts, you simply need an account discovery. I already have created one, so let's have a look into it. So the first thing we need is a general thing, some kind of information. And the important thing is the account discovery rule which defines what is the way how to look for accounts.
So here, we just look for a group member, and the group member here are defined here on the conditions. And we are looking for a group that is named Azure Accounts. So let's go back to our Azure tenant, and you're going to see that I have already created a group in my Azure, which is Azure Accounts.
Here is Azure Accounts. And of course, Azure Accounts is a group, so it needs to have a couple of members. And the members of this are certain accounts. So I just have created three accounts of it-- Azure account 1, 2, 3 that are my accounts which are assigned to that group. And I will look up that group via the connector in SPP.
Sounds complicated? No, it is not. It's pretty easy. So let's go back to our discovery job, and you see that's the discovery job. And maybe you just click on Automatically Manage Discovered Account or whatever. Enable stuff here or disable stuff as you may require. And once this is done, you simply can run it.
So go back here and now discover the accounts. And there is no asset assigned at the current moment. So if you just want to make it complete, go to Assets. So go back to the assets, and here is your Azure tenant and the appropriate associated asset of it. And simply click on Edit.
Go to Account Discovery. Click on the Edit button and assign it the account discovery task you have created before. And click on OK. Go back here. Go to discovery. Click on the Account Discovery tab. Click on here and run it. That is the asset. Select it and run it. That may take a second.
It says you may have seen that. It said, discovered three new accounts. And let's go down to our accounts. Of course, you can go to the Accounts tab here. Now you see you have three accounts. These are the accounts that have been detected or discovered. And you see they are already managed. That's the asset name. That's the name of the account, the discovery job name, and so on and so on.
OK. And with that, if you look here on accounts, you have them all now here in your list. And of course, what you do not know currently is the password, because you just have discovered the account. So just to be sure that the password is in line with your appropriate passwords in Safeguard. So select it and go to Account Secrets and change the password.
Now it's changing the password. Now all the passwords have been changed and successfully recorded in Safeguard as well so Safeguard knows the current password. If there are some failures here, this is usually caused by the account password rules that you have or have not configured in your partition profile. So for instance, if you look in your partition, I only have the default one here. But if you just view into the details where you have a password profile-- and you're going to edit this as well-- you have something here that is the account password rule.
This is the rule that dictates how the password is constructed. And if your password rule is not complex enough so that it generates weak passwords from the Azure's point of view, the password change will fail because the password will reject it. So here, maybe simply edit that if you don't have one. So if I just have the password rule here-- so maybe I'll just give it this time, this one here, or maybe whatever complexity you require.
And of course, you can simply test the rule here. So I have already configured this rule here before. And it will generate passwords of that kind because I just have simply modified the default rule. You should, of course, define your own rule and assign it.
OK. So with all that, of course you now have the appropriate accounts available. So if you just want to test it, what do you do? The usual thing-- you create an access request policy and an entitlement. So if you just want to see what the current password is, of course, you now go to Security Policy Management. You create an entitlement. Maybe this is just Azure passwords.
This is just for testing. Save. The access request policy is a password request. Of course, we want to change it after we have displayed it. Now we have the scope. So in this case, we just may even use an account group or accounts in this case. And we simply use our three accounts.
Now, the requester is standard one. I will just use the defaults and assign my user to it. I use this one here. So I use my administrator account, assign that to the entitlement, and now I do a request. And of course, I just want to have all the three of them. Submit. Standard thing, nothing changed-- it is an asset as any other asset as well.
Now here we are. So let's check what the password is. View the password. Here is the password. View the password. Here's the password. And again, view the password. So it's pretty complex. It's pretty long, and it is in line with the password policy in my Azure tenant.
So if you simply check it in, password will be changed-- the usual stuff, nothing special. So you see it's straightforward, very easy. Thanks for watching.