Using Azure Key Vault for Active Directory workflows

STEP 1: Get the Privileged Action Gateway (PAG) VA ready

Set up a PAG cluster and add a new VA. Do not add an existing VA. Make sure the VA meets minimum hardware requirements such as:

  • LAB VA – 2 CPU/Proc and 8GB
  • Prod VA – 4 CPU/Proc and 16GB

If the VA is not adequately sized you may get errors like “invocation command expired”.

In your VA, if you do not have it configured for internal DNS, create a hosts.yaml file. In the file, add an IP address for the following:

  • Domain name
  • Domain FQDN
  • Domain controller name
  • Domain controller FQDN

STEP 2: Enable LDAPS in your domain

The AD workflow makes LDAPS queries to your DCs; that is the built-in operation. So when the AD card form asks for a port, do not put 389; it's asking for your LDAPS port. The default is 636, but there are some security-conscious organizations that use different ports for their network services from the publicly known ports.

If you do not have LDAPS in your domain, then:

  1. Set up a CA
  2. Issue a domain controller certificate for your DCs
  3. Open the ports on your DCs for LDAPS queries
  4. Verify LDAPS queries using the LDP tool from a remote server or workstation
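Added example, not from the original post: a small LDAPS sanity check in Python that does what the LDP step above does from a remote workstation, in scriptable form. It performs a TLS handshake against the DC on the LDAPS port (636 by default, or whatever your organization uses) and checks that the DC certificate lists the DC FQDN in its subjectAltName, which is what the PAG VA's LDAPS bind will verify. Host names, the CA file path and the sample certificate dictionary are constructed for illustration; the certificate-matching helpers run offline, while `check_ldaps` needs network access to a real DC.

```python
"""LDAPS reachability and certificate-name check (added example, constructed names)."""
import socket
import ssl
from typing import Dict, List, Optional


def cert_dns_names(cert: dict) -> List[str]:
    """Return the DNS names from a certificate dict in ssl.getpeercert() format."""
    return [value for kind, value in cert.get("subjectAltName", ()) if kind == "DNS"]


def name_matches(pattern: str, hostname: str) -> bool:
    """Case-insensitive match; a leading '*.' wildcard covers exactly one label."""
    pattern, hostname = pattern.lower(), hostname.lower()
    if pattern.startswith("*."):
        head, _, tail = hostname.partition(".")
        return bool(head) and tail == pattern[2:]
    return pattern == hostname


def cert_covers_host(cert: dict, dc_fqdn: str) -> bool:
    """True if any SAN DNS entry in the DC certificate matches the DC FQDN we bind to."""
    return any(name_matches(name, dc_fqdn) for name in cert_dns_names(cert))


def check_ldaps(dc_fqdn: str, port: int = 636, ca_file: Optional[str] = None,
                timeout: float = 5.0) -> Dict[str, object]:
    """Handshake with the DC on its LDAPS port and report what the client saw.

    ca_file should point at the CA that issued the DC certificate (step 1 above);
    with the default context an untrusted issuer raises ssl.SSLCertVerificationError,
    which is the same failure the PAG VA would hit when binding over LDAPS.
    """
    ctx = ssl.create_default_context(cafile=ca_file)
    with socket.create_connection((dc_fqdn, port), timeout=timeout) as raw:
        # server_hostname drives SNI and hostname verification against the cert.
        with ctx.wrap_socket(raw, server_hostname=dc_fqdn) as tls:
            cert = tls.getpeercert()
            return {
                "tls_version": tls.version(),
                "san_dns_names": cert_dns_names(cert),
                "covers_host": cert_covers_host(cert, dc_fqdn),
            }


# Constructed sample in the shape ssl.getpeercert() returns, for offline use of the helpers.
SAMPLE_DC_CERT = {
    "subject": ((("commonName", "dc01.corp.example"),),),
    "subjectAltName": (("DNS", "dc01.corp.example"), ("DNS", "corp.example")),
}


if __name__ == "__main__":
    # Offline demonstration of the matching logic on the constructed certificate.
    print(cert_dns_names(SAMPLE_DC_CERT))
    print(cert_covers_host(SAMPLE_DC_CERT, "DC01.corp.example"))
    # Live check (constructed host name; replace with your DC and LDAPS port):
    # print(check_ldaps("dc01.corp.example", 636, ca_file="/path/to/corp-root-ca.pem"))
```

If the live check raises a certificate verification error, the DC certificate chain is not trusted by the client; if it connects but `covers_host` is false, the certificate was issued without the DC FQDN in its SAN, and the LDAPS bind from the VA will fail the same way even though the port is open.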

STEP 3: Set up the Azure Vault secrets

Create an AD account that will be used by the workflow; name it “sailpointADwfw” for the username. We will store the phrase before the “@” sign of the UPN in a secret in the Vault. The UPN is important; make it [email protected] (for example). I would advise avoiding special characters in the password; use a passphrase with numbers, lowercase and uppercase. There may be issues with “@” or “/” characters.

Give the account rights in AD to manage OUs, users and groups.

Go to Azure and create secrets for the AD account password and username.

  1. Search for Key Vault
  2. Create a Vault; call it “ISCVault”
  3. In the Vault created, go to Objects/Secrets
  4. Create a Secret called “sailpointADwfw”. Put sailpointADwfw as the secret value
  5. Create a Secret called “sailpointADwfwpwd”. Put the password of sailpointADwfw as the secret value

STEP 4: Create an Entra App registration for secret retrieval

Go to entra.microsoft.com and:

  1. In the side menu go to Applications / App registrations
  2. Create an App reg called “ISCWorkflow”
  3. Go to API permissions and give Delegated access to Azure Key Vault / user_impersonation (Have full access to the Azure Key Vault service)
  4. Go to Certificates and Secrets, create a secret called ISCVASecret, and give it a 2-year expiration. Store the secret info somewhere before you click OK.
  5. Go to the overview of the app reg and store the application ID (client ID).

Go to the ISCVault

Click Access, and give the ISCWorkflow App reg the following roles: Key Vault Administrator, Key Vault Reader, Key Vault Secrets User.

STEP 5: Create the Credential Provider

Log into ISC

  • Click Admin/Connections/Credential Providers
  • Click Create new
  • Select Azure Key Vault
  • Name: Entravault
  • Description: EntraVault
  • Owner: Myself
  • VA Cluster: Your regular cluster (Not PAG)

Click Connection settings, enter

STEP 6: Setup the workflow

Create a Workflow with 3 cards:

  • Scheduled Trigger
  • Active Directory
  • End step success

For the Active Directory card enter:

  • The PAG Cluster you created
  • Choose a command
  • Enter the domain controller name. Make sure it is resolvable on the PAG VA.
  • Enter the LDAPS port
  • Enter the domain FQDN. Make sure it is resolvable on the PAG VA.
  • Authentication username: LDAPS bind works well with the UPN name, not the sAMAccountName. But the “@” sign in the UPN will cause issues with the ISC retrieval; that is why we stored just the phrase or name before the UPN “@” sign in the vault. We will retrieve that value and append the rest of the UPN to it as a suffix, e.g. “@myupndomain.net”. So it would look like this:

secrets://EntraVault/https%3A%2F%2FISCVault.vault.azure.net%2Fsecrets%2FsailpointADwfw/value?suffix=%40myupndomain.net

  • Authentication Password:

secrets://EntraVault/https%3A%2F%2FISCVault.vault.azure.net%2Fsecrets%2FsailpointADwfwpwd/value
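Added example, not part of the original post: a Python helper that builds and parses the two `secrets://` references shown above, so you can see exactly how the Key Vault secret URL is percent-encoded into a single path segment (`https%3A%2F%2F…`), how the `@` of the UPN suffix becomes `%40`, and how the stored value and the suffix are reassembled into the bind username. The reference layout is taken from the two strings in the post; the Key Vault URL form `https://<vault>.vault.azure.net/secrets/<secret>` is the standard secret identifier. The in-memory `FAKE_VAULT` stands in for Key Vault and holds constructed values only.

```python
"""Build, parse and resolve ISC secrets:// references for an Azure Key Vault provider
(added example; FAKE_VAULT is a constructed stand-in for the real vault)."""
from typing import Dict, Optional
from urllib.parse import parse_qs, quote, unquote, urlsplit


def key_vault_secret_url(vault_name: str, secret_name: str) -> str:
    """Standard Key Vault secret identifier (no version segment = latest version)."""
    return f"https://{vault_name}.vault.azure.net/secrets/{secret_name}"


def build_secret_reference(provider: str, vault_name: str, secret_name: str,
                           suffix: Optional[str] = None) -> str:
    """Compose secrets://<provider>/<encoded secret URL>/value[?suffix=<encoded>]."""
    # safe="" also encodes ':' and '/', so the whole vault URL is one path segment.
    encoded_url = quote(key_vault_secret_url(vault_name, secret_name), safe="")
    ref = f"secrets://{provider}/{encoded_url}/value"
    if suffix:
        # '@' must travel as %40 so the query value survives intact.
        ref += "?suffix=" + quote(suffix, safe="")
    return ref


def parse_secret_reference(ref: str) -> Dict[str, Optional[str]]:
    """Split a reference back into provider, vault, secret name and optional suffix."""
    parts = urlsplit(ref)
    if parts.scheme != "secrets" or not parts.netloc:
        raise ValueError("expected secrets://<provider>/... reference")
    encoded_url, sep, tail = parts.path.lstrip("/").rpartition("/")
    if not sep or tail != "value":
        raise ValueError("reference must end in /value")
    vault_url = urlsplit(unquote(encoded_url))
    if vault_url.scheme != "https" or not vault_url.netloc.endswith(".vault.azure.net"):
        raise ValueError("encoded URL is not an Azure Key Vault secret URL")
    path_parts = vault_url.path.strip("/").split("/")
    if len(path_parts) < 2 or path_parts[0] != "secrets":
        raise ValueError("vault URL must be /secrets/<name>[/<version>]")
    suffix_values = parse_qs(parts.query).get("suffix", [])
    return {
        "provider": parts.netloc,
        "vault": vault_url.netloc.split(".")[0],
        "secret": path_parts[1],
        "suffix": suffix_values[0] if suffix_values else None,
    }


# Constructed stand-in for Key Vault; the password is a placeholder, not a real value.
FAKE_VAULT = {
    "sailpointADwfw": "sailpointADwfw",
    "sailpointADwfwpwd": "<constructed-placeholder-passphrase>",
}


def resolve_reference(ref: str, vault: Dict[str, str]) -> str:
    """Look the secret up (here in the fake vault) and append the suffix, as ISC does."""
    parsed = parse_secret_reference(ref)
    value = vault[parsed["secret"]]
    if "@" in value:
        # The post stores only the part before '@' for this reason.
        raise ValueError("stored value contains '@'; store only the UPN prefix")
    return value + (parsed["suffix"] or "")


USERNAME_REF = build_secret_reference("EntraVault", "ISCVault", "sailpointADwfw", "@myupndomain.net")
PASSWORD_REF = build_secret_reference("EntraVault", "ISCVault", "sailpointADwfwpwd")

if __name__ == "__main__":
    print(USERNAME_REF)
    print(PASSWORD_REF)
    print(resolve_reference(USERNAME_REF, FAKE_VAULT))  # prefix + suffix = bind UPN
```

`build_secret_reference` reproduces the two strings from the post character for character, and `parse_secret_reference` is a convenient way to check a hand-typed reference before saving the workflow: a missing `/value`, a stray unencoded `/` in the vault URL, or an unencoded `@` in the suffix all show up as a parse error or a wrong field instead of a failed bind at run time.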

STEP 7: Test the workflow

Test the workflow to validate it.

If you get “invocation command expired”, the timeout is on your VA, and I would suggest you beef up your VA resources.

Thanks for sharing this detailed walkthrough @ugochuik!

This is an excellent reference for setting up Azure Key Vault integration with AD workflows in SailPoint ISC, especially with real-world context like LDAPS configuration and credential retrieval logic. :clap:

Overall, this is a top-notch resource and fills a gap for many trying to leverage PAG + Vault-based credentials in ISC workflows. Looking forward to more of your posts!

Hello @ugochuik

That’s definitely a process I was looking for; thanks for sharing such a detailed explanation on how to set up the Azure Key Vault within the workflows. I like how you stepped through every process and went over every single detail.

My two cents: I believe your article is geared towards a learning experience, so set your post as a blog draft; that way you can get 400 points. Keep sharing insightful prompts!

Thanks @eberteo @TheOneAMSheriff
I would like the 400 points for blog submission, but there is so much more extra stuff that is required to qualify for a blog :grinning_face:
I am glad it is useful to many; that's my goal, to fill the knowledge gaps and share.
I am working on 2 other topics which I have not found clear direction on and I will share when I am ready.