Creating Password Rotation in Azure via Azure CLI

To automate user password rotation in Azure using the Azure CLI, follow the steps below.

1. Necessary Requirements

Before proceeding, make sure the following requirements are met:

  • Unix/Linux device configured.

  • Azure CLI installation on the Linux device.

  • Tenant ID, Client ID and Secret ID of an Enterprise Application (service principal) that holds the “Password Administrator” role.

2. Creating the Enterprise Application in Azure

To correctly configure the Azure Enterprise Application, follow the guide below and adjust it to the organization’s needs.

Note: Other security configurations may be required according to the organization’s policies.

3. Configuration in Senhasegura

  1. Create a Linux Device in senhasegura.

  2. Clone Azure Credentials to the new Linux device.

  • Configure the relationship between parent and child credentials in the system.

4. Creating the Password Change Template

Now, configure the password change template:


set-new-line-mode unix
set-read-timeout 45
set-connect-timeout 30
set-ssh-version 2

# Define English as the default language
expect-regex "/[$|#|>]/"
exec "export LC_ALL=C"

# Ensure no account is connected
expect-regex "/[$|#|>]/"
exec "az logout"

# Connect to Azure AD as the service principal
expect-regex "/[$|#|>]/"
exec "az login --service-principal --allow-no-subscriptions --username 'CLIENT_ID' --password 'SECRET_ID' --tenant 'TENANT_ID'"

# Change the user password
expect-regex "/[$|#|>]/"
exec "az ad user update --id '[#USERNAME#]' --password '[#NEW_PASSWORD#]' --force-change-password-next-sign-in false --verbose"

# Ensure the password change succeeded (HTTP status 204)
expect "*Response status: 204*"

Replace the following values in the script:

  • CLIENT_ID: Enterprise Application Identifier.

  • SECRET_ID: Secret password generated for authentication in Azure.

  • TENANT_ID: Tenant ID in Azure.

  • [#USERNAME#] and [#NEW_PASSWORD#] are filled in dynamically by senhasegura at execution time and must be left unchanged.
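The following POSIX shell script is an added example, not code from the original page or from senhasegura. It reproduces the template's command sequence as plain shell functions so the same logic can be exercised from the Linux device before the template is saved, and it also covers the validation step: one function checks that the three service-principal placeholders were replaced while the two senhasegura tokens were kept, another checks a captured az output for the "Response status: 204" line the template's final expect step relies on, and the last runs the rotation itself. The environment variable names AZ_CLIENT_ID, AZ_CLIENT_SECRET and AZ_TENANT_ID are assumptions chosen for this example.

```shell
#!/bin/sh
# Added example; assumes the Azure CLI is installed and that the service
# principal values are supplied through the (hypothetical) environment
# variables AZ_CLIENT_ID, AZ_CLIENT_SECRET and AZ_TENANT_ID.

# Inspect a template text: every service-principal placeholder must be gone
# and both senhasegura tokens must still be present. Returns 0 when the
# template is ready, 1 otherwise, printing each problem found.
check_template() {
  tpl="$1"
  ok=0
  for ph in CLIENT_ID SECRET_ID TENANT_ID; do
    case "$tpl" in
      *"'$ph'"*) echo "placeholder $ph not replaced"; ok=1 ;;
    esac
  done
  for tok in '[#USERNAME#]' '[#NEW_PASSWORD#]'; do
    case "$tpl" in
      *"$tok"*) ;;
      *) echo "token $tok missing (senhasegura fills it at run time)"; ok=1 ;;
    esac
  done
  return $ok
}

# Return 0 only when captured az output contains the HTTP 204 line that the
# template's final expect step looks for.
rotation_succeeded() {
  case "$1" in
    *"Response status: 204"*) return 0 ;;
    *) return 1 ;;
  esac
}

# Run the same sequence as the template: clear any session, sign in as the
# service principal, update the user password, sign out again and report
# success only when the update returned HTTP 204.
rotate_user_password() {
  user="$1"
  newpass="$2"
  export LC_ALL=C
  az logout >/dev/null 2>&1 || true          # no active session is not an error
  az login --service-principal --allow-no-subscriptions \
     --username "$AZ_CLIENT_ID" --password "$AZ_CLIENT_SECRET" \
     --tenant "$AZ_TENANT_ID" >/dev/null || return 1
  out=$(az ad user update --id "$user" --password "$newpass" \
          --force-change-password-next-sign-in false --verbose 2>&1)
  rc=$?
  az logout >/dev/null 2>&1 || true          # do not leave the SP session behind
  [ "$rc" -eq 0 ] && rotation_succeeded "$out"
}

# Example usage (requires a real Azure tenant):
#   rotate_user_password 'user@example.com' "$NEW_PASSWORD" && echo rotated
```

Running check_template over the saved template text before linking it to a credential catches the most common mistake, a placeholder left in place, without contacting Azure; rotation_succeeded makes the 204 check explicit so a successful login followed by a failed update is not reported as a completed rotation.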

5. Configuring Password Rotation Execution

  • Configure the automatic execution of password rotation by senhasegura, linking the template above to the correct credential.

  • Make sure that senhasegura can reach the configured Linux device.

6. Validation

After implementation, run a test to confirm that password rotation occurs correctly.

Conclusion

With this configuration, the rotation of Azure user passwords through the Azure CLI is automated, supporting compliant and secure access.