Question

Can I manage the user that is user by Adaxes to connect to Active Directory with Privilege Access Management (PAM)?

Since this user can change user's password, attribute, etc it become critical. We would like to manage this user so that PAM can change/rotate the password periodically

Answer 1

Hello,

All operations in a domain managed by Adaxes are performed using the account specified for the domain. You can configure PAM to automatically change/rotate the password of the account, however, it will require updating the password in Adaxes as well. For information on how to do that, have a look at the following help article: https://www.adaxes.com/help/ChangeManagedDomainServiceAccount.

Comments

Hello,

So I will need to update the password periodically in Adaxes as well?

Is there any way to call REST API to PAM from Adaxes?

---

Hello,

So I will need to update the password periodically in Adaxes as well?

Yes, that is correct.

Is there any way to call REST API to PAM from Adaxes?

It should be possible using a PowerShell script. The following Microsoft article might be helpful: https://docs.microsoft.com/en-us/microsoft-identity-manager/reference/privileged-access-management-rest-api-reference.

---

the question the, can we change ChangeManagedDomainServiceAccount through API?

So Adaxes will call the API from PAM. Can powershell inject credentials to Adaxes?

---

Hello,

Sorry for the confusion, but we are not sure of the workflow you want to have. Please, describe it in all the possible details with step-by-step live examples.

For your information, it is possible to use a script to update credentials of a managed domain in Adaxes: https://adaxes.com/sdk/SampleScripts.ChangingCredentialsForManagedDomain.

---

here is the live example.

to connect to AD from Adaxes we user some credentials let say AdaxesAdmin.

There's a policy that every username that has admininistrator capability has to managed by PAM, so PAM will rotate the password periodically for example every one month. Once this password managed by PAM, we need to request the current password to PAM.

So, if AdaxesAdmin is managed by PAM, is there anyway to re-inject this new password to Adaxes automatically?

---

Hello,

You can use the following script to update credentials of a domain managed by Adaxes: https://adaxes.com/sdk/SampleScripts.ChangingCredentialsForManagedDomain. Unfortunately, we were not able to find any information on PAM being able to make API requests automatically when rotating a user password. We recommend you to check that with Microsoft support. If there is no such possibility, then you can execute the script manually when required.