Connecting Active Directory
MyPass Cloud integrates seamlessly with your on-premises Microsoft Active Directory (AD). This integration is facilitated by the MyPass Gateway Server, a secure component deployed within your infrastructure. The Gateway Server acts as a trusted intermediary, enabling MyPass Cloud to communicate effectively with your AD environment while ensuring the highest standards of security and compliance.
One of the key advantages of this integration is the empowerment of users through self-service capabilities, such as password resets and account unlocks, which can be initiated directly from the MyPass Self-Service portal. These actions are securely relayed through the Gateway Server to your on-premises AD, reducing the workload on IT support teams and improving the user experience. Additionally, MyPass Cloud ensures that your organization maintains a single origin for passwords, strengthening security and simplifying administration across all connected systems.
The AD/Entra Connected system is a critical foundation for the MyPass Cloud solution, serving as the primary requirement for its intended operation. A primary account/identity is formulated and built upon your AD/Entra identity, ensuring seamless password synchronization and enabling scalable, multi-system integrations for future expansions.
Quick Implementation Pointers
- Verify Network and Infrastructure Pre-requisites
- Gather AD Configuration Parameters
- User Audience Targeting
- Set Up AD Service Account
Network and Infrastructure Pre-requisites
To ensure successful integration, the following network and infrastructure components must be in place:
- Active Directory Environment: A functional AD domain with accessible domain controllers, configured to support LDAP or LDAPS protocols.
- MyPass Gateway Server: A Windows Server (2016 or later) to host the MyPass Gateway application.
- Network Connectivity: Open firewall ports 389 (LDAP) and 445 (SMB), or just 636 (LDAPS) for communication between the MyPass Gateway server and AD domain controllers.
- SSL Certificate (for LDAPS): A valid SSL certificate installed on the domain controller for encrypted connections.
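The prerequisites above are easy to state and easy to get wrong on the day of installation (a firewall rule that covers 389 but not 636, or a domain controller certificate whose subject does not match the FQDN the Gateway will connect to). The following PowerShell check is an added example, not part of the MyPass documentation or the Gateway installer; run it on the prospective Gateway Server. `$DomainController` and `$CloudEndpoint` are placeholders you replace with your own hostnames, and `-UseLdaps` selects the port set for the connection type you intend to use.

```powershell
# Added example, not part of the MyPass documentation: run on the prospective
# Gateway Server to confirm the network prerequisites before installation.
# Placeholders (replace with your values): $DomainController, $CloudEndpoint.
$DomainController = 'dc01.corpdomain.com'      # placeholder DC FQDN
$CloudEndpoint    = 'cloud.mypass.example'     # placeholder MyPass Cloud backend host

function Test-GatewayPrerequisites {
    param(
        [Parameter(Mandatory)][string]$DomainController,
        [Parameter(Mandatory)][string]$CloudEndpoint,
        [switch]$UseLdaps      # LDAPS needs only 636; plain LDAP needs 389 and 445
    )
    $results = New-Object System.Collections.Generic.List[object]

    # 1. TCP reachability of the domain controller on the ports for the chosen connection type
    $dcPorts = if ($UseLdaps) { 636 } else { 389, 445 }
    foreach ($port in $dcPorts) {
        $tcp = Test-NetConnection -ComputerName $DomainController -Port $port -WarningAction SilentlyContinue
        $results.Add([pscustomobject]@{ Check = "TCP to $DomainController port $port"; Passed = $tcp.TcpTestSucceeded })
    }

    # 2. Outbound HTTPS to the MyPass Cloud backend
    $tcp = Test-NetConnection -ComputerName $CloudEndpoint -Port 443 -WarningAction SilentlyContinue
    $results.Add([pscustomobject]@{ Check = "HTTPS (443) to $CloudEndpoint"; Passed = $tcp.TcpTestSucceeded })

    # 3. The directory actually answers LDAP: read RootDSE and report the default naming
    #    context, which is the root under which the LDAP Base DN is chosen.
    $ldapUrl = if ($UseLdaps) { "LDAP://$DomainController`:636/RootDSE" } else { "LDAP://$DomainController/RootDSE" }
    try {
        $rootDse = [ADSI]$ldapUrl
        $nc = [string]$rootDse.defaultNamingContext
        $results.Add([pscustomobject]@{ Check = "RootDSE reachable, defaultNamingContext=$nc"; Passed = ($nc.Length -gt 0) })
    } catch {
        $results.Add([pscustomobject]@{ Check = "RootDSE query failed: $($_.Exception.Message)"; Passed = $false })
    }

    # 4. For LDAPS, validate the DC certificate the way an LDAPS client does: the chain must
    #    build to a root trusted on this host and the subject/SAN must match the DC FQDN.
    if ($UseLdaps) {
        $client = New-Object System.Net.Sockets.TcpClient($DomainController, 636)
        try {
            $ssl = New-Object System.Net.Security.SslStream($client.GetStream(), $false)
            $ssl.AuthenticateAsClient($DomainController)        # throws on untrusted chain or name mismatch
            $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
            $results.Add([pscustomobject]@{
                Check  = "LDAPS certificate trusted, subject=$($cert.Subject), expires=$($cert.NotAfter)"
                Passed = ($cert.NotAfter -gt (Get-Date))
            })
        } catch {
            $results.Add([pscustomobject]@{ Check = "LDAPS certificate check failed: $($_.Exception.Message)"; Passed = $false })
        } finally {
            $client.Close()
        }
    }
    return $results
}

Test-GatewayPrerequisites -DomainController $DomainController -CloudEndpoint $CloudEndpoint -UseLdaps |
    Format-Table -AutoSize
```

The certificate step is deliberately a real TLS handshake rather than a port probe: a domain controller can accept connections on 636 with a certificate that chains to a private CA the Gateway host does not trust, or that was issued to a different name, and both failures only show up when a client validates the chain against the exact FQDN it will use.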
Required System Parameters
The following parameters are required to configure the integration with your AD domain:
| Requirement | Description |
|---|---|
| Domain Name | The fully qualified domain name (FQDN) of the domain, e.g., corpdomain.com. |
| Domain Alias | A label, typically the NetBIOS name, used in desktop login interfaces, e.g., corpdomain |
| LDAP Base DN | The distinguished name (DN) serving as the offset in the LDAP tree, e.g., OU=Employees,DC=corpdomain,DC=com or DC=corpdomain,DC=com. |
| Connection Type | LDAP for native (unencrypted) LDAP communication, or LDAPS for secure, certificate-backed communication. |
| Domain Service Account Name | The name of the account with privileges to read user attributes and reset passwords. |
| Domain Service Account Password | The password for the specified domain account. |
Additional Requirements
- A dedicated server or virtual machine within your infrastructure must be available to host the MyPass Gateway Server, meeting the hardware and software specifications provided in the MyPass Gateway Server installation guide.
- The Gateway Server must have network access to the AD domain controllers and be able to establish LDAP (port 389) or LDAPS (port 636) connections, as well as internet access to communicate with the MyPass Cloud backend over HTTPS (port 443).
- Appropriate firewall rules and security policies must be configured to allow communication between the Gateway Server, AD domain controllers, and MyPass Cloud.
- The domain account specified for integration must have sufficient privileges to read user attributes and reset passwords for users within the specified LDAP Base DN.
User Audience Targeting Configuration
MyPass Cloud integrates with Microsoft Active Directory (AD) to efficiently ingest and manage user identities, enabling tailored user experiences within the platform. Using the AD service account specified in the connector parameters, MyPass scans the Active Directory starting from the designated domain root or LDAP Base DN. This scan identifies user groups, which can then be selectively ingested into MyPass Cloud. These groups allow our MyPass teams to configure specific user experiences, such as customized access policies or self-service capabilities. Users within these selected groups consume a license and are assigned a DISCOVERED status in MyPass. When a user enrolls in MyPass or performs an action via the portal (e.g., password reset), their status updates to ENROLLED, indicating active platform usage. Users experiencing any form of account lockout are marked as LOCKED. These statuses can optionally be used to refine audience segmentation, enhancing administrative control over user management.
To proceed with user ingestion and audience configuration, the customer must provide the following:
- Group Selection: A list of AD security groups to be targeted for licensing.
- License Allocation: Confirmation of the number of users expected within these selected groups.
- Access Policy Requirements: Details on desired user experiences or access policies to be applied to the targeted groups.
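Before handing over the group list and license figure, it helps to reproduce the discovery scan yourself: flatten the selected groups to unique user objects under the Base DN and read the same attributes the discovery operation uses. The script below is an added example, not the MyPass discovery engine, and it assumes the RSAT ActiveDirectory module is installed and the executing account can read the attributes; `$TargetGroups` and `$BaseDn` are placeholders. It derives only the two statuses the document defines for unenrolled users (DISCOVERED and LOCKED); ENROLLED is set by MyPass itself and cannot be computed from AD.

```powershell
# Added example, not the MyPass discovery engine: enumerate the security groups
# chosen for licensing, flatten their user membership, read the discovery
# attributes listed in this document, and derive a DISCOVERED / LOCKED view
# so the figure requested under "License Allocation" can be confirmed.
# Assumptions: RSAT ActiveDirectory module installed; $TargetGroups and $BaseDn are placeholders.
Import-Module ActiveDirectory

$TargetGroups = @('MyPass-Users', 'MyPass-Contractors')   # placeholder group names
$BaseDn       = 'OU=Employees,DC=corpdomain,DC=com'        # placeholder LDAP Base DN

function Get-MyPassAudience {
    param([string[]]$GroupNames, [string]$SearchBase)
    # LDAP display names of discovery attributes; LockedOut and Enabled are computed by the
    # cmdlet from msDS-User-Account-Control-Computed and userAccountControl respectively.
    $props = 'sAMAccountName','userPrincipalName','displayName','department','title',
             'manager','lockoutTime','userAccountControl','pwdLastSet','memberOf','LockedOut','Enabled'
    $byDn = @{}
    foreach ($group in $GroupNames) {
        # -Recursive flattens nested groups; keep user objects only
        Get-ADGroupMember -Identity $group -Recursive |
            Where-Object { $_.objectClass -eq 'user' } |
            ForEach-Object {
                $dn = $_.distinguishedName
                if ($byDn.ContainsKey($dn)) { return }                 # same user in two groups = one license
                if ($dn -notlike "*,$SearchBase") { return }            # outside the Base DN: out of scope
                $u = Get-ADUser -Identity $dn -Properties $props
                $byDn[$dn] = [pscustomobject]@{
                    SamAccountName  = $u.sAMAccountName
                    UPN             = $u.userPrincipalName
                    Department      = $u.department
                    Enabled         = $u.Enabled
                    # pwdLastSet is a FILETIME; 0 means "must change at next logon"
                    PasswordAgeDays = if ($u.pwdLastSet -gt 0) { [int]((Get-Date) - [datetime]::FromFileTime($u.pwdLastSet)).TotalDays } else { $null }
                    Status          = if ($u.LockedOut) { 'LOCKED' } else { 'DISCOVERED' }
                    Groups          = ($u.memberOf | ForEach-Object { ($_ -split ',')[0] -replace '^CN=' }) -join ';'
                }
            }
    }
    return @($byDn.Values)
}

$audience = Get-MyPassAudience -GroupNames $TargetGroups -SearchBase $BaseDn
$audience | Group-Object Status | Select-Object Name, Count | Format-Table -AutoSize
"Unique users in targeted groups (expected license count): $($audience.Count)"
# Accounts already locked out are worth reviewing with the help desk before go-live
$audience | Where-Object { $_.Status -eq 'LOCKED' } | Select-Object SamAccountName, UPN, Department
```

Two details matter for the license figure: membership is de-duplicated by distinguished name, because a user in several targeted groups still consumes one license, and users whose DN is not under the Base DN are dropped, because the scan described above starts at that DN and will not see them. `LockedOut` is used instead of testing `lockoutTime` directly, since `lockoutTime` stays non-zero after the lockout duration has elapsed and would over-report LOCKED.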
AD Service Account
The AD service account is a critical component for MyPass Cloud's integration with Microsoft Active Directory (AD). This dedicated account, specified during the configuration process, must have sufficient privileges to read user attributes, reset passwords, and scan group memberships within the designated LDAP Base DN. It enables MyPass Cloud to perform essential operations, such as user ingestion, password management, and group-based audience configuration, ensuring seamless and secure interaction with your AD environment.
Required Permissions
| Permission Type | Access Level | Purpose |
|---|---|---|
| Password Reset | Execute | Allow password changes |
| Account Unlock | Write | Manage lockouts |
| User Attributes | Read | Query account info |
Granting Permissions
To grant the necessary permissions to the service account, follow these steps in Active Directory Users and Computers (ADUC):
- Open Active Directory Users and Computers.
- Navigate to the target Organizational Unit (OU).
- Right-click the OU and select Delegate Control to assign password reset permissions.
- Configure attribute-level permissions as required for user management tasks.
Granting Read and Write Permissions for pwdLastSet
- In Active Directory Users and Computers, locate the OU for delegation.
- Right-click the OU and select Properties.
- If the Security tab is visible, select it. If not, enable Advanced Features from the View menu in ADUC.
- Under the Security tab, click Advanced to view and apply special permissions, including read and write access to the pwdLastSet attribute.
These steps ensure the service account has the appropriate access to perform password resets, account unlocks, and other essential operations required
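The two ADUC procedures above produce access control entries on the delegation OU. The same result can be produced, and more importantly audited, with the ActiveDirectory module, which also makes it straightforward to scope each entry to user objects only. The following script is an added example, not from the MyPass installation guide; it grants exactly the rights named in the Required Permissions tables. It assumes the RSAT ActiveDirectory module is installed, that it runs as an account permitted to modify the OU's ACL, and that `$ServiceAccount` and `$TargetOu` are placeholders for your service account and LDAP Base DN.

```powershell
# Added example, not from the MyPass installation guide: delegate to the service
# account the rights listed in the Required Permissions tables on the delegation OU,
# using the ActiveDirectory module instead of the ADUC wizards.
# Assumptions: RSAT ActiveDirectory module installed; run as an account allowed to
# modify the OU's ACL; $ServiceAccount and $TargetOu are placeholders.
Import-Module ActiveDirectory

$ServiceAccount = 'CORPDOMAIN\svc-mypass'                 # placeholder
$TargetOu       = 'OU=Employees,DC=corpdomain,DC=com'     # placeholder: the LDAP Base DN

$rootDse  = Get-ADRootDSE
$schemaNc = $rootDse.schemaNamingContext
$configNc = $rootDse.configurationNamingContext

# Resolve attribute/class and extended-right GUIDs from this forest's schema
# rather than hard-coding them.
function Get-SchemaGuid([string]$LdapDisplayName) {
    $o = Get-ADObject -SearchBase $schemaNc -LDAPFilter "(lDAPDisplayName=$LdapDisplayName)" -Properties schemaIDGUID
    return [guid]$o.schemaIDGUID
}
function Get-ExtendedRightGuid([string]$DisplayName) {
    $o = Get-ADObject -SearchBase "CN=Extended-Rights,$configNc" -LDAPFilter "(displayName=$DisplayName)" -Properties rightsGuid
    return [guid]$o.rightsGuid
}

$sid       = (New-Object System.Security.Principal.NTAccount($ServiceAccount)).Translate([System.Security.Principal.SecurityIdentifier])
$userClass = Get-SchemaGuid 'user'        # every ACE applies to user objects only
$inherit   = [System.DirectoryServices.ActiveDirectorySecurityInheritance]::Descendents   # child objects, not the OU itself

function New-Ace([System.DirectoryServices.ActiveDirectoryRights]$Rights, [guid]$ObjectType) {
    New-Object System.DirectoryServices.ActiveDirectoryAccessRule($sid, $Rights, 'Allow', $ObjectType, $inherit, $userClass)
}

$aces = @(
    (New-Ace 'ExtendedRight' (Get-ExtendedRightGuid 'Reset Password'))          # Password Reset: Execute
    (New-Ace 'ReadProperty, WriteProperty' (Get-SchemaGuid 'lockoutTime'))        # Account Unlock: Write
    (New-Ace 'ReadProperty, WriteProperty' (Get-SchemaGuid 'pwdLastSet'))         # pwdLastSet: Read-Write
    (New-Ace 'ReadProperty, WriteProperty' (Get-SchemaGuid 'userAccountControl')) # Reset Password: Read-Write
)

$acl = Get-Acl -Path "AD:\$TargetOu"
foreach ($ace in $aces) { $acl.AddAccessRule($ace) }
Set-Acl -Path "AD:\$TargetOu" -AclObject $acl

# Verify what the service account now holds on the OU; keep this output with the change record.
(Get-Acl -Path "AD:\$TargetOu").Access |
    Where-Object { $_.IdentityReference -eq $ServiceAccount } |
    Select-Object ActiveDirectoryRights, AccessControlType, ObjectType, InheritedObjectType, InheritanceType
```

Read access to the general user attributes and to the password-policy attributes on the domain object is normally already held by Authenticated Users in a default domain, so the entries above are usually the only additions needed; if read access has been restricted in your environment, add `ReadProperty` entries for the remaining attributes in the same way. Scoping each ACE to the `user` class and to descendants keeps the delegation from silently applying to computer or group objects under the same OU.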
Service Account Functions
Reset Password Operation
The Password Reset function is an integral component of the Password Manager's Reset Password end-user transaction. This function executes the password reset process, provided the user has successfully completed the configured alternative authentication methods and possesses the "Change Password" privilege. By default, the Password Reset function operates in two steps:
- Initial Password Reset: The system generates a random temporary password to reset the user's existing password.
- Password Change: The system then updates the password to the user-specified value.
This two-step process ensures compliance with password history policies by verifying the new password against previous entries.
Required Permissions
The Reset Password function mandates that the Domain Account possesses read permissions for the attributes listed in the Discover Account table. Additionally, the Domain Account must be granted permissions for the attributes specified in the table below.
| Attribute | Access | Description | Stored |
|---|---|---|---|
| lockouttime | Write | Used to determine whether a user has been locked due to failed attempts. | Yes |
| pwdLastSet | Read-Write | When the user last set the password. | Yes |
| userAccountControl | Read-Write | Used to determine whether a user has been disabled. | No |
| msDS-User-Account-Control-Computed | Read | Used to find out the LOCKOUT setting. | No |
| ntSecurityDescriptor | Read | | No |
| logonHours | Read | Used to get the user's valid logon hours. | Yes |
Besides the listed attribute rights, the function also requires the privileges in the following table to be granted to the Domain Account.
| Permission | Access | Description |
|---|---|---|
| ResetPassword | Execute | Method used to set the password. |
Besides the listed attribute rights and privileges, the Reset Password function also requires the privileges in the following table to be granted to the Domain Account on the Domain Policy object.
| Attribute | Access | Description | Stored |
|---|---|---|---|
| maxPwdAge | Read | | No |
| minPwdAge | Read | | No |
| minPwdLength | Read | | No |
| lockoutDuration | Read | | No |
| lockOutObservationWindow | Read | | No |
| lockoutThreshold | Read | | No |
| pwdProperties | Read | | No |
| pwdHistoryLength | Read | | No |
| objectClass | Read | | No |
Change Password Operation
The password change operation is performed as part of the Password Change end-user transaction in MyPass Cloud. This is done to perform the actual change of the password (only if the user has passed the configured alternative authentication methods and only if the user holds the “Change Password” privilege).
The Password Change function requires read permissions granted to the Domain Account on several attributes, which are all listed in the table below. No other privileges are required.
| Attribute | Access | Description | Stored |
|---|---|---|---|
| pwdLastSet | Read | When the user last set the password. | Yes |
| userAccountControl | Read-Write | Used to determine whether a user has been disabled. | Yes |
| msDS-User-Account-Control-Computed | Read | Used to find out the LOCKOUT setting. | No |
| ntSecurityDescriptor | Read | | No |
| logonHours | Read | Used to get the user's valid logon hours. | Yes |
Besides the listed attribute rights and privileges, the Reset Password function also requires the privileges in the following table to be granted to the Domain Account on the Domain Policy object.
| Attribute | Access | Description | Stored |
|---|---|---|---|
| maxPwdAge | Read | | No |
| minPwdAge | Read | | No |
| minPwdLength | Read | | No |
| lockoutDuration | Read | | No |
| lockOutObservationWindow | Read | | No |
| lockoutThreshold | Read | | No |
| pwdProperties | Read | | No |
| pwdHistoryLength | Read | | No |
| objectClass | Read | | No |
Unlock Account Operation
The account unlock operation is performed as part of the Unlock Account end-user transaction in MyPass Cloud. It performs the actual unlock of the account (only if the user has passed the configured alternative authentication method).
The Account Unlock function requires the permissions for the Domain Account on the attributes listed in the table below.
| Attribute | Access | Description | Stored |
|---|---|---|---|
| Lockouttime | Write | Used to determine whether a user has been locked because of too many failed login attempts. | Yes |
| pwdLastSet | Read | When the user last set the password. | Yes |
AD Group Discovery Operation
MyPass Cloud uses a discovery operation to track users placed in groups, removed from groups, and changes in information on user accounts. This information is used to trigger notification processes (for example, password reset reminders) and to allocate or deallocate MyPass Cloud licensing. For this to function correctly, the following permissions are required in Active Directory.
| Attribute | Access | Description | Stored |
|---|---|---|---|
| DistinguishedName | Read | The unique name in LDAP format for the user. | Yes |
| sAMAccountName | Read | The short unique name for the user (the old-style login name). | Yes |
| objectClass | Read | The AD object class. | Yes |
| cn | Read | Common Name for the user. | Yes |
| sn | Read | Surname; also editable in Active Directory Users and Computers. | Yes |
| givenName | Read | First Name; also editable in Active Directory Users and Computers. | Yes |
| displayName | Read | Full Name; also editable in Active Directory Users and Computers. | Yes |
| description | Read | Description; also editable in Active Directory Users and Computers. | Yes |
| department | Read | Department; also editable in Active Directory Users and Computers. | Yes |
| title | Read | Title; also editable in Active Directory Users and Computers. | Yes |
| manager | Read | Manager (direct manager of the user). | Yes |
| phone | Read | Telephone number. | Yes |
| mobile | Read | Mobile phone number. | Yes |
| | Read | E-mail address. | Yes |
| lockouttime | Read | Used to determine whether a user has been locked due to too many failed login attempts. | No |
| userAccountControl | Read | Used to determine whether a user account is disabled/enabled. | No |
| memberOf | Read | The groups a user is a member of. | No |
| primarygroupid | Read | Used to determine the primary group of a user. | No |
| userPrincipalName | Read | The user principal name (UPN) of the user. | Yes |
| pwdLastSet | Read | Password last set timestamp (used to determine password age/expiration). | No |
| userCertificate | Read | User certificate (primarily used when Email Encryption is enabled). | No |
Licensing – Simple Summary
| What you pay for | How it’s calculated |
|---|---|
| Active Directory | Base license fee per managed user |
| All additional systems (SQL Server, Oracle, SAP, IBM i, SSH, etc.) | Additional fee per managed user × per system |
Real-world example
If you manage 2 000 users in total:
- Active Directory → 2 000 × base AD user license (This system is required for every MyPass deployment)
- Any extra systems (e.g., 8 SQL instances + 5 SAP Instances) → charged separately on top
Active Directory is the foundation - the base per-user license is mandatory and covers all core MyPass functionality including AD password rotation, self-service, and emergency access.