Hi Joe,
Thank you for your patience and for providing the additional details about your environment (RDM 2026.1.22, multiple Hub Business instances and usage of Microsoft Entra ID for SSO). I’ve reproduced your workflow on my end using the same RDM version (2026.1.22) and tested both standard Devolutions accounts and SSO via Entra ID. In all cases I was able to add a Devolutions Hub Privileged Account entry without encountering the “Access Denied” error.
Below is a summary of my findings and further recommendations to help isolate the source of the problem.
SSO test results
RDM version: 2026.1.22 (same as yours).
Authentication: Tested with both a Devolutions account and with SSO through Microsoft Entra ID. In both scenarios RDM prompted for authentication once and allowed me to browse and select the PAM vault. The entry was created successfully.
Use my account settings: Tested with this option enabled and disabled. When disabled, I manually selected the correct Host and still did not encounter any vault selection issues.
Given that the issue does not occur on a comparable configuration, the cause is likely environmental (token caching, permissions, or a missing component such as the encryption service). The steps below may help resolve it.
Suggested next steps
Ensure the Devolutions Cloud Services (PAM/Encryption) service is up‑to‑date. The Devolutions Cloud Services installer deploys the Privileged access management module and the Encryption service, which are required for SSO‑enabled PAM integration. An outdated or misconfigured service can lead to authentication failures. Download the latest installer, verify that the Encryption service component is enabled, and restart the service. You can run multiple instances for high availability.
Review the service logs in Windows Event Viewer. Devolutions Cloud Services write their operational logs to Event Viewer. Reviewing these logs can reveal communication problems, missing encryption keys, or token errors. Filter by time around your failed attempts and note any warnings or errors.
Re‑authenticate in RDM and refresh your SSO token. Sign out of the Hub data source in RDM, delete the data source, close the application, then recreate it and sign back in using SSO. Expired or stale tokens can cause the secondary authentication prompt you described. If possible, perform the test using a separate SSO account to determine whether the issue is tied to a specific user.
Validate the host selection. When “Use my account settings” is disabled, double‑check that the Host field matches the machine on which the privileged account exists. Selecting the wrong host or a different Hub instance will result in an access error.
Please try the steps above, particularly updating/reinstalling the Devolutions Cloud Services and reviewing the event logs. If the problem persists after confirming the service is current and your token is refreshed, please share the specific errors from Event Viewer and we’ll work with our engineering team to investigate further.
Let me know your feedback.
Best regards,