EntraID PAM account showing json string for password

A fix for this issue has been implemented in version 2025.3.300


Hello,

When viewing the password for an EntraID PAM credential stored in Hub, the password is showing as an encoded json string. Performing a heartbeat synchronization returns an incorrect successful result.

Attempting to utilize or view the password in RDM results in the following error:


If I reset the password using WebUI, the password is visible again for a few days before it turns back into a json string. There are no log entries shown in Hub that indicate the password was edited between reset and corruption.


If I manually input an incorrect password, and perform a synchronization it still shows as successful even though the password doesn't match that of the credential in the provider source.

Seems like Hub is corrupting the passwords periodically and not performing a legitimate heartbeat validation.

This may be related to another post for domain user type PAM accounts becoming locked/corrupted Unable to check in or unlock PAM account

Please let me know if you would like any additional info.

Thanks
Joe


All Comments (9)


Hi @jm2,

We'll try to reproduce internally and get back to you as soon as possible. In the meantime, could you provide the version of the PAM service installed and confirm if it is up to date?

Thank you,

Luc Fauvel


Thanks Luc. PAM service installed is 2025.3.1


Hi @jm2,

We've managed to reproduce the issue internally and will be attempting a fix. We'll let you know when it's available.

Cheers,

Luc Fauvel


That's great, thanks for the update Luc.


Hello,

Thank you for being so patient!

I'm pleased to inform you that a new version of Hub Business has been released, featuring the fix for the issue.

Please let us know if this works or if you encounter any issues.

Best regards,

Maxim Robert


Hi Maxim,

Thanks for the update. Will monitor for password corruption over the following days and reply if it reoccurs.

However, it doesn't appear the issue with EntraID incorrect password validation/heartbeat is resolved. It's still showing success even when an invalid password has been entered manually for an Entra PAM account.

Joe


Hi Joe,

The false positive is unfortunately a current limitation as the Microsoft Graph API doesn’t allow us to validate a password, only change it.

The heartbeat check currently only checks if the account exists or not. This limitation is the same in Devolutions Server and Hub.

Best regards,

Luc Fauvel


Hi Luc,

Thanks for clarifying that. Seems like a pretty important limitation.

Perhaps this should be articulated more clearly in the guides for integrating PAM with EntraID, and/or the EntraID type provider should be shown in the 'password reset only' category when adding a new PAM credential.

I imagine many organizations would want Devolutions to identify if an Entra credential was changed outside of the PAM workflow, so until MS Graph supports some kind of password validation API, maybe an alternate approach could be implemented to attempt authentication with the stored username and password to check if it succeeds, or at least gets to a likely secondary MFA prompt? It's probably possible to achieve this with a custom Any Identity provider, but it would be better if available in the native provider.

Joe

Choose a Microsoft Graph authentication provider - Microsoft Graph | Microsoft Learn



Hi Joe,

We'll look into the different possibilities and get back to you on this. Thank you again for your feedback.

Cheers,

Luc Fauvel
