How to link a user credential of an Entra ID PAM vault as a session login?
Hi
I created a new Entra ID PAM vault with password rotation for accounts in Entra ID. Connection test and password rotation work as expected. In RDM I have an existing "Default" vault, where we configured all connections to our systems.
I'm struggling to use the newly created Entra ID PAM vault as a linked vault in existing system connections, e.g. RDP to a Windows Server or the portal website of Entra ID.
In the "Default" vault I already created a Devolutions Server cross-vault entry. In this entry I can see my Entra ID PAM vault. If I try to use this credential to link it to a session, I cannot see/choose any Entra ID credentials from the Entra ID PAM vault.
Can you help me please?
Br
Walter
Hi Walter,
Glad to hear the Entra ID PAM vault and password rotation are already working well.
The behaviour you are seeing is expected: a regular cross-vault credential link only surfaces standard Credential entries, so PAM accounts will never appear in that picker — which is why you can see the vault but none of the Entra ID accounts inside it. PAM accounts are referenced a bit differently. You have two options depending on how you want it to work.
The simplest approach is to set the credentials directly on the session. Open your RDP or website entry, go to the Credentials section, and instead of a linked credential choose the type PRIVILEGED ACCOUNT. That lets you pick the account straight from your Entra ID PAM vault, and the session will trigger the checkout on launch. You can also set this once on a parent folder and use INHERITED on the sessions below it so they all share the same PAM account. Both types are described here: https://docs.devolutions.net/rdm/ribbon-menu-bar/edit/entry-credentials-options/
If you would rather keep referencing it from your Default vault (the cross-vault approach you started with), the entry type matters. Create a DEVOLUTIONS SERVER PRIVILEGED ACCOUNT entry in the Default vault, enter your Devolutions Server URL, and select the desired account from the PAM vault. Then, on the session, set the credentials to LINKED (VAULT) and point it at that entry. The generic cross-vault credential entry will not expose PAM accounts, but this dedicated entry type carries the PAM reference correctly.
One last variant, in case you want each user to choose their own account at connection time rather than fixing one account: on the Devolutions Server privileged account entry, enable "Use My account settings" together with "Always prompt with list." Each user is then shown their personal PAM list on launch. This and the user-vault setup are covered here: https://docs.devolutions.net/rdm/kb/how-to-articles/set-up-user-vault-credentials/
Sorry for the long explanation, I wanted to make sure I cover all eventualities :D
I hope this clears this up for you. Please don't hesitate to follow up with any additional questions.
Best regards,
Stephan