Password Rotation

Password Rotation matches and updates all passwords, including user, administrator (of any kind) and global administrator passwords, in any or all of the following sources:

  • On-premise Active Directory
  • Microsoft Entra ID
  • Microsoft 365

Password Rotation organizes these records based on criteria such as username and domain, and rotates passwords when a match is found. After rotation, the newly generated passwords are updated in Microsoft Entra ID, on-premise Active Directory, Microsoft 365 and IT Glue.

Prerequisites

For On-premise Active Directory Password Rotation

  • An active Network Glue setup.
    Note: Active Directory settings should be activated. For more information, see Setting up Network Glue for an IT Glue organization.
  • Active Directory users sync needs to be enabled.
  • Administrator access to IT Glue. The feature is available for custom roles with administrator rights.
    Warning: The AD password must be updated to ensure sync can continue with Network Glue.
    Admin passwords used to set up the Active Directory connection with Network Glue can be rotated. To rotate this password, users need to match the network to a corresponding password in the Network Settings/account/networks. Until the user matches the corresponding admin password in the settings, they will get the "Not Permitted" status when trying to rotate it.

For Microsoft Entra ID Password Rotation

  • An active Network Glue setup.
  • An active account in entra.microsoft.com, required to generate Microsoft credentials in the Active Directory account for further integration with IT Glue.
  • Sync data settings in Microsoft integration. For more information, see Microsoft Integration.
  • If you have either a new or an existing Microsoft integration, make sure that you have added the required additional API permissions when setting up Microsoft Integration on entra.microsoft.com.

  • Ensure that both settings are activated in the "Microsoft Entra ID Sync" of your Microsoft Integration in IT Glue:
    • Enhance Contacts with Microsoft Entra ID
    • Enable Password Rotation for Microsoft Entra ID.

For Microsoft Entra ID And On-premise Active Directory Password Rotation

If you have both on-premises Active Directory and Microsoft Entra ID and need to rotate passwords for both, the settings must be enabled for both on-premise Active Directory and Microsoft Entra ID.
Moreover, if you manage and store users in both Microsoft Entra ID and on-premise Active Directory and want to rotate their passwords, note that users who have the same usernames in both require Entra Connect to be configured in your Microsoft account.

Procedure

    1. Log in to your IT Glue account, navigate to Account > Password Rotation, and enable the following option:
      • Enable Password Rotation.
        Note: The Enable Password Rotation toggle activates both on-premises Active Directory and Microsoft Entra ID password rotation.
    2. You can configure the settings using any of the following options:
        • Global Settings – To create global settings for password rotation. 
        • Create Organization Rule - To create separate password rotation rules for different organizations and override global settings. The created organization rule will be applied to all the individual passwords inside the specific organization.
          1. If you have selected the Global Settings option, configure the following:
            • The minimum character length of a password.
            • The character requirements for a password:
              • At least one uppercase character
              • At least one lowercase character
              • At least one number
              • At least one non-alphanumeric character
              Warning: Set a password policy that is equivalent to or exceeds the most restrictive policy setting for all your Active Directory environments connected to Network Glue.
              Note: Enable the option Enable Scheduled Rotation to select the frequency at which to rotate your matched password. For more information, see Scheduling Password Rotation.
          2. If you have selected the Create Organization Rule option, configure the following:
            • Select the organization to which the rules should be applied.
            • The minimum character length of a password.
            • The character requirements for a password:
              • At least one uppercase character
              • At least one lowercase character
              • At least one number
              • At least one non-alphanumeric character
              Note: Enable the option Enable Scheduled Rotation to select the frequency at which to rotate your matched password. For more information, see Scheduling Password Rotation.
              The organization rules that are created are listed in the Organization Rules tab. To edit or delete an organization rule, click on the respective icons under the Actions column.
              Note: If you delete an organization rule, the Global Settings rules are applied to the passwords belonging to that organization.
              Note: To receive email notifications when passwords are rotated for a specific organization according to its organization rule, navigate to My Settings from the drop-down menu and select the option Active Directory Password Rotation by Organization Rule under the Email Notification section. You will stop receiving notifications if you disable this option.
    3. Click Match Passwords to filter and approve the password matches.
      • Matching passwords on this tab will not change the password in Active Directory.
      • Matching is required to ensure that the password rotation is correctly applied between your users in Active Directory and IT Glue.
      • After the rotation is performed, the newly created password will match between IT Glue and Active Directory.
      • If you change passwords manually in IT Glue, the change will not return to Active Directory directly unless you click rotate and the rotation is successful.
      • Confirming matched passwords also serves as your approval for us to rotate a password.
    4. IT Glue will present your password from Active Directory and suggest matches for you. Under the Unmatched tab in the Match Passwords window, select the preset filter Suggested to sort the list by suggested matches.
      • Suggested matches are based on exact username.
      • A green checkmark will appear under Actions when an individual match is found.
      • A grey checkmark will appear when no match or multiple matches are found. You must then search and select a password.
      • The X option will move the password to the Ignored tab.
      • For bulk matching, select the checkbox for the password records you want to match and click Approve or Ignore. The approved records will be displayed in the Matched tab.
        Note: For an unwanted password match, click Ignore. These passwords will be displayed in the Ignored tab.
        On the Matched page, you will see user passwords that are approved for rotation.
        If a password was approved by mistake, select X or Ignore. The password will be moved back to the Unmatched or Ignored tab.
        You can edit the suggested Password Name value if the suggested match is incorrect.
        1. Click on the value and choose the correct name from the drop-down.
        2. Click Done to confirm your choice.
    5. The Ignored tab contains passwords that are not approved for rotation. They won't count as unmatched items in subsequent syncs.
      To be able to rotate them again, click the Match button for a single or multiple user passwords.
    6. Click Done. You can view the password-matched status on the Password Rotation page. To rotate a password, click Rotate under the Actions column.
      To rotate passwords in bulk, select multiple password checkboxes and click Rotate.
      You can also view the auto-rotation status by navigating to the organization to which the password belongs. To rotate a password from the Passwords page, click on the Rotate button.

Note: When a password is rotated by a user, the Password Revisions on the right sidebar will display a new version. Restoring a previous version does not automatically update the password in Active Directory.

Important: Currently, users will not be able to rotate passwords used in Network Glue > Active Directory. When trying to rotate this password, a user will see the Not Permitted - Admin error.

Set rules in Cooper Bots to rotate AD password in IT Glue

Cooper Bots is a Business Process Automation (BPA) Engine that combines the power of workflow automation with an AI assistant to execute work on our customers’ behalf, across the IT Complete platform. With Cooper Bots, you can set up a rule that will automatically rotate an AD password in IT Glue whenever you get a corresponding ticket in Autotask.

When the scenario is active:

  1. Cooper Bot will automatically identify Autotask tickets that request a password reset.
  2. This password will be found and rotated in Network Glue.
  3. When completed, Cooper Bot will update the ticket with a link to the password that was reset.

Statuses and Error Messages

The following are descriptions of the possible statuses displayed after initiating a password rotation:

  • API Error - an error occurred prior to the password rotation.
  • Admin Not Permitted - when a required admin role is not added for admin password rotation.
  • Multi Tenant not Permitted - the required role is not added for password rotation.
  • Not Permitted - vaulted passwords are not permitted for password rotation.
  • Successful - the passwords have been successfully rotated.
  • In progress - the password rotation is in progress.
  • Failed - the password rotation has failed.
    Note: If a user has set up a minimum password age in the on-premise Active Directory and/or Microsoft Entra ID, and rotates the password in IT Glue, the next successful attempt to rotate this same password will occur only after the completion of the period that is set up as the minimum password age.
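
The warning in step 2 of the procedure requires the IT Glue policy to meet or exceed the most restrictive Active Directory policy, and the note above ties repeat rotations to the minimum password age. The following PowerShell script is an added example, not part of the IT Glue documentation, that reads both values from on-premise Active Directory for comparison. The domain names and planned settings are placeholders, and Microsoft Entra ID policies are not covered.

```powershell
# Added example, not vendor code. Requires the ActiveDirectory module (RSAT) and an
# account allowed to read each domain's password policies.
Import-Module ActiveDirectory

# Assumption: placeholder names; list every AD domain connected to Network Glue.
$Domains = @('corp.example.com', 'branch.example.com')

# Assumption: the values you plan to enter under Global Settings or an organization rule.
$Planned = @{ MinLength = 16; Upper = $true; Lower = $true; Number = $true; Symbol = $true }

function New-PolicyRow($Domain, $Name, $Policy) {
    [pscustomobject]@{
        Domain     = $Domain
        Policy     = $Name
        MinLength  = $Policy.MinPasswordLength
        Complexity = $Policy.ComplexityEnabled
        MinAge     = $Policy.MinPasswordAge   # TimeSpan
    }
}

$rows = foreach ($domain in $Domains) {
    New-PolicyRow $domain 'Default domain policy' (Get-ADDefaultDomainPasswordPolicy -Server $domain)
    # Fine-grained policies (PSOs) can be stricter than the domain default.
    foreach ($pso in Get-ADFineGrainedPasswordPolicy -Filter * -Server $domain) {
        New-PolicyRow $domain "PSO: $($pso.Name)" $pso
    }
}
$rows | Format-Table -AutoSize

# The strictest requirement across all environments is the floor for IT Glue.
$requiredLength   = ($rows | Measure-Object -Property MinLength -Maximum).Maximum
$complexityNeeded = [bool]($rows | Where-Object { $_.Complexity })
$longestMinAge    = ($rows | Sort-Object MinAge -Descending | Select-Object -First 1).MinAge

# AD complexity needs characters from at least three categories.
$classes = @($Planned.Upper, $Planned.Lower, $Planned.Number, $Planned.Symbol |
    Where-Object { $_ }).Count

if ($Planned.MinLength -lt $requiredLength) {
    Write-Warning "Planned minimum length $($Planned.MinLength) is below the strictest AD minimum ($requiredLength)."
}
if ($complexityNeeded -and $classes -lt 3) {
    Write-Warning "AD complexity is enabled; select at least three character requirements."
}
"Longest minimum password age: $longestMinAge. A second rotation inside this window will not succeed."
```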

The server cannot handle errors related to LDAP over SSL (LDAPS) connectivity issues. The following tips can help troubleshoot these issues.
