RPC for Entra ID and Active Directory
Remote Password Changing (RPC) is a core Secret Server feature that automates credential rotation for privileged accounts, so that passwords are changed on the schedule, and to the complexity, that organizational policy requires. Secret Server supports RPC for both traditional Active Directory environments and Microsoft Entra ID (formerly Azure AD) cloud directories. Both implementations achieve the same goal, automated password management, but they employ fundamentally different architectures, authentication mechanisms, and permission models. Understanding these differences is essential for organizations planning their privileged access management strategy, particularly those operating in hybrid environments.
Active Directory RPC uses native Windows protocols (LDAP and ADSI) to communicate directly with domain controllers for password operations. This approach requires a dedicated service account with delegated permissions configured through Active Directory Users and Computers and ADSI Edit, including rights to change passwords, reset passwords, and modify account properties. The permission model is object-based, so the delegation can be scoped to the organizational units or specific accounts the service account needs to manage; delegate the Reset Password right on those OUs rather than at the domain root, because the service account is itself a high-value credential and any delegation it holds is what an attacker who compromises it inherits. For on-premises Secret Server deployments, AD RPC can execute directly from the web server without requiring Distributed Engines.
Entra ID RPC, introduced in Secret Server 11.7.000015, takes a cloud-native approach using OAuth 2.0 authentication and the Microsoft Graph API over HTTPS. Instead of a service account, this implementation requires an Azure App Registration configured with the appropriate Graph API permissions and assigned either the User Administrator or Privileged Authentication Administrator directory role. Note the difference between the two roles: User Administrator can reset passwords only for users who hold no administrative role, so if the accounts being rotated include Entra ID administrators, the App Registration needs Privileged Authentication Administrator. The App Registration's client secret or certificate is the credential that authorizes every reset, so it should be stored and rotated as a privileged secret in its own right. Entra ID RPC supports managing MFA-protected accounts through the Resource Owner Password Credential (ROPC) grant flow without requiring PowerShell scripts. All Entra ID RPC operations require a Distributed Engine, even for on-premises Secret Server installations.
Organizations with hybrid identity environments must understand that these two RPC methods serve different account populations and cannot be used interchangeably. Entra ID RPC only supports cloud-native accounts created directly in Entra ID; accounts synchronized from on-premises Active Directory must continue using AD RPC even though they appear in the Azure portal, because their password source of truth is the on-premises domain controller and a Graph reset would fail or be overwritten. In Graph, synchronized accounts are the ones whose onPremisesSyncEnabled attribute is true; cloud-only accounts carry no value for that attribute. Hybrid organizations therefore typically need both configurations operating simultaneously: AD RPC for synchronized accounts and domain controllers, and Entra ID RPC for cloud-only identities. Proper planning ensures complete coverage of privileged accounts across the entire identity infrastructure.
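The following PowerShell script is an added example to illustrate the two mechanisms described above; it is not Secret Server code and does not use the Secret Server API. It obtains an app-only Graph token for an App Registration via the OAuth 2.0 client-credentials grant (the ROPC flow mentioned above is not shown), inventories every user by onPremisesSyncEnabled so you can see which accounts belong to AD RPC and which to Entra ID RPC, and optionally performs the same Graph operation Entra ID RPC relies on, a PATCH of the user's passwordProfile, refusing to do so for a synchronized account. The tenant, client and secret values are parameters you supply; the permission name User-PasswordProfile.ReadWrite.All is the least-privileged application permission for updating passwordProfile as documented by Microsoft, but confirm it against your tenant.

```powershell
<#
Added example, not Secret Server code. Assumes an App Registration with a client
secret, the Graph application permission User-PasswordProfile.ReadWrite.All
(plus User.Read.All for the inventory), and the User Administrator or
Privileged Authentication Administrator role assigned to the app.
#>
[CmdletBinding(SupportsShouldProcess)]
param(
    [Parameter(Mandatory)] [string] $TenantId,
    [Parameter(Mandatory)] [string] $ClientId,
    [Parameter(Mandatory)] [securestring] $ClientSecret,
    # UPN of the account to rotate; omit to only print the inventory
    [string] $TargetUpn,
    [securestring] $NewPassword
)

$ErrorActionPreference = 'Stop'
$graph = 'https://graph.microsoft.com/v1.0'

# OAuth 2.0 client-credentials grant: app-only token scoped to Graph.
$secretPlain = [System.Net.NetworkCredential]::new('', $ClientSecret).Password
$token = Invoke-RestMethod -Method Post `
    -Uri "https://login.microsoftonline.com/$TenantId/oauth2/v2.0/token" `
    -Body @{
        client_id     = $ClientId
        client_secret = $secretPlain
        scope         = 'https://graph.microsoft.com/.default'
        grant_type    = 'client_credentials'
    }
$headers = @{ Authorization = "Bearer $($token.access_token)" }

# Page through all users. onPremisesSyncEnabled is $true for accounts synced
# from AD, $false for accounts that were synced once and then detached, and
# null for accounts born in the cloud, so compare explicitly against $true.
$users = @()
$uri = "$graph/users?`$select=id,userPrincipalName,onPremisesSyncEnabled,onPremisesDistinguishedName&`$top=999"
while ($uri) {
    $page = Invoke-RestMethod -Uri $uri -Headers $headers
    $users += $page.value
    $uri = $page.'@odata.nextLink'
}

$synced    = @($users | Where-Object { $_.onPremisesSyncEnabled -eq $true })
$cloudOnly = @($users | Where-Object { $_.onPremisesSyncEnabled -ne $true })

Write-Host "Synchronized from AD (rotate with AD RPC): $($synced.Count)"
$synced | ForEach-Object { Write-Host ("  {0}  <- {1}" -f $_.userPrincipalName, $_.onPremisesDistinguishedName) }
Write-Host "Cloud-only (rotate with Entra ID RPC): $($cloudOnly.Count)"
$cloudOnly | ForEach-Object { Write-Host "  $($_.userPrincipalName)" }

if (-not $TargetUpn) { return }

$target = $users | Where-Object { $_.userPrincipalName -eq $TargetUpn }
if (-not $target) { throw "User $TargetUpn not found in the tenant" }
if ($target.onPremisesSyncEnabled -eq $true) {
    # Same rule Secret Server applies: synced accounts belong to AD RPC.
    throw "$TargetUpn is synchronized from on-premises AD; rotate it with AD RPC against the domain controller, not via Graph"
}
if (-not $NewPassword) { throw '-NewPassword is required when -TargetUpn is given' }

# This PATCH is the Graph call that a cloud-side password reset reduces to.
$body = @{
    passwordProfile = @{
        forceChangePasswordNextSignIn = $false
        password = [System.Net.NetworkCredential]::new('', $NewPassword).Password
    }
} | ConvertTo-Json

if ($PSCmdlet.ShouldProcess($TargetUpn, 'Reset password via Graph PATCH /users/{id}')) {
    try {
        Invoke-RestMethod -Method Patch -Uri "$graph/users/$($target.id)" `
            -Headers $headers -ContentType 'application/json' -Body $body
        Write-Host "Password reset for $TargetUpn"
    } catch {
        # A 403 here usually means the app lacks the directory role (Privileged
        # Authentication Administrator is required for users holding admin roles)
        # or the passwordProfile permission has not been admin-consented.
        throw "Graph rejected the reset for ${TargetUpn}: $($_.Exception.Message)"
    }
}
```

Run it first with only the tenant and app parameters to get the inventory, then add -TargetUpn and -NewPassword with -WhatIf to confirm the routing decision before any password is actually changed. Running it from the host that will act as the Distributed Engine also verifies that HTTPS egress to login.microsoftonline.com and graph.microsoft.com is open, which is the network prerequisite Entra ID RPC adds that AD RPC does not have.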