Products

Inside the AnyIdentity workflow: Password propagation

Anyidentidy workflow devolutions propagation blog

AnyIdentity’s password propagation feature ensures security and operational consistency by automatically synchronizing password changes across all connected systems, preventing disruptions and maintaining compliance through seamless automation.

Adam Bertram

Adam Bertram is a 20+ year veteran of IT and an experienced online business professional. He’s a successful blogger, consultant, 6x Microsoft MVP, trainer, published author and freelance writer for dozens of publications. Catch up with Adam at adamtheautomator.com for how-to tech tutorials, connect on LinkedIn, or follow him on X at @adbertram.

View more posts

In privileged access management, changing a password is only half the challenge. The other half is ensuring that this change ripples through your entire ecosystem seamlessly. AnyIdentity's password propagation feature handles this critical task to help you ensure security and consistency across your entire network.

The final piece of the puzzle

AnyIdentity's workflow operates in an efficient sequence of crucial actions:

  1. Account discovery: Unearths privileged accounts.
  2. Heartbeat: Monitors password integrity.
  3. Password rotation: Updates passwords when needed.
  4. Password propagation: Synchronizes the new password across all connected systems.

Password propagation is the critical final step, ensuring that a password change does not result in discrepancies across your infrastructure.

What does password propagation do?

At its core, password propagation has one mission: to update the password everywhere it is used. But do not let this simplicity fool you — it's a complex operation that involves:

  1. Connecting to systems;
  2. Updating the password on each connected system;
  3. Verifying the update was successful;
  4. Reporting any failures for manual intervention.

Like all AnyIdentity features, password propagation scripts are written in PowerShell, giving you the flexibility to tailor them to your specific environment.

Password propagation in action

Let's walk through a real-world scenario to see how password propagation works.

Imagine Devolutions PAM has just rotated an important password for an Active Directory account. If that account were managed via Devolutions PAM and a custom password propagation were configured for the Active Directory identity provider, the password propagation action would go something like this:

  1. Trigger the password propagation action automatically upon password change.
  2. Update the service account password on applicable services.
  3. Restart the Windows service to apply the new password.
  4. Verify that the service started successfully with the new credentials.

Although this is a simple example, since the password propagation feature is a PowerShell script, any action could be accomplished.

Here's a simplified version of what a propagation script for this scenario might look like:

[CmdletBinding()]
Param (
    [Parameter(Mandatory)]
    [ValidateNotNullOrEmpty()]
    [string]$ServiceName = "BackupExecAgentAccelerator",
    [Parameter(Mandatory)]
    [ValidateNotNullOrEmpty()]
    [string[]]$ServerName = @("BACKUP01", "BACKUP02", "BACKUP03"),
    [Parameter(Mandatory)]
    [ValidateNotNullOrEmpty()]
    [securestring]$NewPassword
)
foreach ($name in $ServerName) {
    $service = Get-CimInstance -Class Win32_Service -Filter "Name='$ServiceName'" -ComputerName $name
	$plainTextPassword = [System.Runtime.InteropServices.Marshal]::PtrToStringAuto([System.Runtime.InteropServices.Marshal]::SecureStringToBSTR($NewPassword))
	$service.Change($null, $null, $null, $null, $null, $null, $null, $plainTextPassword)
	$service.StopService()
	Start-Sleep -Seconds 5
	$service.StartService()
}
$true


This script demonstrates how AnyIdentity can update a service password across multiple servers, restart the service, and verify the change was successful. It's a prime example of how password propagation can automate a process that would be tedious and error-prone if done manually.

Pro tip: Always test your propagation scripts in a non-production environment first. The last thing you want is to accidentally lock yourself out of critical systems!


Propagation AnyIdentity devolutions blog

The power of proper propagation

Effective password propagation is more than just a convenience, nor a mere password change: it’s a critical component of your security strategy. Password propagation:

  1. Prevents service disruptions: No more frantic calls about services failing after a password change.
  2. Enhances security: Ensures that old passwords are phased out across all systems.
  3. Saves time: Automates a process that would be tedious and error-prone if done manually.
  4. Improves compliance: Automatically enforces password policies across your infrastructure without manual intervention, ensuring continuous compliance through automation rather than periodic checks.

Password propagation: Tying it all together

Password propagation might not be the flashiest feature in AnyIdentity, but it's the glue that holds your privileged access management strategy together. It turns what could be a logistical nightmare into a smooth, automated process. As you fine-tune your AnyIdentity setup, pay special attention to your propagation configurations.

When done right, a well-propagated password change often goes unnoticed, but everybody benefits from it!

Related Posts

Read more Products posts