Secret Server
→ Delinea Platform
→ Delinea Platform
A structured, end-to-end migration guide for security teams moving from on-premises Secret Server to the cloud-native Delinea Platform. Follow each phase in order to ensure a complete, auditable, zero-loss migration.
5
Migration Phases
47
Checklist Items
9
Training Modules
Migration Roadmap
PHASE 1 · WEEKS 1–2
Pre-Migration Assessment
Inventory all secrets, audit custom templates, and map every integration. Build a complete picture of what you have before moving anything.
PHASE 2 · WEEKS 3–4
Export & Staging
Export secrets and metadata using the Secret Server CLI/API. Validate export integrity before proceeding.
PHASE 3 · WEEK 5
Transform & Import
Map Secret Server templates to Delinea Platform equivalents. Transform JSON payloads, then import in batches with validation at each step.
PHASE 4 · WEEK 6
Post-Migration Validation
Run full validation checklist. Confirm all secrets accessible, permissions correct, integrations healthy, and audit logs intact.
PHASE 5 · WEEKS 6–8
Cutover & Communication
Decommission legacy Secret Server, execute user communication plan, and complete on-prem integration handoffs.
Before you begin: Ensure you have Delinea Platform tenant credentials, a full backup of Secret Server (including encryption key), and an approved change management ticket for each migration window. Run the full process in a staging environment first.
Phase 1 · Assessment
Secret Inventory
Before migrating a single secret, you need a complete, auditable inventory of everything in Secret Server. This is your source of truth for the entire migration.
Step 1: Generate a Full Export Report
Use the Secret Server REST API or built-in reporting to enumerate all secrets across all folders. Never rely on manual counts.
■ Export All Secrets (API)
Run against your on-prem Secret Server instance
# Authenticate and retrieve token
$ curl -X POST https://YOUR-SS-HOST/oauth2/token \
-d "grant_type=password&username=admin&password=PASS&scope=api"
# Get full secret inventory count
$ curl -H "Authorization: Bearer TOKEN" \
https://YOUR-SS-HOST/api/v1/secrets?take=1 | jq '.total'
# Export all secret stubs (id, name, template, folder, active)
$ for page in $(seq 0 $PAGES); do
curl -H "Authorization: Bearer TOKEN" \
"https://YOUR-SS-HOST/api/v1/secrets?skip=$((page*100))&take=100" \
>> secrets_inventory.json
done
Step 2: Categorize by Secret Type
Group secrets into categories. This drives template mapping in the next phase.
| Category | Examples | Migration Risk | Special Handling |
|---|---|---|---|
| Standard Credentials | Windows, Linux, Active Directory accounts | LOW | Direct template map available |
| Database Accounts | SQL, Oracle, MySQL, PostgreSQL | LOW | Verify RPC connector compatibility |
| API Keys / Tokens | AWS, Azure, Salesforce API keys | MEDIUM | Check expiry; may need rotation pre-migration |
| SSH Keys | RSA, ED25519 private keys | MEDIUM | Preserve passphrase handling |
| Custom Templates | Org-specific fields, scripts | HIGH | Manual template recreation required |
| On-Prem Only Secrets | Vault credentials, network device | HIGH | See Module 09 for special treatment |
Step 3: Inventory Assessment Checklist
-
✓Export complete secret count from Secret Server reportsReports → All Secrets report, or API /v1/secrets?take=1 for total count
-
✓Document folder/vault hierarchy and naming conventionsExport folder tree; note any non-standard structures that may not map 1:1
-
✓Identify and catalog all inactive/disabled secretsDecision needed: migrate disabled secrets or archive/delete before migration
-
✓Document all secret permissions and group assignmentsPermissions must be re-created on Delinea Platform; export ACLs per secret
-
✓Identify secrets with active checkout policiesCheckout policies must be rebuilt manually on the destination tenant
-
✓Flag secrets with expiration dates or password rotation schedulesTime-sensitive secrets need rotation scheduling rebuilt post-migration
-
✓Document secret dependencies (secrets that reference other secrets)Linked secrets must be imported in correct dependency order
Phase 1 · Assessment
Custom Template Audit
Secret Server templates define the fields each secret contains. Standard templates have direct Delinea Platform equivalents, but custom templates require manual recreation. This audit determines scope.
Critical Step: Custom templates are the most common cause of migration failures. Every custom template must be inventoried, mapped, and recreated on Delinea Platform before any secrets that use it can be imported.
Identify All Templates
■ List All Secret Templates via API
# Get all secret templates
$ curl -H "Authorization: Bearer TOKEN" \
"https://YOUR-SS-HOST/api/v1/secret-templates" \
| jq '.records[] | {id, name, fields: [.fields[].displayName]}'
# Get count of secrets per template
$ curl -H "Authorization: Bearer TOKEN" \
"https://YOUR-SS-HOST/api/v1/reports" -X POST \
-d '{"reportName": "Secrets By Template"}' | jq '.rows'
Template Classification Matrix
| SS Template | Delinea Equivalent | Field Delta | Action Required |
|---|---|---|---|
| Windows Account | Windows Account | None | AUTO MAP |
| Active Directory Account | Active Directory Account | None | AUTO MAP |
| Unix Account (SSH) | Unix Account (SSH) | None | AUTO MAP |
| SQL Server Account | SQL Server Account | None | AUTO MAP |
| Web Password | Web Password | None | AUTO MAP |
| Oracle Account | Oracle Account | Minor field rename | VERIFY |
| Amazon IAM Key | AWS IAM | Field structure differs | TRANSFORM |
| Custom (org-specific) | — | All fields custom | CREATE NEW |
Custom Template Recreation Steps
1
Export template definition
For each custom template, document: template name, all field names, field types (text/password/URL/file/notes), which fields are required, and any password generator rules attached.
2
Create matching template on Delinea Platform
Navigate to Admin → Secret Templates → New Template. Recreate all fields using the same names and types. Note the new template ID for use in the transformation scripts.
3
Map template IDs in transform config
Update the migration transform config with the SS template ID → Delinea Platform template ID mapping. This ensures secret payloads target the correct template during import.
4
Validate with a single test secret
Import one secret using the custom template before bulk importing. Verify all fields populate correctly, password fields are masked, and the secret is accessible to test users.
Template Audit Output: Produce a Template Mapping Sheet (spreadsheet) with columns: SS Template ID, SS Template Name, Delinea Template ID, Delinea Template Name, Status, and Notes. This becomes a required artifact for the migration sign-off.
Template Audit Checklist
- ✓Export complete list of all templates with field definitionsUse API or Admin → Secret Templates export
- ✓Classify each template: AUTO MAP / TRANSFORM / CREATE NEWPopulate Template Mapping Sheet
- ✓Create all custom templates on Delinea Platform tenantInclude all fields, types, and required settings
- ✓Record old → new template ID mapping in transform configRequired for the Transform phase script
- ✓Validate each new template with at least one test importConfirm all fields, masking, and access controls work correctly
- ✓Document password generators / complexity rules for re-creationPassword policies need to be recreated separately in Delinea Platform
Phase 1 · Assessment
Integration Mapping
Every integration connected to Secret Server needs to be inventoried, assessed for cloud compatibility, and assigned a migration strategy. This is often the most complex part of migration planning.
Integration Discovery
Document every system that calls Secret Server APIs, uses the SS SDK, relies on the Discovery service, or has RPC (Remote Password Changing) configured.
■ Integration Inventory Worksheet
Complete one row per integration
| Integration Type | Cloud Compatible? | Strategy | Module |
|---|---|---|---|
| SIEM (Splunk, QRadar) | YES | Update API endpoint in SIEM connector | Standard |
| CI/CD (Jenkins, Azure DevOps) | YES | Replace SS plugin with Delinea DevOps plugin | Standard |
| ITSM (ServiceNow, Jira) | YES | Update webhook URLs and OAuth credentials | Standard |
| Ansible / Terraform | YES | Swap Thycotic provider for Delinea provider | Standard |
| Active Directory / LDAP | PARTIAL | Delinea Platform Cloud requires LDAP connector or Delinea connector agent | Special |
| On-Prem RPC / Password Changing | REQUIRES AGENT | Deploy Delinea Connector for RPC bridging | Module 09 |
| Network Device Discovery | REQUIRES AGENT | Deploy on-prem Discovery Engine agent | Module 09 |
| Custom SS API Scripts | REWORK | Migrate to Delinea Platform REST API (path changes) | Special |
✓ Standard Migration Path
Cloud-ready integrations
- Update API base URL to Delinea Platform tenant
- Generate new API service account credentials
- Update OAuth app registrations if applicable
- Test connectivity before cutover date
⚠ Special Handling Required
On-premises dependent integrations
- Deploy Delinea Connector agent on-prem
- Configure cloud-to-prem secure tunnel
- Some features may remain in hybrid mode
- See Module 09 for full treatment
Integration Mapping Checklist
- ✓Document all systems consuming Secret Server APIsReview access logs, IIS logs, and SDK call inventory
- ✓Classify each integration: standard / partial / requires agentPopulate integration inventory worksheet with strategy per integration
- ✓Identify all RPC-configured secrets and target systemsRPC secrets with on-prem targets need Delinea Connector deployment
- ✓Inventory all custom scripts / PowerShell hooks attached to secretsScripts must be re-imported and re-associated post-migration
- ✓Confirm Delinea Connector sizing for on-prem agent deploymentsAssess CPU/memory requirements based on secret count and RPC frequency
Phase 2 · Migration Runbook
Export Phase
This phase produces the encrypted export package from Secret Server. Work in a maintenance window where possible. All exports must be integrity-verified before proceeding.
Export Using Secret Server CLI
■ Full Export Command
# Install Secret Server CLI if not present
$ Install-Module -Name SecretServer.Tools -Force
# Connect to on-prem instance
$ Connect-SecretServer -SecretServerUrl "https://YOUR-SS-HOST/SecretServer" \
-Username "migration-svc" -Password (Read-Host -AsSecureString)
# Export ALL secrets to encrypted JSON
$ Export-SecretServerSecrets -IncludeAll \
-ExportPath "C:\migration\ss_export_$(Get-Date -f yyyyMMdd).json" \
-EncryptionKey (Read-Host "Export encryption key" -AsSecureString) \
-IncludeFolders -IncludePermissions -IncludeMetadata
# Generate SHA-256 checksum for integrity verification
$ Get-FileHash "C:\migration\ss_export_*.json" -Algorithm SHA256 | Export-Csv checksum.csv
Security Note: The export file contains sensitive credential data in encrypted form. Store the export encryption key separately from the export file. Use a key vault or an out-of-band secure channel to transmit the key to the import engineer.
Verify Export Integrity
# Verify checksum matches on destination system
$ $expected = Import-Csv checksum.csv | Select-Object -ExpandProperty Hash
$ $actual = (Get-FileHash "ss_export_*.json" -Algorithm SHA256).Hash
$ if ($expected -eq $actual) { Write-Host "✓ INTEGRITY OK" -ForegroundColor Green }
else { Write-Error "✗ CHECKSUM MISMATCH - DO NOT PROCEED" }
1
Verify secret count matches
Count secrets in exported JSON. Must match the inventory count from Phase 1. Any discrepancy must be investigated before proceeding.
2
Spot-check 10–20 random secrets
Manually decrypt and inspect a random sample. Verify field values, template assignments, and folder paths are present and correct.
3
Verify sensitive field encryption
Confirm that password fields are not stored in plaintext in the export file. They should appear as encrypted blobs or masked values only.
Prepare Migration Package
Assemble all artifacts needed for the Import phase into a single migration package.
■ Migration Package Contents
ss_export_YYYYMMDD.json— Encrypted secrets exportchecksum.csv— SHA-256 integrity hashestemplate_mapping.csv— SS template ID → Delinea template IDfolder_mapping.csv— SS folder paths → Delinea vault pathspermissions_export.json— ACL data per secret/folderintegration_inventory.xlsx— All integration records with statustransform_config.json— Field transformation rules
Package Checklist: All seven files must be present before proceeding to the Transform phase. Get a second engineer to sign off on the package inventory.
Export Phase Checklist
- ✓Create dedicated migration service account in Secret ServerNeeds Admin role with export rights; disable after migration
- ✓Run export in maintenance window; notify users of read-only periodRecommended: 2AM–4AM Saturday window
- ✓Verify exported secret count matches Phase 1 inventory totalZero tolerance for count discrepancy
- ✓SHA-256 checksum generated and stored separately from exportStore checksum in change ticket; don't bundle with export file
- ✓Encryption key transmitted via secure out-of-band channelNever send key and ciphertext via same channel (no email)
- ✓Migration package assembled and second-engineer sign-off obtainedSee package contents list above
Phase 2 · Migration Runbook
Transform Phase
The transform phase converts Secret Server's data format into the Delinea Platform import format. This includes template remapping, folder path conversion, and field-level transformations.
Transform Configuration
■ transform_config.json — Template Mapping
{
"templateMappings": [
{
"ssTemplateId": 6001,
"ssTemplateName": "Custom App Credential",
"delineaTemplateId": "tpl_8ab2c9de",
"fieldMappings": [
{ "ssField": "Application Name", "delineaField": "app_name" },
{ "ssField": "Service Account", "delineaField": "username" },
{ "ssField": "Password", "delineaField": "password", "sensitive": true },
{ "ssField": "Environment Tag", "delineaField": "env_tag" }
]
}
],
"folderMappings": [
{ "ssPath": "\\Company\\Infrastructure", "delineaVault": "Infrastructure" },
{ "ssPath": "\\Company\\Applications", "delineaVault": "Applications" }
],
"defaultPermissionGroup": "MigratedSecretsUsers"
}
Run the Transform Script
■ Python Transform Script
# Install migration toolkit
$ pip install delinea-migration-tools
# Run transform (dry run first)
$ delinea-migrate transform \
--input ss_export_20250101.json \
--config transform_config.json \
--output delinea_import.json \
--dry-run # Remove for real run
# Validate transformed output
$ delinea-migrate validate \
--file delinea_import.json \
--schema delinea-platform-v2
# Review transform report
$ cat transform_report.json | jq '.summary'
Transform Validation Checklist
- ✓Dry-run produces zero errors in transform reportAny ERROR-level entries must be resolved before real run
- ✓All template IDs resolve correctly in transform configUnknown template IDs will cause those secrets to fail import
- ✓Folder path mappings cover all SS folder paths in the exportUnmapped paths fall back to root vault — verify this is intended
- ✓Sensitive fields remain encrypted through transformInspect output file — passwords must not appear in plaintext
- ✓Output secret count matches input export countCount transform.input vs transform.output in report summary
Phase 2 · Migration Runbook
Import Phase
Import the transformed payload to Delinea Platform in batches. Run in test first, then production. Monitor import logs in real time and be prepared to roll back.
Point of No Return: Once you begin the production import and send the user communication, plan to complete the cutover. Secrets modified in Secret Server after the export snapshot will not be reflected in Delinea Platform. Freeze Secret Server writes before beginning this phase.
1
Create Delinea Platform API Service Account
In Delinea Platform: Admin → Service Users → New. Assign: Vault Admin, Secret Creator, Permission Manager roles. Generate and securely store API credentials.
2
Run test import (first 50 secrets)
Import a slice of 50 secrets from each template type. Validate in the Delinea Platform UI: check fields, permissions, vault placement, and accessibility before bulk importing.
3
Bulk import in batches of 500
Use
--batch-size 500 to stay within API rate limits. Monitor error logs between batches. Pause and investigate any non-zero error rates before continuing.4
Import permissions and ACLs
Run the permissions import step separately after secrets are imported. Map SS groups to Delinea Platform roles. Verify that test users can access their expected secrets.
5
Rebuild checkout policies and rotation schedules
Checkout policies and rotation schedules don't export/import automatically. Use the audit from Phase 1 to manually recreate each policy in Delinea Platform.
■ Bulk Import Command
# Authenticate to Delinea Platform
$ delinea-migrate auth \
--tenant https://YOUR-TENANT.delinea.app \
--client-id CLIENT_ID \
--secret CLIENT_SECRET
# Dry run (always run this first)
$ delinea-migrate import \
--file delinea_import.json \
--batch-size 500 \
--dry-run \
--log import_log.json
# Production import
$ delinea-migrate import \
--file delinea_import.json \
--batch-size 500 \
--log import_log.json \
--on-error pause # pause | continue | abort
# Post-import count verification
$ delinea-migrate verify \
--expected 4821 \
--tenant https://YOUR-TENANT.delinea.app
Import Checklist
- ✓Secret Server is set to read-only mode before import beginsPrevent any writes during import window to avoid divergence
- ✓Test import (50 secrets) completes with zero errorsEach template type must be represented in the test slice
- ✓Bulk import log shows 0 ERROR entriesWARN entries are acceptable if understood; ERRORs are not
- ✓Post-import count matches expected valueRun delinea-migrate verify command; must show PASS
- ✓Permissions import completed and spot-checkedVerify 5+ users can access their expected secrets with correct permissions
- ✓Checkout policies and rotation schedules rebuiltAll policies from Phase 1 audit must be recreated
Phase 3 · Post-Migration
Post-Migration Validation
This checklist must be completed and signed off by both the migration engineer and a security approver before Secret Server is decommissioned. Do not skip any item.
0Validated
12Total Items
0%Complete
Data Integrity
- ✓Total secret count in Delinea Platform matches SS export countUse delinea-migrate verify — must return PASS
- ✓Random sample of 50+ secrets verified field-by-fieldCompare SS values to Delinea Platform values manually for sampled set
- ✓All custom template secrets fully populated (no missing fields)Filter by each custom template in Delinea Platform; inspect all fields
Access & Permissions
- ✓Privileged users can authenticate and retrieve secretsTest with 3+ different user accounts across different permission groups
- ✓Read-only users cannot write/modify secretsNegative access test: attempt to edit as read-only role — must be denied
- ✓Checkout policies function correctlyCheck out a secret, confirm it's locked to other users, check back in
- ✓MFA enforcement active on Delinea Platform tenantVerify MFA challenge appears for all non-service accounts
Integrations
- ✓All CI/CD pipelines successfully retrieving secrets from new endpointTrigger a test build for each pipeline; verify secret injection works
- ✓SIEM integration receiving audit events from Delinea PlatformPerform a test secret access; confirm event appears in SIEM within 5 min
- ✓Password rotation functions on at least one test secretTrigger manual rotation; confirm new password is set on target system
Audit & Compliance
- ✓Audit log continuity confirmed — historic SS logs preservedSS audit logs must be archived before decommissioning; verify archive accessible
- ✓Migration sign-off obtained from Security Owner and CISOBoth signatures required in change management ticket before SS decommission
Validation Complete: When all 12 items are checked, email the completed validation report (screenshot or export of this checklist) to the Security Owner, attach to the change ticket, and proceed to the User Communication plan.
Phase 3 · Post-Migration
User Communication Plan
A structured communication plan reduces helpdesk ticket volume, prevents access disruption, and builds user confidence in the new platform. Send communications on time — late notices cause panic.
Communication Timeline
T – 30 DAYS
Migration Announcement Email
Notify all Secret Server users of the upcoming migration. Include timeline, benefits, what's changing, and what users need to do. No action required from users at this stage.
T – 14 DAYS
Training Invitation & Resource Distribution
Send Delinea Platform onboarding guide, quick-start video links, and login instructions for the new tenant. Offer optional live Q&A sessions for power users.
T – 7 DAYS
Reminder + Parallel Access Period Notice
Remind users of the cutover date. Announce that both systems will be available (read-only SS, full Delinea Platform) during the 7-day parallel period.
T – 1 DAY
Pre-Cutover Maintenance Notice
Final reminder. Confirm the maintenance window time, expected duration, and that Secret Server will be in read-only mode during the window. Provide escalation contact.
T + 0 (CUTOVER DAY)
Cutover Go-Live Announcement
Send when Delinea Platform is live and validated. Include direct login URL, helpdesk contact, and known issues list. Confirm Secret Server is now read-only.
T + 14 DAYS
Secret Server Decommission Notice
Notify users that Secret Server will be taken offline in 14 days. Last chance to report any missing secrets or access issues. Helpdesk escalation path published.
T + 28 DAYS
Secret Server Decommission Confirmation
Confirm Secret Server is offline. Provide archive access process for audit log retrieval. Migration complete — close change ticket.
Email Templates
T–30 Days: Migration Announcement
›
Subject: [ACTION REQUIRED] Password Manager Migration — Secret Server → Delinea Platform
Team,
We are migrating from on-premises Secret Server to the Delinea Platform cloud service.
WHAT'S CHANGING
- Your secrets and passwords will be accessible at: https://[TENANT].delinea.app
- New login uses your existing SSO / Active Directory credentials
- All your current secrets will be migrated — no data will be lost
WHAT YOU NEED TO DO
- No action needed today
- Training resources will be sent in 2 weeks
- Watch for a calendar invite for optional onboarding sessions
CUTOVER DATE: [DATE] at [TIME] — brief 2-hour maintenance window
Questions? Contact: [SECURITY TEAM EMAIL]
— [Security Team]
T+0: Go-Live Announcement
›
Subject: ✅ Delinea Platform is LIVE — Action Required
Team,
The migration is complete. Delinea Platform is now your primary password manager.
YOUR NEW ACCESS URL: https://[TENANT].delinea.app
LOGIN: Use your existing [SSO/AD] credentials
MFA: You will be prompted to set up MFA on first login
WHAT TO DO NOW
1. Log in to https://[TENANT].delinea.app
2. Verify you can access your secrets
3. If anything is missing, email [MIGRATION TEAM] immediately
SECRET SERVER STATUS: Read-only until [DATE], then decommissioned.
Do not add new secrets to Secret Server.
NEED HELP?
- Quick-start guide: [LINK]
- Video walkthrough: [LINK]
- Helpdesk: [EMAIL] | [PHONE]
— [Security Team]
Communication Checklist
- ✓T–30: Announcement sent to all Secret Server usersPull user list from Secret Server directory; CC security leadership
- ✓T–14: Training resources and login instructions distributedInclude Delinea Platform quick-start guide, video link, and helpdesk contact
- ✓T–7: Reminder and parallel access period communicatedConfirm both systems available during transition period
- ✓T–1: Pre-cutover maintenance window notice sentInclude exact times, expected duration, escalation contact
- ✓T+0: Go-live announcement sent immediately after validationDo not send until post-migration validation checklist is 100% complete
- ✓Helpdesk team briefed and escalation runbook preparedHelpdesk needs: FAQ doc, access troubleshooting guide, escalation contact
Phase 3 · Special Handling
On-Prem Integration Treatment
Some secrets and integrations cannot simply "move to the cloud" — they depend on direct access to on-premises systems. Each category requires a specific bridging strategy. Never leave these unaddressed.
Common Migration Failure Point: Teams that migrate secrets without addressing on-prem dependencies discover broken integrations on cutover day. Address all items in this module before the production import begins.
On-Premises Dependency Categories
Remote Password Changing (RPC) to On-Prem Systems
›
REQUIRES DELINEA CONNECTOR AGENT
Secrets configured with RPC to Windows/Linux/AD accounts on internal systems cannot reach those targets from the Delinea Platform cloud without a bridging agent.
1
Deploy Delinea Connector on-premises
Install the Delinea Connector agent on a Windows Server (2019+ recommended) in each on-prem network segment that hosts RPC targets. The connector creates an outbound HTTPS tunnel — no inbound firewall rules needed.
2
Register connector with Delinea Platform tenant
In Delinea Platform: Admin → Connectors → Register. Each connector gets a unique identifier. Associate the connector with the relevant vault or secret policy.
3
Reassign RPC secrets to use connector
Post-import, edit each RPC-enabled secret to specify the connector it should route through. Test password rotation on one secret per connector before bulk-enabling.
# Install Delinea Connector (PowerShell, run on-prem server)
$ Invoke-WebRequest -Uri "https://download.delinea.com/connector/latest" \
-OutFile DelineaConnector.msi
$ msiexec /i DelineaConnector.msi \
TENANT_URL=https://YOUR-TENANT.delinea.app \
CONNECTOR_NAME="Corp-DC01-Connector" /quiet
Network Device Discovery
›
REQUIRES ON-PREM DISCOVERY ENGINE
Secret Server's Discovery scanner runs on your network to find accounts on servers, AD, and network devices. Delinea Platform's discovery uses the same connector agent framework.
- The Delinea Connector also handles Discovery — no separate agent install needed if RPC connector is already deployed
- Recreate Discovery Sources in Delinea Platform Admin → Discovery → New Source, pointing to the connector
- Run a manual discovery after configuration to verify account collection works before enabling scheduled scans
- Legacy scanner rules and import rules must be manually recreated in Delinea Platform
Active Directory / LDAP Integration
›
HYBRID — CONNECTOR OPTIONAL
Delinea Platform supports both cloud-native Azure AD / Entra SSO and on-prem AD via the Connector. Your approach depends on your AD architecture.
| Scenario | Approach | Complexity |
|---|---|---|
| Azure AD / Entra | Configure SSO directly in Delinea Platform — no connector needed | LOW |
| On-prem AD, not synced to cloud | Deploy Delinea Connector; configure LDAP source pointing through connector | MEDIUM |
| On-prem AD with AAD Connect | Use Entra SSO; AD groups sync automatically | LOW |
| Multi-forest AD | Connector per forest; configure trust relationships in Delinea Platform | HIGH |
Custom PowerShell / Script Heartbeat Checks
›
REWORK REQUIRED
Secrets with attached heartbeat or RPC scripts in Secret Server use script paths on the SS server. These scripts must be re-hosted and re-attached in Delinea Platform.
1
Export all scripts from Secret Server
Admin → Scripts → Export each Heartbeat, RPC, and Discovery script. Save to version control before migrating.
2
Import scripts to Delinea Platform
Admin → Scripts → New Script. Import content. Note that scripts run via the Delinea Connector agent in the on-prem network — update any hardcoded server paths.
3
Re-associate scripts with secrets post-import
For each secret requiring a custom script: edit secret → select Heartbeat/RPC script → choose the newly imported script. Test heartbeat on one secret before bulk-enabling.
Air-Gapped / Isolated Network Secrets
›
CANNOT FULLY MIGRATE — HYBRID APPROACH
Secrets used exclusively within air-gapped or highly restricted network segments (OT/ICS, classified networks, isolated labs) cannot be managed by a cloud service without a controlled egress path.
Recommended Approach: Maintain a minimal on-premises Secret Server instance (or a Delinea Platform Connector-only node) for air-gapped secrets. Migrate all other secrets to the cloud and document the hybrid architecture in your security baseline.
- Document which secrets must remain on-prem and why — this is a compliance and risk decision, not a technical one
- Establish a formal review cycle (quarterly) to reassess whether isolated secrets can eventually move to cloud
- Ensure on-prem Secret Server instance receives security patches even if no longer the primary vault
- If decommissioning SS fully: export air-gapped secrets to an approved local vault solution with equivalent controls
On-Prem Integration Checklist
- ✓Delinea Connector deployed in each on-prem network segmentVerify outbound HTTPS connectivity from connector to Delinea Platform
- ✓All RPC-enabled secrets reassigned to route via Delinea ConnectorTest rotation on one secret per connector before enabling all
- ✓Discovery sources recreated in Delinea Platform and testedRun manual discovery and verify accounts are collected correctly
- ✓AD/LDAP integration tested with production user accountsVerify group memberships sync and users can log in with AD credentials
- ✓All custom scripts re-imported and re-tested in Delinea PlatformEach script must pass at least one successful heartbeat/rotation test
- ✓Air-gapped secrets formally documented and hybrid approach approvedApproval from Security Owner; documented in security baseline
Migration Complete: With all nine modules completed and checklists signed off, your Secret Server to Delinea Platform migration is finished. Archive this guide with your completed checklists as evidence for audit purposes.