Platform Upgrade Center
Training Guide

The Platform Upgrade Center option will not appear in the Settings menu unless the Secret Server Administrator role has all three of the following permissions enabled.

• 01Navigate to Admin → Roles and open the Secret Server Administrator role.
• 02Ensure the following permissions are enabled: Administer Platform Integration, View Platform Integration, Migrate Data to Platform.
• 03Save the role. Then navigate to Settings → Platform Upgrade Center to confirm the option is visible.

If your SSC instance uses Active Directory synchronisation, Delinea requires five preparatory steps from the Quick Start Guide for AD Customers before starting the Upgrade Center — skipping these causes group sync failures post-upgrade.

• 01Add the Platform System Administrator group to the list of synchronized groups: Secrets Administration → Platform Upgrade → Groups tab.
• 02Add a Secret Server Administrator role to the new Platform System Administrator group so your domain account retains SS admin rights post-upgrade.
• 03Ensure your personal domain admin account is a member of the Platform System Administrator group.
• 04Provision one (minimum) or two (recommended) Windows Server 2019+ VMs to host the Delinea AD Connector.
• 05Confirm the AD Connector servers meet requirements: domain-joined, no outbound SSL inspection, outbound TCP 443 to delinea.app.

The cloudadmin@[tenantname] account is the first account on the Platform. It is a local account with no SSO dependency. Ensure you have this account's credentials stored offline before starting the upgrade — it is your only access path if SSO fails during Step 5 (Federation).

Navigate to Admin → Distributed Engine → Manage Sites. All engines should show a green Online status. Engines in a degraded or outdated state must be resolved before proceeding with the upgrade.

Status	Meaning	Action Required
● Online	Engine healthy and communicating	None — proceed
● Needs Update	Engine version behind current SS version	Run engine updater on host
● Offline	Engine not responding to SS	Check service, firewall, connectivity
● Initialising	Engine recently restarted	Wait 5 min then recheck

After upgrade, all engine communication moves to the new Platform domain. Add the new outbound rules to perimeter firewalls and proxy PAC files covering each engine host before the upgrade begins.

Open Secret Server Cloud and navigate to Settings → Platform Upgrade Center. Begin Step 1 to provision your Platform tenant. If branding customisations exist in SSC, they will be automatically copied to the Platform tenant at this stage.

• 01In SSC, go to Settings → Platform Upgrade Center.
• 02Click Start on Step 1: Provision Platform Tenant.
• 03Confirm or adjust the tenant name (typically same as SSC name).
• 04Confirm the region (defaults to your SSC region).
• 05Click Launch Platform once provisioning completes.
• 06You will be prompted to set a password for the cloudadmin account — record this securely.
• 07Once logged in to the Platform, navigate to the Platform Upgrade Center from within the Platform to continue with Step 2.

For AD environments, the Upgrade Center automatically creates two Identity Policies: an Allow List policy scoped to the "Secret Server Directory Users" group, and a Deny policy for all other users. Review these policies and customise them to your security requirements.

• 01Navigate to Settings → Identity Policies on the Platform.
• 02Review the auto-created Allow List policy — it mirrors the default policy but is scoped to group membership.
• 03Confirm the Secret Server Directory Users group is included in the Allow List policy.
• 04All existing AD-synced users and new synchronized users will be automatically added to this group.
• 05Adjust MFA requirements, session duration, and other policy settings to match your security standards.

The AD Connector is downloaded from within the Platform. It is installed on a Windows Server 2019+ machine that is domain-joined to the forest containing your AD users. The same server running a Distributed Engine can be used, but check minimum requirements differ.

• 01In the Platform, navigate to Settings → Connectors.
• 02Click Add Connector.
• 03In Box 1, click Download to get the 64-bit Connector Installer.
• 04In Box 2, copy and save the Tenant URL.
• 05Generate or copy a Connector Registration Code — save it for the installer wizard.
• 06Copy the installer to the target connector server and run it as Administrator.
• 07In the Connector Configuration Wizard, select Use Registration Code and paste the saved code.
• 08The wizard reads the forest and displays all domains — select the domains to connect.
• 09Return to the Platform and confirm the connector shows as Connected.

The Upgrade Center detects any Entra ID tenants currently in use by Secret Server and presents this step. An Azure application registration is required to enable the Platform to authenticate against Entra ID. Choose one of two methods:

Method	Who Manages Azure	Best For
Delinea-managed app	Delinea handles Azure components	Customers who want minimal Azure admin overhead
Customer-managed app	You create & manage the Azure app registration	Customers who require full Azure resource control

• 01Click Start on Step 4 in the Upgrade Center.
• 02Select your preferred method (Delinea-managed or customer-managed).
• 03Follow the configuration wizard to complete the Entra ID app registration.
• 04Return to Upgrade Center and click Refresh to confirm the Entra ID tenant shows as connected.
• 05Mark the step complete.

Add federation providers (Okta, Entra ID / Azure AD, Ping, ADFS, etc.) following the Delinea SAML & OIDC Federation guides. Critically, the new ACS URL and Entity ID use the delinea.app domain — update these in your IdP application before testing.

Use the correct user mapping settings based on your user population:

User Type	Map Federated User	Create local if unable to map
AD users logging into Platform	Required	DISABLED
Non-domain users (local SS users)	Required	ENABLED

This step copies Secret Server roles, local users, and local groups into the Platform. Understand what gets created:

SS Object	What Gets Created on Platform	Effect in SS
SS Roles	Platform roles prefixed with "Secret Server " (e.g. "Secret Server Administrator")	No change to existing roles
Local Users	Copied to Platform with password hash; Thycotic One users invited to set a password	Users exist in both until login
Local Groups	Platform groups created with same name, set to "Managed by Platform"	Groups become read-only in SS
Group → Role associations	Group becomes member of matching Platform role	Permissions remain equivalent

• 01Start with a pilot: select 2–5 users representing different role types.
• 02Run the migration for the pilot group and validate login and SS access.
• 03Confirm migrated users can log in via the Platform URL and see their secrets in SS.
• 04Once pilot is validated, migrate remaining groups in batches.
• 05After all groups are migrated, users can authenticate to either SS or the Platform equivalently.

Executing Step 7 unifies management. From this point, any changes to user details, group membership, or role assignments must be made in the Platform — they replicate down to Secret Server automatically.

• 01Confirm all users, groups, and roles from Step 6 are verified and correct.
• 02Confirm all federation/SSO integrations are working (Step 5).
• 03Click Complete Upgrade in the Upgrade Center.
• 04Verify that Roles and Permissions in SS now show as read-only.
• 05Communicate to all users that the Platform URL (delinea.app) is now the primary access point.

PRA handles all privileged session proxying. Before modifying engine or gateway configuration to point at the new Platform URL, drain all active sessions and put the PRA gateway in maintenance mode to prevent in-flight sessions from being interrupted.

• 01Send user notification (minimum 30 minutes): all PRA sessions will be terminated.
• 02Navigate to Admin → Session Recording and verify zero active sessions.
• 03Put PRA gateway in maintenance mode (blocks new sessions, allows active ones to complete).
• 04Export current PRA gateway configuration: engine address, port, certificate binding.
• 05Update the PRA gateway callback URL to the new Platform tenant URL (delinea.app).
• 06Take PRA out of maintenance mode and validate a test session launches successfully.

Continuous Identity Discovery (CiD) extends the discovery capabilities of Secret Server Cloud on the Delinea Platform. It is a subset of ITP/PCCE (Identity Threat Protection / Privilege Control for Cloud Entitlements) and continuously inventories privileged accounts, shadow admins, and unvaulted credentials across cloud services and applications — without requiring custom scripts.

PCCE adds full Cloud Infrastructure Entitlement Management (CIEM) and Identity Threat Detection and Response (ITDR), enforcing least privilege across AWS, Azure, GCP, and SaaS platforms using ML-based analytics.

What CiD / PCCE discovers:

• 01Inventories — Centralised view of all identities, groups, and assets across cloud services. Visibility into privileged accounts by permissions, roles, groups, and federations.
• 02Checks — Continuous monitoring for identity misconfigurations and over-privileging: unvaulted admin credentials, shadow admins, stale access, and PAM bypass detection (direct cloud logins that circumvent the vault).
• 03PCCE Cloud Entitlements — Right-size permissions across AWS, Azure, GCP, and SaaS. Detect privilege escalation paths, incomplete off-boarding, and federated account sprawl.

Engine requirement for CiD / ITP: A Platform Engine with the ITP for Active Directory or cloud workload capability must be installed and healthy in a site with network access to the relevant directory or cloud environment.

• 01Navigate to Engine Management → [Site] → Engines → Capabilities → Add Capabilities and add the ITP for Active Directory workload to an engine with domain controller access.
• 02For cloud sources (AWS, Azure, GCP), navigate to Integrations → Sources → Create Source. Select the cloud provider type (Threat Protection).
• 03For AWS: ensure AWS CloudTrail is configured and writing logs to an S3 bucket before integrating. The platform uses an assumed-role integration (CloudFormation StackSet recommended for multi-account).
• 04For Active Directory CiD: provision a service account with Domain Admins or Administrators membership on the engine host; add it as the credential secret for the AD source.
• 05Navigate to Inventory → Identity Posture → Checks and review: Unvaulted Admin Credentials, Unvaulted Privileged Accounts, and PAM Bypass checks.
• 06For accounts flagged as unvaulted, vault them directly from the Inventory view or define reports for scheduled compliance reviews.
• 07Customise privileged and admin account definitions under Inventory → Collections → System if the defaults don't match your organisation's standards.

PCS on the Delinea Platform uses an agent installed on managed Linux/Windows servers. If you are enabling PCS post-upgrade, install the Delinea Agent from the Platform Marketplace, run Discovery, and configure Authentication Profiles and PCS policies.

• 01In the Platform, navigate to Marketplace → Download Center. Search for Agent and download for your OS.
• 02Install the agent on each server to be managed. For Linux, ensure Perl and forward/reverse DNS are in place.
• 03Run Discovery from the Platform to detect and inventory the newly-agented machines.
• 04Configure Authentication Profiles for Endpoint Login and Local Administrator Privilege policies (do not set Challenge 1 to Password).
• 05Set up PCS Policies and validate session recording is functional for agented Linux hosts.

Navigate to Engine Management in the Platform. All Platform Engines should show as healthy. Engines transmit their status continuously — if the Platform finds a status is outdated, it automatically sends upgrade instructions.

• 01Navigate to Engine Management in the Platform left navigation.
• 02For each site, open the site and review the Engines tab.
• 03Confirm engine version and status. Engines on version 1.5.8+ will auto-upgrade.
• 04For any engine showing unknown exceptions, follow the manual upgrade procedure: run the uninstall PS script → wait for engine to disappear from site → click Add Engine to reinstall the latest version.

Platform Engines can be extended with additional capabilities (workload packages) for features like PCS, PRA, CiD, or Continuous Identity Discovery. Add capabilities to existing engines without reinstalling the engine base service.

• 01Navigate to Engine Management → [Site Name] → Engines tab.
• 02Select the engine you wish to extend.
• 03Click the Capabilities tab, then Add Capabilities.
• 04Select the desired capability (e.g. PCS, PRA) and click Add.
• 05Confirm the new capability appears in the capabilities table.

Before importing secrets from an external vault, ensure the destination Platform Secret Server has all required Secret Templates in place, the folder structure is created, and permissions are assigned. Importing secrets before their template exists causes import failures.

Export secrets from the source vault using that vault's supported export format. For Secret Server (on-prem source), use the built-in Admin → Export / Import → XML export with a passphrase. For third-party vaults, use their API or CSV export capability and map field names to SS Template fields.

• 01For SS on-prem source: Admin → Export / Import → select root folder → XML format → set passphrase.
• 02For CyberArk / HashiCorp / BeyondTrust: use their export API or admin CLI; export to CSV with field headers matching target SS template fields.
• 03Record the pre-export secret count from the source system.
• 04Store the export file in an encrypted external location — never on the source or target server.
• 05Store the export passphrase separately from the export file.

Use Admin → Export / Import → Import in Platform Secret Server to import the file using the passphrase. After import, run a reconciliation check comparing secret counts and spot-checking a random sample.

• 01Navigate to Admin → Export / Import in Platform Secret Server.
• 02Select Import, upload the export file, and enter the passphrase.
• 03Review the import preview — confirm folder mapping and template matching.
• 04Execute the import and monitor the progress log for errors.
• 05Compare total imported secret count against pre-export count from source.
• 06Spot-check 10–15 randomly selected secrets: verify field values, template, folder, permissions, and heartbeat status.

Test every configured authentication path from the Platform URL using test accounts representing each method. Include MFA challenge scenarios.

Retrieve secrets from at least three template types and run forced heartbeat checks. Trigger a test Remote Password Change on a non-critical account to confirm the full RPC pipeline through the Platform engine is operational.

Every system calling the Secret Server API must have its base URL updated from secretservercloud.com to delinea.app. Test OAuth token acquisition and a representative API call on the new endpoint.

Trigger auditable events (login, secret view, failed login) and confirm they arrive at the SIEM with correct format. Note: Platform event source identifiers may differ from SSC — update SIEM parser rules if needed.

Validate ticketing-based access request workflows and explore the Delinea Marketplace — the Platform introduces native integrations for PRA, ITP, Continuous Identity Discovery, and third-party tools not available in SSC.