Just wondering, what all is there when you’re in Epicor’s cloud to secure access to your environment so that only authenticated people can attempt to log in/log in.
Oddly phrased question probably so if I can clarify please let me know.
Thanks in advance for real world security options y’all are using with Epicor’s cloud offering.
Thanks Bryan, I did try to find some consolidated thread of options before posting and didn’t find anything super concise, but I didn’t really try that hard to read all the related posts and then make a concise summary of my own either.
I was specifically trying to understand, with the Azure piece of it, can we utilize anything further to whitelist IPs in Azure @bderuvo?
With Azure AD there is some trivial access control: you have to put in the site ID to be able to get to the login screen. It’s enough security to keep our users and Epicor support out.
Connect all your Epicor systems to Epicor IdP. And then connect Epicor IdP to Entra ID (Azure AD). That way you only have to manage the connection to Epicor IdP and the rest is handled by Epicor. Also you get the Entra ID login for Epiccare, Epicweb etc.
And yes, conditional access can be applied to both IdP with Entra ID and direct Entra ID. To allow MFA rules along with location checks, compliant device etc. Caveat, as Mark says, with Entra licensing. Otherwise you get security defaults.
Entra ID has several levels of Conditional Access. You need at least P1 to get Conditional Access. If you are a Microsoft 365 Business Premium user, then you also get P1 included with your subscription.
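The two controls discussed in the replies above, an IP allow-list and a tenant-wide MFA requirement, can both be expressed as Entra ID Conditional Access policies. The following is an added example, not code from the thread or from Epicor; it uses the Microsoft Graph PowerShell SDK and needs Entra ID P1 (or Microsoft 365 Business Premium, which includes it). The CIDR range, the enterprise-application name `Epicor IdP`, and the group name `Break Glass Admins` are placeholders to be replaced with your tenant's values.

```powershell
# Added example: Conditional Access for an Epicor IdP federation in Entra ID.
# Assumes the Microsoft.Graph module is installed and the signed-in admin can consent
# to the scopes below. The application and group names are assumptions for this example.
Connect-MgGraph -Scopes "Policy.ReadWrite.ConditionalAccess", "Policy.Read.All",
                        "Application.Read.All", "Group.Read.All"

# 1. Named location holding the plant's public egress range (placeholder CIDR).
#    Marking it trusted also suppresses "unfamiliar location" risk noise for sign-ins from it.
$plant = New-MgIdentityConditionalAccessNamedLocation -BodyParameter @{
    "@odata.type" = "#microsoft.graph.ipNamedLocation"
    displayName   = "Plant egress IPs"
    isTrusted     = $true
    ipRanges      = @(
        @{ "@odata.type" = "#microsoft.graph.iPv4CidrRange"; cidrAddress = "203.0.113.0/24" }
    )
}

# 2. The enterprise app that represents the Epicor IdP federation (name is an assumption),
#    and a break-glass group that every policy must exclude so a bad policy cannot lock out admins.
$epicorApp  = Get-MgServicePrincipal -Filter "displayName eq 'Epicor IdP'"
$breakGlass = Get-MgGroup -Filter "displayName eq 'Break Glass Admins'"
if (-not $epicorApp -or -not $breakGlass) { throw "Fix the app/group names before creating policies." }

# 3a. Allow-list: block sign-ins to the Epicor app from anywhere outside the plant range.
#     Created in report-only mode; switch state to "enabled" only after reviewing sign-in logs.
$ipPolicy = @{
    displayName = "Epicor IdP: block outside plant IPs"
    state       = "enabledForReportingButNotEnforced"
    conditions  = @{
        users          = @{ includeUsers = @("All"); excludeGroups = @($breakGlass.Id) }
        applications   = @{ includeApplications = @($epicorApp.AppId) }
        clientAppTypes = @("all")
        locations      = @{ includeLocations = @("All"); excludeLocations = @($plant.Id) }
    }
    grantControls = @{ operator = "OR"; builtInControls = @("block") }
}

# 3b. MFA: require it for every user reaching the Epicor app, from any location.
#     Keep this separate from the IP rule so remote users (VPN down, travelling) are still
#     challenged rather than silently admitted or blocked by a single combined policy.
$mfaPolicy = @{
    displayName = "Epicor IdP: require MFA"
    state       = "enabledForReportingButNotEnforced"
    conditions  = @{
        users          = @{ includeUsers = @("All"); excludeGroups = @($breakGlass.Id) }
        applications   = @{ includeApplications = @($epicorApp.AppId) }
        clientAppTypes = @("all")
    }
    grantControls = @{ operator = "OR"; builtInControls = @("mfa") }
}

$created = foreach ($p in @($ipPolicy, $mfaPolicy)) {
    New-MgIdentityConditionalAccessPolicy -BodyParameter $p
}

# 4. Read back what was created; confirm both are report-only before anyone flips them on.
$created | Select-Object DisplayName, State, Id | Format-Table -AutoSize
```

Run it once, then watch the Entra sign-in log "Conditional Access (report-only)" column for a few days; that shows which users would have been blocked or prompted before the policies are enforced. Note that a Conditional Access policy scoped to the Epicor app only governs the Entra-federated path; the Epicor IdP's own basic-auth and "remember machine" settings still apply to users who bypass Entra.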
Hi, I would like to continue this conversation. We are planning to go live on Kinetic Cloud from Epicor 10 on-prem and are evaluating options for user access. We are implementing most users on browser with possibly a couple of users on Smart Client. We are going towards Epicor IDP, which has MFA capability. I am planning to require IDP and MFA for all users. We may enable the “remember machine” option to reduce MFA inputs, especially for MES/Shop users.
Are you using Browser or Smart Client for Kinetic Cloud?
Do you allow users to access Kinetic Cloud using Basic (user/pw) authentication?
Do you allow users to access Kinetic Cloud using Epicor IDP with/without MFA?
Have you enabled the “remember me” or “remember this device/machine” option to reduce MFA inputs? In Epicor IDP this can only be set at the company level and not at the user level so this setting applies to all users.
How are MES/Shop users accessing Kinetic Cloud? Do they login with shared Epicor user accounts? Do they use Epicor basic authentication? Do they use MFA?
Do you use Password and/or Lock Out Policies in Epicor?
Do you allow multiple sessions on any users?
What other identity provider (Entra) or strategy are you using?
Please share your access controls/experiences for cloud implementation. Thanks, I look forward to hearing about your experiences!!
Thanks for your response, it sounds like Entra has much more granular capability than Epicor IDP. Perhaps Epicor IDP will have more options in the future, such as when they move to Linux-based containers. User access is such an important step when moving to the cloud. I have been told there are Cloud companies using just basic authentication, which from my reading is not very secure even over HTTPS.
Well, IdP can work with Entra as well. I’m sure someone here who’s using it (or @olga) can explain. But I recall being able to link an Entra account to IdP and it would log you in. IdP is a way to eventually get all of the Epicor products (Kinetic, ECM, EpicCare, Epicor Ideas, EpicWeb, …) under one authenticator but also work with others.
That’s going to be a great session and one that everyone should attend. Thanks for taking the time to spread the word, because Epicor never mentions any of this when they talk cloud with people. IMO they don’t do enough to educate their clients on the security risks involved with authentication when going to the cloud.
I agree, I think security should be one of the first conversations when moving to the cloud. Epicor IDP was very straightforward to set up and includes MFA for the extra layer of security. In addition, we set up account lockout and password policies in Epicor. There is also the option to “remember machine” when logging in with MFA, which is very helpful for the MES/Shop computers.