I am trying to follow the 10.2.700 new install guide for Azure AD authentication setup within the azure portal and this step doesn’t align with the portal. I can’t find the “Azure Active Directory Settings Maintenance” screen… Has anyone set this up recently that could help me out?
I assume you're a security manager?
Great, thank you so much… very vague, as you can see in the guide. I am not super familiar with Azure in Epicor; it would've been cool if they had said that the program is in Epicor, not in the Azure portal.
The word “Maintenance” in the guide tipped me off. I haven’t seen screens called that anywhere else, lol.
I mean, I am so unfamiliar with the Azure portal that I wouldn't know if they have a maintenance tab or not, haha, but you're right, I should've been tipped off by that because almost everything in Epicor is called maintenance. Thanks so much, man.
Lemme know how it goes.
We were looking at Azure AD as a replacement for SSO when we go full browser Kinetic.
One of the biggest differences between Active Directory and Azure Active Directory is that you register applications in AAD. You will have a tenant ID and a Client (Program) ID once you register it in AAD. You'll need those values to set up the Azure AD Settings later in Epicor.
@Mark_Wonsil So I have been wondering what happens to Epicor access if you lose internet access for a week because of a hurricane and are running on a generator.
A typical setup is an on-prem AD instance that syncs to AAD. In the event of loss of connectivity, this will serve as the AD authority.
Without Internet, you won’t be able to tell us about it here.
Seriously, every company should have business continuity plans. Without Internet, you wouldn’t have email, or incoming orders, or shipping capability with UPS/FedEx, etc. An on-prem Epicor system would be hidden from the world too.
Microsoft has recommendations for thinking about these situations, including ID token lifespan, etc. ID tokens are different from access tokens, which your Epicor system would still be refreshing once an hour.
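To make the two points above concrete (the tenant ID and client ID from the app registration, and the way token lifetimes decide what keeps working during an outage), here is an added example of the checks a relying party performs on an ID token before trusting it. It is not code from this thread, from Epicor, or from Microsoft. The tenant ID, client ID, user ID and signing key are constructed stand-ins; the token is HMAC-signed with that demo key only so the script runs offline, whereas real AAD tokens are RS256-signed and must be verified against the signing keys published for the tenant (fetching those keys is itself something that needs connectivity). The one-hour lifetime and five-minute clock skew are assumptions for the demo.

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed stand-ins, not real identifiers: the tenant ID and client
# (application) ID that an AAD app registration reports, plus a demo
# signing key so the example runs offline. Real AAD tokens are RS256
# signed and are verified against the tenant's published keys instead.
TENANT_ID = "00000000-0000-0000-0000-000000000001"
CLIENT_ID = "11111111-1111-1111-1111-111111111111"
ISSUER = f"https://login.microsoftonline.com/{TENANT_ID}/v2.0"
DEMO_KEY = b"constructed-demo-signing-key"
ID_TOKEN_LIFETIME = 3600  # assumed one-hour lifetime, as the thread mentions


def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def example_claims(issued_at: int) -> dict:
    """Claims shaped like an AAD v2 ID token issued to our app registration."""
    return {
        "iss": ISSUER,        # tenant-specific issuer
        "aud": CLIENT_ID,     # must equal the client ID of our registration
        "tid": TENANT_ID,
        "sub": "constructed-user-object-id",
        "iat": issued_at,
        "nbf": issued_at,
        "exp": issued_at + ID_TOKEN_LIFETIME,
    }


def make_token(claims: dict, key: bytes = DEMO_KEY) -> str:
    """Build a compact JWT (HS256 here purely so the demo is self-contained)."""
    header = b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = b64url(json.dumps(claims).encode())
    signature = hmac.new(key, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{b64url(signature)}"


def tamper_audience(token: str, new_aud: str) -> str:
    """Rewrite the aud claim but keep the original signature. Validation
    must reject this, which is why the signature is checked first."""
    header, payload, signature = token.split(".")
    claims = json.loads(b64url_decode(payload))
    claims["aud"] = new_aud
    return f"{header}.{b64url(json.dumps(claims).encode())}.{signature}"


def validate_token(token, expected_issuer, expected_audience, now, key=DEMO_KEY, skew=300):
    """Return (ok, reason, claims). The signature is checked before any
    claim is trusted; iss and aud pin the token to our tenant and our app."""
    parts = token.split(".")
    if len(parts) != 3:
        return False, "malformed", {}
    header, payload, signature = parts
    expected = hmac.new(key, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(signature)):
        return False, "bad signature", {}
    claims = json.loads(b64url_decode(payload))
    if claims.get("iss") != expected_issuer:
        return False, "wrong issuer", claims
    if claims.get("aud") != expected_audience:
        return False, "wrong audience", claims
    if now < claims.get("nbf", 0) - skew:
        return False, "not yet valid", claims
    if now >= claims.get("exp", 0) + skew:
        return False, "expired", claims
    return True, "ok", claims


def seconds_remaining(claims: dict, now: int) -> int:
    """How long the token stays usable; zero once it has expired."""
    return max(0, claims.get("exp", 0) - now)


if __name__ == "__main__":
    t0 = int(time.time())
    token = make_token(example_claims(t0))
    for label, now in [("30 minutes in", t0 + 1800), ("a week offline", t0 + 7 * 86400)]:
        ok, reason, claims = validate_token(token, ISSUER, CLIENT_ID, now)
        print(f"{label}: {reason}, {seconds_remaining(claims, now)}s left")
    print("edited aud:", validate_token(tamper_audience(token, "other-app"), ISSUER, CLIENT_ID, t0)[1])
```

The week-offline case is the one the hurricane question is really about: a token issued before the outage stops validating once its exp passes, and without a reachable issuer no new one can be minted, so the on-prem AD authority mentioned above is what carries sign-in through the gap.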
The concern with syncing AAD with AD is that you're vastly increasing your attack area. All AD vulnerabilities expose your cloud authentication either because they are synced or, as in the SolarWinds example, the trust level between the two systems was abused by the threat actors. And there's PrintNightmare, and PetitPotam, and…
Not to say that AAD doesn’t have issues either. Any vulnerabilities there would get synced down to AD.
There’s been talk within the security community to not link the two in order to reduce the attack surface.
There's no winning this game, only losing a little less each time.
I like that quote Aaron!
Jose has done it already and says it works great, I will let you know as soon as I finish the config!
Looking forward to using it.