Problem
The customer migrated all users from username/password to Azure SSO with conditional access, and they planned to enable the tenant-level setting "Disable standard login (Ensure SSO is working first, to prevent a lockout.)".
The problem is that after changing all users, the API scripts now fail because the login no longer works, and in the logs we see my manual login failing, as the account is obviously SSO-configured per our security baselines. Customers need to be able to lock down SSO at the tenant level and for all accounts to meet security baseline requirements, while still supporting the API functionality we use to generate Power BI dashboards, etc.
Solution
This API access is the reason we provide the ability to mark individual accounts as not SSO-enabled.
So even though their setting will be to disable SSO for users, they can individually keep some accounts SSO-disabled so that they can be used via the patch daemon, etc. When clients enable these settings, the login page will not allow standard login, but such an account can still be accessed via the API.
The expectation is that all logins can only be via SSO, and our login screens behave that way by disabling standard login.
Please note: a root user can individually disable the SSO requirement for itself or for other users in User Management.
So, although such a user can still use standard login, the same user could also be used by the patch daemon or the API to bypass SSO, even when the “Disable standard login” option is selected.
The disable-SSO option is available for all users except the Root admin and Partition Admin. In User Management, “Use SSO for authentication” disables standard login for a user; the login authentication type is available in the User Management tab, and from there all accounts can be switched to SSO.
Jul 07, 2021 07:48 AM