Azure AD authentication in cloud

Who is successfully using Azure AD authentication in Epicor cloud? Can you tell me how its working for you? How did you solve these challenges?

-First time a user logs in using Azure AD (client or browser), they are prompted to enter the tenant ID (aka site ID). I can’t see adding a totally unnecessary step that a lot of users will screw up and then not be able to log in.

-In the client, if clicking launch Kinetic in the browser, that url redirects to an Epicor-Basic-Auth only login screen, even though when accessed through another url, Azure login is available for that user.

-Cloud team refuses to modify sysconfig file on the server. Answer is, change it yourselves in user settings. Even though it is obviously possible for us to deploy our own config file, it introduces tremendous complexity. Do we have them do the basic install from the download site first, and then have some process where they open a help desk ticket so we can place the correct config file for them? Do we take over the entire client install process ourselves, noting the process will have to be rebuilt twice per year due to upgrade and taking away a major value prop of cloud which is that users can self-serve their own install?

-Even if cloud team were willing to modify the sysconfig file on the server, what to do about users that DO still need to use basic auth? All the complexity noted above ensues as far as managing different config files for different users. Unless there is a way to have a single config file that provides an option to log in either way? Or separate app servers, one for each authentication method? The file we are testing with just goes straight to the Azure authentication process with no option to pick basic.

-No ability to alias external identity in Epicor user account. We only get to enter a single external identity. But lots of users have multiple email addresses. Then if they put the wrong one in the authentication process the login fails. But it doesn’t tell them which one they are supposed to use.

That’s odd the new version of the browser prompts us for either Azure or Basjc out of the box they must have something configured incorrectly in their setup

I’d escalate that the current 2023.x version definitely has the ability to prompt it even does it in EMWW and Expense Apps and we didn’t have to configure anything special on our side just enable Azure AD and Basic.

In the browser (and apps) we get prompted with both options now

Our classic defaults to Azure AD and for those users that need basic we just deploy another sysconfig to the client with a change in this line

 <AuthenticationMode value="AzureAD" options="Windows|AzureAD|IdentityProvider|Basic" />

That is a reasonable thing IMO at least while the fat client is around but I see the inconvenience for SaaS customers I suspect the goal is to push to the browser where the choice is given without special files.

As far as the aliasing goes for Azure AD users should be using their primary username / password that they use to login to their workstations and or email. I’m not sure there’s much of a scenario where a user has many multiple accounts that they are logging in with all the time except for some IT Staff and they should know better. Should be pretty simple to say login using your main work email address and password the same one you use to authenticate on your computer.
It can’t tell you which one you are supposed to use that’s a security issue if you went to login to your bank account and it said wrong username and password try using “jsmith@validemail.com instead” that would be giving away half of the authentication protection

2 Likes

What do you get if you visit

https://YourCloudAddress/YourCloudInstance/api/.configuration?tenantId=

If your azure is configured properly you should receive azure info in this request that’s what sets up the browser / dropdowns should look something like this.

2 Likes

How though? Are you asking users to put the file in the right place themselves?

No we use GPO our whatevef your standard IT Deployment infrastructure is.

1 Like

Yes that is what I see on ours too. Like I said if I go to the url with azure method set in the url it works fine. But if the user clicks to launch the browser from the client it forces to basic auth, can’t see why.

1 Like

One by one? Or you just put all those users in a special group? Just trying to think of how to make it manageable.

1 Like

Depending on how your network admin is configured you can create a Group for these users and then deply that way via GPO or AD it really dpeends on what tools you have available.

2 Likes

How to disable the basic authentication ?

1 Like