I have configured Azure AD Authentication recently in our organisation. Everything is fine, but the challenge is I want to force the user to authenticate only through Azure (External Identity), not using the Basic Authentication Method. How can I remove the entry from the User Account Type drop-down or force the user to log in only with Azure AD?
Check the require SSO box on their user account.
I did it but no change. I believe something needs to be done in the web config part.
You have that box checked, and the user is still able to log in with basic authentication?
Keep in mind, the two options are always going to show in the drop-down list. But once you require SSO on their user account, they will not (should not) be able to log in using the basic auth. If they can, you have a bigger problem that needs to go to support.
I enabled RequireSSO for the user; still the user is able to log in using username and password. That is my concern.
Seems like they are either in a different environment, or using a different account than the one you are setting as sso required, or there is some other disconnect going on, because I have never seen that.
If the user has security manager access, will it override the require SSO option?
Why are you trying to require SSO for a security manager? They can change their own settings anyway so what is the point?
This is just a dev environment and I am testing the login myself. I have security manager access.
The RequireSSO option is working for the client desktop application, but it is not working for the users who log in through the browser.
You might be able to set “Allow Password Change” to false and then expire their password. YMMV.
You can’t change passwords in DMT, but you could blank the password and then enter one that they won’t know. It’s a little work, but might be one sure way to keep them from logging in with their password.
It seems like a workaround. Is it possible to edit any config file or data where these values are coming from?
@fvodden asked about this years ago and I don’t recall any setting to control this. There was also a discussion about what to do when your third party ID provider is unavailable. The appServer seems to always allow Basic Auth, at least through 2024.1
Epicor is not stopping users from logging in using basic authentication, which is not fulfilling the purpose of enabling Azure AD.
Mohamed, are you on prem?
Yes, Epicor is on premise.
Okay, so I think like Mark was showing you would need to deploy/configure the app server to allow only SSO… is that what you were getting at @Mark_Wonsil ?
I have configured the app server as Allow Azure Authentication and enabled default client authentication as Azure, and I have even enabled require SSO. The SSO is working for desktop users, but when users log in through the browser it is showing the option to select basic and they are trying to log in using username and password.
I don’t think that was the purpose. They had basic auth first, which assumes the company has no other identity providers. They added Windows Auth, then Entra ID (Azure ID), and Epicor’s own IdP as alternate methods. The Use SSO Only flag applied to Windows only for a while, but maybe that’s changed.
I would enter an Epicor Idea and see what the interest would be.