Hi, is anyone privy to what’s coming in the next release of Epicor?
I have come across this check box within User Account Security Maintenance and I cannot figure out what it does, so I’m presuming it’s related to the next release.
I am hoping we will be able to whitelist IP addresses for those accounts where SSO isn’t possible. Similar to a simple Conditional Access policy in AzureAD using Trusted Locations.
According to the release notes from 2023.1: "FEATURE: Set up user accounts so the system validates IP addresses when users log into the system. Do this by selecting the Restrict IP check box on a user account. When a user attempts to log in and the system cannot validate the user’s IP address, the user is denied access.
Review the Adding New Users in User Account Maintenance help article for more information.
BENEFIT This feature improves security, making sure that all user IP addresses are valid. System administrators control which IP addresses can access the system on a master list (allow-list)."
Unfortunately the help article mentioned says nothing about it, and I cannot find where a System Admin could maintain the master list.
Yeah! I would certainly like all these anomalies on my logon failure report to go away! I get consistent failures every 30 seconds for users that recently changed their passwords. I haven’t figured out how to stop it yet, but whitelisting IPs would give me some extra sense of security. Epicor support was completely useless when presented with this issue.
You get many Entra P1 features if you are a M365 Business Premium user, which is meant for companies with 1-300 users. For $22/user/month (often cheaper through retailers like Insight or CDW), you get:
I’m an on-premise installation. I’ve been testing using Entra for authentication instead of basic authentication and am getting close to making the decision to deploy for production.
We use Microsoft/Office 365 and are configured with a hybrid domain, so most of our users have an Office subscription that includes Entra. Since we have our internal AD connected to Azure, all of our domain accounts are represented in Entra, though not all have subscriptions.
Whether it is intentional or not, I have confirmed that I can use Entra ID to authenticate users in our domain that don’t have an Office 365 account. I think this may be the Entra ID Free version, but it might also be an undocumented feature.
My goal for moving to Entra authentication is to force MFA when a user tries to log into Kinetic from outside our network and I have tested this capability successfully with Domain/Entra accounts with and without Office 365 subscriptions.
Since it is impossible to completely eliminate basic authentication, I too looked into the Restrict IP switch especially after talking to a tech at Insights. I initially hit a dead-end talking to support about this feature, though did eventually have an Epicor employee reach out to me with information about it.
You may be able to get configuration information from Technical Support about configuration.
Basic is handy for simulation testing as another user, although if you are using SSO you can Run as another user if you want to. So you can argue it’s not needed any more.
That allows you to use Entra for Kinetic. You need to update the User Account to tell Kinetic which login id to use (normally email address), set up Kinetic Client and Server in Entra, and then give Kinetic your Entra Info. It’s in the Install Guide.