IBM Support

Azure AD and On-Premises AD mixed-mode support

Release Notes


Abstract

Azure AD and On-Premises AD mixed-mode support

Content

In previous releases of the MaaS360 platform (10.68 and earlier), MaaS360 only supported the following scenarios:

  • Azure Active Directory authentication with Azure Active Directory visibility 
  • On-Premises Active Directory authentication with On-Premises Active Directory visibility

For the 10.69 platform release, MaaS360 now supports Azure Authentication and AD/LDAP Authentication mixed mode setup.

Supported scenarios

The following mixed-mode scenarios for Azure AD (AAD) and On-Premises AD (OPAD) are supported for 10.69:

-Standalone: If a customer has configured only one authentication source, then MaaS360 authenticates with the configured authentication source.

  • Azure Active Directory authentication and visibility: 
    • If a user is available in the MaaS360 Portal, Azure Active Directory handles authentication. 
    • If a user is not available in the MaaS360 Portal and Azure authentication is configured, Azure Active Directory handles authentication and the user is created in the MaaS360 Portal.
  • On-Premises Active Directory authentication and visibility: 
    • If a user is available in the MaaS360 Portal, On-Premises Active Directory handles authentication.
    • If a user is NOT available in the MaaS360 Portal and On-Premises authentication is configured, On-Premises Active Directory handles authentication and the user is created in the MaaS360 Portal.

-Mixed-mode:

  • If a customer has configured more than one authentication source, the following applies:
    • If a user record is available in the MaaS360 Portal and the user's authentication type is Azure or Active Directory, MaaS360 uses the authentication type that is selected for authentication.
    • If a user record is not available in the MaaS360 Portal, MaaS360 authenticates with Active Directory if Azure visibility is configured, or with Azure Active Directory if Active Directory visibility is configured.
      Note: If a customer has configured Active Directory authentication and tries to configure Azure authentication with no configured visibility, MaaS360 displays a message recommending that the customer configure at least one visibility.

Additional criteria for mixed-mode support

Active Directory Federation Services (ADFS) must be publicly available and using a public certificate in order for MaaS360 to successfully communicate with ADFS.

Limitations

The following limitations and unsupported scenarios apply to the 10.69 release:

  • If a customer has configured more than one authentication source and has not configured visibility on any of the sources or has configured both types of visibility, MaaS360 fails the authentication request for users that are not available in MaaS360.
  • If a new user is added in Active Directory who is configured for visibility, authentication does not work for the new user until the user is uploaded to the MaaS360 Portal (after a successful data fetch).
  • Using different domains for both Azure and Active Directory is not supported.
  • Visibility in both Azure and Active Directory for the same customer is not supported.
  • If a user receives a new domain after a device is migrated from an old domain, you might have to re-enroll the device if policies do not work on the device.
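
The source-selection rules under "Supported scenarios" and the first limitation above can be modelled as a small decision function, which makes it easy to check which directory handles a login for a given setup. This is an added illustration, not MaaS360 code; the names Source, AuthRejected, resolve_auth_source and unknown_user_outcomes are hypothetical, and only rules stated on this page are encoded.

```python
from enum import Enum

class Source(Enum):
    AZURE = "Azure AD"
    OPAD = "On-Premises AD"

class AuthRejected(Exception):
    """The case where the page says the authentication request fails."""

def resolve_auth_source(auth_sources, visibility, user_auth_type=None):
    """Pick the directory that handles a login (hypothetical model).

    auth_sources   -- set of Source values configured for authentication
    visibility     -- set of Source values configured for visibility
    user_auth_type -- Source stored on the portal user record,
                      or None when the user is not in the portal yet
    """
    if not auth_sources:
        raise ValueError("no authentication source configured")
    if len(auth_sources) == 1:
        # Standalone: the single configured source always authenticates;
        # an unknown user is then created in the portal.
        return next(iter(auth_sources))
    if user_auth_type is not None:
        # Mixed mode, known user: the type on the user record decides.
        return user_auth_type
    if len(visibility) != 1:
        # Limitation: no visibility, or both, fails unknown users.
        raise AuthRejected("unknown user with %d visibility sources" % len(visibility))
    # Mixed mode, unknown user: the source WITHOUT visibility authenticates.
    (visible,) = visibility
    return Source.OPAD if visible is Source.AZURE else Source.AZURE

def unknown_user_outcomes():
    """Outcome for a user who is not in the portal, per visibility setup (mixed mode)."""
    both = {Source.AZURE, Source.OPAD}
    table = {}
    for label, vis in [("none", set()), ("azure", {Source.AZURE}),
                       ("opad", {Source.OPAD}), ("both", both)]:
        try:
            table[label] = resolve_auth_source(both, vis).value
        except AuthRejected:
            table[label] = "rejected"
    return table

if __name__ == "__main__":
    for label, outcome in unknown_user_outcomes().items():
        print(f"visibility={label:5} -> {outcome}")
```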


Document Information

Modified date:
29 November 2018

UID

ibm10738841