As of June 4th, 2024, authentication to On Demand will only be available through Microsoft Identities. Quest accounts will no longer be supported.
Authenticating through Microsoft Entra ID provides more native granular control and allows you to manage your configuration from a central location.
This change allows for advanced security layers that you can configure from your own conditional access policies. More specifically, you can choose to configure MFA from within your tenant, integrate with OKTA, or benefit from other integrated applications that work with the Microsoft Authentication Library (MSAL).
To provide granularity and control to On Demand, we have added the ability to restrict access to only authorized users and domains.
We will be working on adding support for AAD Groups this year to On Demand to bring in more integration with Entra ID and again give you – the customer – more control on access from within your Tenant.
The email address will remain the main primary entity to check On Demand Organization membership!
We do have unique checks behind the scenes per tenant and mainly following the OID and TID claims but it is very important to persist the same email addresses for On Demand Administrator or to make sure the correct ones are added before the cut over date. Otherwise, you will have to submit support cases to get some help with this while you validate your ownership and membership of the organization!
A new App registration <Quest On Demand> will be used for authentication, this will replace the old Quest app.
The ability to sign in with a Quest account will be deprecated on May 7, 2024 and will be removed completely on June 4th, 2024. You can, however, move to Microsoft Identity now by selecting to Sign in with Microsoft from the On Demand landing page.
Sign in with Microsoft to On Demand
Go to Quest On Demand and select to Sign in with Microsoft to authenticate using Microsoft Entra ID.
Part of this move is the requirement to create a new Application Registration to handle authentication following the least privileged principles. All users logging in to On Demand will need to reconsent to the Quest On Demand application to gain access. The verified publisher domain and permissions will be clearly labelled and detailed.
Every user logging on to On Demand will need to consent to this application. If users do not have privileges to grant consent, a global Administrator in the organization can grant consent on behalf of the whole organization.
To access On Demand after June 4th, 2024, all members of your organization must be logging in using their Microsoft Identity. Ensure that all members of your organization are using Microsoft identities and review the RBAC assignments to avoid any access disruptions.
Recovery account recommendation
We recommend an external account added to an organization that could be used in case access is lost. This external account should be a Microsoft Entra account from a tenant that is different from any user accounts normally used to access an On Demand organization. For details see Microsoft’s documentation Manage emergency access accounts in Microsoft Entra ID.
© ALL RIGHTS RESERVED. Nutzungsbedingungen Datenschutz Cookie Preference Center