Final Notice: Modernizing On Demand Identity Management
Description
Final Notice: Modernizing On Demand Identity Management
Resolution
In response to customer feature requests, we are pleased to announce that On Demand authentication will now be managed completely by Microsoft Entra ID.
What is changing and why?
On July 15th, 2024, authentication to On Demand will only be available through Microsoft Identities. Quest accounts will no longer be supported.
Authenticating through Microsoft Entra ID provides more native granular control and allows you to manage your configuration from a central location.
This change allows for advanced security layers that you can configure from your own conditional access policies. More specifically, you can choose to configure MFA from within your tenant, integrate with OKTA, or benefit from other integrated applications that work with the Microsoft Authentication Library (MSAL).
We will be working on adding support for AAD Groups this year to On Demand to bring in more integration with Microsoft Entra ID and again give you – the customer – more control on access from within your tenant.
The email address will remain the primary entity to check On Demand Organization membership.
We have unique checks behind the scenes per tenant that follow the OID and TID claims, but it is very important to persist the same email addresses for the On Demand Administrator, or to add an updated email address, before July 15, 2024. Otherwise, you will have to submit support cases for help while you validate your ownership and membership of the organization.
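The membership resolution described above, as an added illustration that is not Quest's own code: a hypothetical roster is keyed by email but also records the Entra `tid`/`oid` pair once a member has signed in with Microsoft, so a changed email can be detected instead of silently producing an unknown user. Roster entries, tenant and object ids are constructed placeholders.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class Member:
    """One On Demand organization member as a roster might record them (hypothetical)."""
    email: str
    tenant_id: Optional[str] = None   # Entra 'tid' bound at first Microsoft sign-in
    object_id: Optional[str] = None   # Entra 'oid' bound at first Microsoft sign-in

# Constructed sample roster; emails and ids are placeholders, not real tenants.
ROSTER = [
    Member("alice@example.com", "tid-contoso", "oid-alice"),
    Member("bob@example.com"),                           # never signed in with Microsoft
    Member("break.glass@partner.example", "tid-partner", "oid-bg"),
]

def resolve_member(claims: dict, roster=ROSTER):
    """Map ID-token claims to a roster entry in the order the notice describes:
    tenant-bound OID/TID checks first, then the email address as primary key.
    Returns (member_or_None, status)."""
    # Assumption: preferred_username carries the sign-in email; 'email' is the fallback.
    email = (claims.get("preferred_username") or claims.get("email") or "").lower()
    tid, oid = claims.get("tid"), claims.get("oid")
    # 1. Strong match: a (tid, oid) pair previously bound to a member.
    if tid and oid:
        for m in roster:
            if (m.tenant_id, m.object_id) == (tid, oid):
                if m.email.lower() != email:
                    return m, "email-changed"    # same identity, roster email is stale
                return m, "matched-claims"
    # 2. Fallback: the email address remains the primary membership key.
    for m in roster:
        if m.email.lower() == email:
            if m.tenant_id and (m.tenant_id, m.object_id) != (tid, oid):
                return m, "claims-conflict"      # same email, different Entra identity
            return m, "matched-email"            # first Microsoft sign-in: bind claims
    return None, "unknown"                       # neither key found: support case needed
```

The "unknown" and "claims-conflict" outcomes are the cases the notice warns about, where ownership has to be validated through support.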
A new application registration, Quest On Demand, will be used for authentication. This replaces the existing Quest application.
When is the change taking effect?
The ability to sign in with a Quest account was deprecated on June 4th, 2024 and will now be fully retired on July 15th. You can, however, move to Microsoft Identity now by selecting Sign in with Microsoft from the On Demand landing page.
Actions Required:
Sign in with Microsoft to On Demand
Go to Quest On Demand and select 'Sign in with Microsoft' to authenticate using Microsoft Entra ID.
Consent to the new On Demand application
Part of this move is the requirement to create a new Application Registration that handles authentication following least-privilege principles. All users logging in to On Demand will need to reconsent to the Quest On Demand application to gain access. The verified publisher domain and permissions will be clearly labelled and detailed. Every user logging on to On Demand will need to consent to this application, but a Global Administrator can consent on behalf of the whole organization if you wish.
Review RBAC assignments!
To access On Demand after July 15th, 2024, all members of your organization must sign in using their Microsoft Identity. Ensure that all members of your organization are using Microsoft identities and review the RBAC assignments to avoid any access disruptions.
We recommend adding an external account to the organization that can be used in case access is lost. This external account should be a Microsoft Entra account from a tenant that is different from any user accounts normally used to access an On Demand organization. For details, see Microsoft's documentation Manage emergency access accounts in Microsoft Entra ID.