Supporting mixed-mode and Azure Active Directory (AAD) and On-Premises Active Directory (OPAD) scenarios

Information about mixed-mode authentication for Azure Active Directory (AAD) and On-Premises Active Directory (OPAD).

Scenarios supported in MaaS360 10.68 and earlier platform releases

In previous releases of the MaaS360 platform (10.68 and earlier), MaaS360 only supported the following scenarios:
  • Azure Active Directory authentication with Azure Active Directory visibility
  • On-Premises Active Directory authentication with On-Premises Active Directory visibility

Mixed-mode scenarios introduced in the MaaS360 10.69 platform release

With the 10.69 platform release, MaaS360 supported a mixed-mode setup that combines Azure authentication and AD/LDAP authentication. The following mixed-mode scenarios for Azure AD (AAD) and On-Premises AD (OPAD) were introduced in 10.69:
  • Standalone: If a user configured only one authentication source, then MaaS360 authenticates with the configured authentication source.
    • Azure Active Directory (AAD) authentication and visibility
      • If a user is available in the MaaS360 Portal, Azure Active Directory handles authentication.
      • If a user is not available in the MaaS360 Portal and Azure authentication is configured, Azure Active Directory (AAD) handles authentication and the user is created in the MaaS360 Portal.
    • On-Premises Active Directory (OPAD) authentication and visibility:
      • If a user is available in the MaaS360 Portal, On-Premises Active Directory (OPAD) handles authentication.
      • If a user is not available in the MaaS360 Portal and On-Premises authentication is configured, On-Premises Active Directory (OPAD) handles authentication and the user is created in the MaaS360 Portal.
  • Mixed-mode: If a user configured more than one authentication source, the following applies:
    • If a user record is available in the MaaS360 Portal and the user's authentication type is Azure or Active Directory, MaaS360 uses the authentication type that is selected for authentication.
    • If a user record is not available in the MaaS360 Portal, MaaS360 uses Active Directory to authenticate if Azure visibility is configured or Azure Active Directory if Active Directory visibility is configured.
      Note: If a customer has configured Active Directory authentication and tries to configure Azure authentication with no configured visibility, MaaS360 displays a message recommending that the customer configure at least one visibility.

The following additional criterion was required for mixed-mode support: Active Directory Federation Services (ADFS) must be publicly available and must use a public certificate so that MaaS360 can communicate with ADFS.

Limitations with mixed-mode scenarios introduced in the MaaS360 10.69 platform release

The following limitations apply to mixed-mode scenarios in the 10.69 release:
  • If a customer has configured more than one authentication source and has not configured visibility on any of the sources or has configured both types of visibility, MaaS360 fails the authentication request for users that are not available in MaaS360.
  • If a new user is added in Active Directory (AD) who is configured for visibility, authentication does not work for the new user until the user is uploaded to the MaaS360 Portal (after a successful data fetch).
  • Using different domains for both Azure and Active Directory (AD) is not supported.
  • Visibility in both Azure and Active Directory for the same customer is not supported.
  • If a user receives a new domain after a device is migrated from an old domain, you might have to re-enroll the device if policies do not work on the device.
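
The 10.69 routing rules and the first limitation above can be modelled as a small decision function, which is useful for checking a planned configuration before users hit failed logins. This is an added example, not MaaS360 code; `TenantConfig`, `resolve_auth_source` and `audit` are hypothetical names and the sample tenant is constructed.

```python
from dataclasses import dataclass, field

AAD, OPAD = "AAD", "OPAD"  # source labels as used on this page

@dataclass
class TenantConfig:  # hypothetical model of a tenant, not a MaaS360 object
    auth_sources: set                                  # sources configured for authentication
    visibility: set = field(default_factory=set)       # sources configured for user visibility
    portal_users: dict = field(default_factory=dict)   # username -> auth type on the portal record

def resolve_auth_source(cfg, username):
    """Return (source, reason); source is None when the request fails."""
    if not cfg.auth_sources:
        return None, "no authentication source configured"
    if len(cfg.auth_sources) == 1:
        # Standalone: the only configured source handles known and unknown users.
        return next(iter(cfg.auth_sources)), "standalone"
    if username in cfg.portal_users:
        # Mixed-mode, record exists: use the authentication type on the record.
        return cfg.portal_users[username], "authentication type on user record"
    if len(cfg.visibility) != 1:
        # 10.69 limitation: no visibility, or both, fails users missing from the portal.
        return None, "user not in portal; visibility set on neither or both sources"
    visible = next(iter(cfg.visibility))
    # Mixed-mode, no record: AD if Azure visibility is configured, Azure AD if AD visibility is.
    return (OPAD if visible == AAD else AAD), f"user not in portal; {visible} visibility"

def audit(cfg):
    """List the 10.69 limitations that a mixed-mode configuration runs into."""
    findings = []
    if len(cfg.auth_sources) > 1:
        if not cfg.visibility:
            findings.append("no visibility configured: users missing from the portal fail")
        elif cfg.visibility >= {AAD, OPAD}:
            findings.append("visibility on both Azure and AD is not supported")
    return findings

if __name__ == "__main__":
    # Constructed sample tenant: both sources, AD visibility, one known user.
    cfg = TenantConfig({AAD, OPAD}, {OPAD}, {"alice": OPAD})
    for user in ("alice", "bob"):
        print(user, resolve_auth_source(cfg, user))
    print(audit(TenantConfig({AAD, OPAD})))
```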

Mixed-mode scenarios introduced in the MaaS360 10.72 platform release

For the 10.72 release, the following mixed-mode scenarios are supported. The administrator can set the default authentication type setting in the Portal Settings page to support mixed-mode scenarios if a user uses both Active Directory (AD) and Azure Active Directory (AAD) in their environment. The following default authentication types are available:
  • None: No authentication source is used.
  • Corporate (AD): Uses Active Directory (AD) as the primary authentication source.
  • Corporate (AzureAD): Uses Azure Active Directory (AAD) as the primary authentication source.
  • Both: Depending on where the user information is available, MaaS360 picks the appropriate authentication source.

Mixed-mode options for authentication

10.72 release - scenario 1: On-Premises Active Directory (OPAD) and Azure Active Directory (AAD) authentication

The default authentication types function in this scenario as follows:
  • None: Authentication fails.
  • Corporate (AD): Authentication is successful for an Active Directory (AD) user, but fails for an Azure Active Directory (AAD) user.
  • Corporate (AzureAD): Authentication is successful for an Azure Active Directory (AAD) user, but fails for an Active Directory (AD) user.
  • Both: Authentication is successful.

10.72 release - scenario 2: On-Premises Active Directory (OPAD) authentication and visibility and Azure Active Directory (AAD) authentication and visibility

The default authentication types function in this scenario as follows:
  • None: Authentication is successful.
  • Corporate (AD): Authentication is successful for both an Active Directory (AD) user and an Azure Active Directory (AAD) user.
  • Corporate (AzureAD): Authentication is successful for both an Azure Active Directory (AAD) user and an Active Directory (AD) user.
  • Both: Authentication is successful.

Note: You must have user visibility enabled for either Active Directory (AD) or Azure Active Directory (AAD).

10.72 release - scenario 3: On-Premises Active Directory (OPAD) authentication and visibility and Azure Active Directory (AAD) authentication

The default authentication types function in this scenario as follows:
  • None: Authentication is successful for an Active Directory (AD) user, but fails for an Azure Active Directory (AAD) user.
  • Corporate (AD): Authentication is successful for an Active Directory (AD) user, but fails for an Azure Active Directory (AAD) user.
  • Corporate (AzureAD): Authentication is successful for both an Azure Active Directory (AAD) user and an Active Directory (AD) user.
  • Both: Authentication is successful.