Supporting mixed-mode and Microsoft Entra ID and On-Premises Active Directory (OPAD) scenarios
Information about mixed-mode authentication for Microsoft Entra ID and On-Premises Active Directory (OPAD).
Scenarios supported in MaaS360 10.68 and earlier platform releases
In previous releases of the MaaS360 platform (10.68 and earlier), MaaS360 only supported the
following scenarios:
- Microsoft Entra ID authentication with Microsoft Entra ID visibility
- On-Premises Active Directory authentication with On-Premises Active Directory visibility
Mixed-mode scenarios introduced in the MaaS360 10.69 platform release
With the 10.69 platform release, MaaS360 supported Microsoft Entra Authentication and AD/LDAP
Authentication mixed-mode setup. The following mixed-mode scenarios for Microsoft Entra ID and
On-Premises AD (OPAD) were introduced in 10.69:
- Standalone: If a user configured only one authentication source, then MaaS360 authenticates with the configured authentication source.
  - Microsoft Entra ID authentication and visibility:
    - If a user is available in the MaaS360 Portal, Microsoft Entra ID handles authentication.
    - If a user is not available in the MaaS360 Portal and Microsoft Entra authentication is configured, Microsoft Entra ID handles authentication and the user is created in the MaaS360 Portal.
  - On-Premises Active Directory (OPAD) authentication and visibility:
    - If a user is available in the MaaS360 Portal, On-Premises Active Directory (OPAD) handles authentication.
    - If a user is not available in the MaaS360 Portal and On-Premises authentication is configured, On-Premises Active Directory (OPAD) handles authentication, and the user is created in the MaaS360 Portal.
- Mixed-mode: If a user configured more than one authentication source, the following applies:
  - If a user record is available in the MaaS360 Portal and the user's authentication type is Microsoft Entra, MaaS360 uses the authentication type that is selected for authentication.
  - If a user record is not available in the MaaS360 Portal, MaaS360 uses Active Directory to authenticate if Microsoft Entra visibility is configured or Microsoft Entra ID if Active Directory visibility is configured.
Note: If a customer has configured Active Directory authentication and tries to configure Microsoft Entra authentication with no configured visibility, MaaS360 displays a message recommending that the customer must configure at least one visibility.
Limitations with mixed-mode scenarios introduced in the MaaS360 10.69 platform release
The following limitations and unsupported scenarios apply to the 10.69 release:
- If a customer has configured more than one authentication source and has not configured visibility on any of the sources or has configured both types of visibility, MaaS360 fails the authentication request for users that are not available in MaaS360.
- If a new user is added in Active Directory (AD) who is configured for visibility, authentication does not work for the new user until or unless the user is uploaded to the MaaS360 Portal (after a successful data fetch).
- Using different domains for both Microsoft Entra and Active Directory (AD) is not supported.
- Visibility in both Microsoft Entra and Active Directory for the same customer is not supported.
- If a user receives a new domain after a device is migrated from an old domain, you might have to re-enroll the device if policies do not work on the device.
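The 10.69 selection rules and limitations above, modeled as a small decision function. This is an added example, not MaaS360 code or a MaaS360 API; the names `resolve_auth_source`, `audit_mixed_mode`, `AD` and `ENTRA` are hypothetical.

```python
from typing import List, Optional, Set

AD, ENTRA = "AD", "ENTRA"  # labels chosen for this sketch, not MaaS360 values


def resolve_auth_source(auth_sources: Set[str], visibility: Set[str],
                        user_auth_type: Optional[str]) -> Optional[str]:
    """Return the directory that handles a login, or None if the request fails.

    auth_sources:   directories configured for authentication
    visibility:     directories configured for user visibility
    user_auth_type: authentication type on the portal user record,
                    or None when the user has no record in the portal
    """
    if not auth_sources:
        return None  # assumption: nothing configured is treated as a failure
    # Standalone: the single configured source handles every login.
    if len(auth_sources) == 1:
        return next(iter(auth_sources))
    # Mixed mode, user record present: the type selected on the record is used.
    if user_auth_type is not None:
        return user_auth_type
    # Mixed mode, no user record: exactly one visibility source is needed,
    # and the request is sent to the other directory.
    if visibility == {ENTRA}:
        return AD
    if visibility == {AD}:
        return ENTRA
    return None  # no visibility, or both: the request fails (10.69 limitation)


def audit_mixed_mode(auth_sources: Set[str], visibility: Set[str]) -> List[str]:
    """List findings for a planned configuration, based on the limitations above."""
    findings = []
    if len(auth_sources) > 1 and len(visibility) != 1:
        findings.append("users without a portal record fail to authenticate: "
                        "configure visibility on exactly one source")
    if len(auth_sources) > 1 and len(visibility) == 1:
        visible = next(iter(visibility))
        findings.append(f"new {visible} users are routed to the other directory "
                        "until a data fetch uploads them to the portal")
    return findings
```

In this model a new AD user with AD visibility and no portal record resolves to `ENTRA`, which is consistent with the listed limitation that such a user cannot authenticate until a successful data fetch.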
Mixed-mode scenarios introduced in the MaaS360 10.72 platform release
For the 10.72 release, the following mixed-mode scenarios are supported. The administrator can set the
default authentication type setting in the Portal Settings page to support mixed-mode scenarios if a
user uses both Active Directory (AD) and Microsoft Entra ID in their environment. The following
default authentication types are available:
- None: No authentication source is used.
- Corporate (AD): Uses Active Directory (AD) as the primary authentication source.
- Corporate (Microsoft Entra ID): Uses Microsoft Entra ID as the primary authentication source.
- Both: Depending on where the user information is available, MaaS360 picks the appropriate authentication source.
10.72 release - scenario 1: On-Premises Active Directory (OPAD) and Microsoft Entra ID authentication
The default authentication types function in this scenario as follows:
- None: Authentication fails.
- Corporate (AD): Authentication is successful for an Active Directory (AD) user, but fails for a Microsoft Entra ID user.
- Corporate (Microsoft Entra ID): Authentication is successful for a Microsoft Entra ID user, but fails for an Active Directory (AD) user.
- Both: Authentication is successful.
10.72 release - scenario 2: On-Premises Active Directory (OPAD) authentication and visibility and Microsoft Entra ID authentication and visibility
The default authentication types function in this scenario as follows:
- None: Authentication is successful.
- Corporate (AD): Authentication is successful for both an Active Directory (AD) user and a Microsoft Entra ID user.
- Corporate (Microsoft Entra ID): Authentication is successful for both a Microsoft Entra ID user and an Active Directory (AD) user.
- Both: Authentication is successful.
10.72 release - scenario 3: On-Premises Active Directory (OPAD) authentication and visibility and Microsoft Entra ID authentication
Note: You must have user visibility enabled for either Active Directory (AD) or Microsoft Entra ID.
The default authentication types function in this scenario as follows:
- None: Authentication is successful for an Active Directory (AD) user, but fails for a Microsoft Entra ID user.
- Corporate (AD): Authentication is successful for an Active Directory (AD) user, but fails for a Microsoft Entra ID user.
- Corporate (Microsoft Entra ID): Authentication is successful for both a Microsoft Entra ID user and an Active Directory (AD) user.
- Both: Authentication is successful.