On June 27, 2020, Nerdio Admin Portal (NAP) rolled out Microsoft's Secure Application Model (SAM) framework for making secure, scalable API calls to Azure and Office 365. Among other things, the Secure Application Model requires applications such as NAP to use Service Principals for API integration.
When a new NFA account is created, the provisioning process now works as follows:
- The user provisioning the NFA account grants the Nerdio app access to Azure and O365.
- NAP creates one GA user: AdminPortalO365AdminNNNN.
- NAP creates Service Principals.
NAP will use the Service Principals to make API calls and run PowerShell commands. You no longer need to whitelist Nerdio IP addresses during account provisioning.
Users will be required to complete a new step post-provisioning. After the account is provisioned, users will be presented with an EXO connection process on the Home page (see screenshots).
There are no other UI changes in NAP. User flow remains the same otherwise.
Impact on existing NFA accounts
If you have an NFA account that you provisioned prior to June 27th:
1. If you enable MFA on the NerdioAzureAdmin user, then Desktop auto-scale will stop working (if you are using DAS). You will need to disable and re-enable desktop autoscale in order for it to work after MFA is enabled on NerdioAzureAdmin.
2. If you enable MFA on the NerdioO365Admin user, and if the NerdioO365Admin user was used to restore the token some time in the past, the O365 token in the NAP DB will become invalid. You should go through the OAuth token restore process for O365 to get the account working again. Without it, the update AD cache task will fail.
3. You will see a message asking you to complete the EXO setup by entering a code:
This is optional, but completing this step will make the account compatible with Modern Authentication for EXO. Note that EXO will continue running with the password credential of NerdioO365Admin for existing accounts until you complete setup for Modern Authentication.