AdminOnDemand 2.5 - Release Notes

Product released June 12, 2024 - Document updated June 13, 2024


Azure AD multi-tenant support

We have encountered scenarios where the Azure user entity resided on one Azure tenant and the group membership was resolved on another Azure tenant.

We have also encountered scenarios where the user entity wasn’t allowed to resolve group membership from an Azure tenant.

In both scenarios, the user was denied elevation of privileges.

To rectify the encountered issues, we have adjusted the way that AdminOnDemand validates group membership in Azure AD.

The user login is (still) performed directly against Azure AD.

The group membership is resolved by querying the CapaOne API.


To allow the Azure AD integration from CapaOne to synchronize the necessary group information, please verify that you have configured the API permission GroupMember.Read.All as shown below.

[Screenshot: GroupMember.Read.All API permission configuration]

Run as different user functionality

Several of our customers have requested an option to let their IT employees elevate their privileges on endpoints without knowing end-user credentials.

Because session elevation with Azure AD validation always prompts for user credentials when Azure AD is reachable, this is now possible.


Azure AD group membership is cached for 15 minutes on endpoints, to minimize wait times for the end-user and avoid unnecessary load on the CapaOne API. This means that it can take up to 15 minutes for changes in Azure AD group membership to take effect.

If your endpoints are hybrid-joined, we strongly recommend using on-prem AD groups for validation!
