Secure Application Model Framework in NAP

On June 27, 2020, Nerdio Admin Portal (NAP) rolled out Microsoft's Secure Application Model (SAM) framework for making secure, scalable API calls to Azure and Microsoft 365. Among other things, the Secure Application Model requires applications such as NAP to use Service Principals for API integration.

Impact to New NFA Accounts

When a new NFA account is created, the provisioning process now works as follows:

  1. The user provisioning the NFA account grants the Nerdio app access to Azure and M365.
  2. NAP creates one GA user: AdminPortalM365AdminNNNN.
  3. NAP creates Service Principals.

NAP will use the Service Principals to make API calls and run PowerShell commands. You no longer need to whitelist Nerdio IP addresses during account provisioning.

Users will be required to complete a new step after provisioning: once the account is provisioned, an EXO connection process is presented on the "Home" page (see screenshots).

imageone.jpg

imagetwo.jpg

There are no other UI changes in NAP. The user flow otherwise remains the same.

Note: If EXO setup is not complete, the partner will receive an email in the following format:

EXO_token_expiration_email.png

Impact to Existing NFA Accounts

If you have an NFA account that you provisioned prior to June 27th:

1. If you enable MFA on the NerdioAzureAdmin user, Desktop auto-scale will stop working (if you are using DAS). You will need to disable and re-enable Desktop auto-scale for it to work after MFA is enabled on NerdioAzureAdmin.

2. If you enable MFA on the NerdioM365Admin user, and the NerdioM365Admin user was used to restore the token at some point in the past, the M365 token in the NAP DB will become invalid. You should go through the OAuth token restore process for M365 to get the account working again. Without it, the update AD cache task will fail.

3. You will see a message asking you to complete the EXO setup by entering a code:
mceclip0.png
This is optional, but completing this step will make the account compatible with Modern Authentication for EXO. Note that for existing accounts, EXO will continue running with the password credential of NerdioM365Admin until you complete setup for Modern Authentication.

Note: If EXO setup is not complete, the partner will receive an email in the following format:

EXO_token_expiration_email__5009.png
