In Orchestrator, after migrating to Azure Active Directory (AAD), why is it no longer possible to log in? How can users be migrated from AD to AAD (Active Directory to Azure Active Directory)?
There is no AD to AAD user migration feature in Orchestrator. Because the feature does not exist, an AAD login and an AD login effectively use two different sets of users.
Auto-provisioning based on groups exists for both AD and AAD. In both cases the flow is:
- The user logs in to the external IdP (AD or AAD) and returns with an external identity and the groups mapped to it.
- When the AD user is created, it inherits permissions from those groups and is auto-provisioned if at least one of the groups has access to Orchestrator.
- There is no cross-"pollination": a user logged in through AD gets groups from AD, and a user logged in through AAD gets groups from AAD.
- As a result, the existing AD user cannot log in with AAD.
- What does not happen currently is auto-provisioning of the AAD user: because no AAD groups have been added to Orchestrator, there are two users in AspNetUsers but only one in Orchestrator.
The fix is to replicate the AD groups as AAD groups and import the AAD groups into Orchestrator instead of the AD ones. This means replicating the groups, their permissions across folders, and the other group-level settings for this to work.
To test this, import one AAD group that one of the "broken" users belongs to and grant it Orchestrator web access. The AAD login will then succeed and the user will be auto-provisioned.
All AD users must have username@domain as both their username and normalizedusername in the Identity and Orchestrator tables ('aspnetusers' and 'dbo.users').
If this occurs on an environment that was migrated, or the URL has changed, the table 'userlogins' must also be updated:
UPDATE [userlogins]
SET [LoginProvider] = 'https://NEWURL/identity'
WHERE [LoginProvider] = 'https://OLDURL/identity'
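As an added example (not part of the original article), the following T-SQL performs the username-format check from above and then applies the LoginProvider rewrite inside a guarded transaction that only commits when the row count matches. The table and column names (aspnetusers, userlogins, Id, UserName, NormalizedUserName, LoginProvider) are taken from this page and assumed to match the Identity database schema; OLDURL and NEWURL are placeholders.

```sql
-- Added example, not from the original article. Table and column names are
-- assumed from the text above (aspnetusers, userlogins, Id, UserName,
-- NormalizedUserName, LoginProvider). Replace OLDURL / NEWURL with the real
-- Identity Server host names before running.

-- 1. Pre-flight: AD users not stored as username@domain, or whose
--    NormalizedUserName does not equal the upper-cased UserName (ASP.NET
--    Identity normalizes by upper-casing). Run the same check against
--    dbo.users in the Orchestrator database.
SELECT [Id], [UserName], [NormalizedUserName]
FROM [aspnetusers]
WHERE [UserName] NOT LIKE '%@%'
   OR [NormalizedUserName] <> UPPER([UserName]);

-- 2. Rewrite LoginProvider in a transaction; commit only when the number of
--    rows updated equals the number that pointed at the old URL and no row
--    still references it, otherwise roll back.
DECLARE @Expected INT, @Updated INT;

SELECT @Expected = COUNT(*)
FROM [userlogins]
WHERE [LoginProvider] = 'https://OLDURL/identity';

BEGIN TRANSACTION;

UPDATE [userlogins]
SET [LoginProvider] = 'https://NEWURL/identity'
WHERE [LoginProvider] = 'https://OLDURL/identity';

SET @Updated = @@ROWCOUNT;

IF @Updated = @Expected
   AND NOT EXISTS (SELECT 1 FROM [userlogins]
                   WHERE [LoginProvider] = 'https://OLDURL/identity')
BEGIN
    COMMIT TRANSACTION;
    PRINT CONCAT('LoginProvider rewritten on ', @Updated, ' row(s).');
END
ELSE
BEGIN
    ROLLBACK TRANSACTION;
    PRINT 'Row count mismatch; no changes applied.';
END
```

Run the pre-flight SELECT first and correct any rows it returns before applying the rewrite, since the AD login depends on the username@domain form in both tables.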