Forcing SSO prevents creation of new Admins
We are a new customer with 1100 licenses and are experiencing issues with creating new Admins.
Together with Xink support, we have discovered that when enabling "Force SSO" (which is required by our corporate policy), it's no longer possible to create new Admin users.
The issue happens because you have to create a password for a new admin, and that admin has to log in with that password the first time in order to link their account with Azure AD. And they are of course not able to log in with a password when "Force SSO" is enabled.
The implementation of SSO is not very well thought through. When "Force SSO" is enabled, a new Admin creation should not require filling out a password, but simply use the e-mail address to automatically map the user to the claim from Azure when using SSO, which would usually be the UserPrincipalName.
That would also remove the need for linking an account to Azure AD as it would always automatically map the e-mail field.
Most other cloud solutions have a much better SSO implementation using SAML against Azure AD where this works seamlessly. The Azure Admin can then change what to send as the UniqueID claim in Azure AD, if for example the E-mail address should be used instead of the UserPrincipalName.
Please improve the SSO logic so it's possible to create new Admins without disabling "Force SSO" and without requiring a password to be created for the user.
The need for each admin user to link their Azure AD account also makes the onboarding of Marketing personnel for campaigns very difficult/not user-friendly.
If the above method is implemented instead, then an Admin can just create their account and send them the link to the portal, and they will automatically be logged in with SSO without needing to be sent a password, or link an account.
It would be good if we could provision admin accounts from Azure AD security groups and enable SSO
Agreed - and it would be fairly easy to implement using SAML and SCIM