Idea ID: 2870869

DRA web client: Need way to distinguish between Azure account "sign-in blocked" vs. on-premise account disabled

Status: Under Consideration

This is partially implemented in the upcoming DRA 10.2 release; however, there is a need for clarification to understand more about the authoritative domain. I will set up the call with you.


After discussion with support: It appears that DRA displays the "account disabled" icon for an account if EITHER the Azure account has sign-in blocked OR the on-premise AD account is disabled. This causes a confusing UX for our users in the following scenario:

1. Account is disabled on-premise and Azure account has sign-in blocked

2. DRA admin enables the account using DRA

In this case the account still shows as disabled (because Azure sign-in is still blocked and has not synced yet).

After Azure directory sync with the on-premise domain completes and DRA completes IACR with Azure tenant, THEN DRA shows correctly that the account is enabled again.

This is very confusing for our users because they enable an account and it (confusingly) still shows as disabled.

There is perhaps more than one solution for this issue, e.g.:

1. Use a different icon to indicate if Azure sign-in is blocked vs. on-premise AD account is disabled?

2. Perhaps allow customer to specify which domain is authoritative (on-premise or Azure AD) and update the icon status based on the authoritative domain?

The current UX, while logical, is very confusing for hybrid cloud users where the on-premise domain is authoritative.


Azure AD
Web Client