r/activedirectory (+1 crosspost)

Pass-through authentication failing with some DCs offline

We’re taking our HQ building offline at the end of the week for a full switch infrastructure refresh - so all users will be remotely working.

In readiness this evening we tested that users would still be able to sign-in to Office365 and all cloud services inc. those with SSO to Entra. To simulate our HQ building being offline we took down both DCs at this site, leaving our Azure VM DC up and a DC at our branch office location up.

Unfortunately things didn’t go as expected…users couldn’t pass-through authenticate.

We’ve got an Entra Connect with PTA instance in Azure (active), and a second instance at our HQ in staging mode. The only time we could get PTA to work was when we also switched OFF the Entra Connect instance at our HQ…just leaving the Azure DC and Azure Entra Connect.

Entra wants multiple Entra Connect and PTA agents - but it seems like they become a problem if they are up with no local DCs.

Any ideas? Experience of Entra Connect in a failure scenario? Should it be seamless?

I’m wondering if maybe it’s a DNS configuration issue on the HQ Entra Connect instance - does it need the DNS address of the non-HQ DCs?

u/Prancing__Moose — 9 days ago
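The post above asks whether the HQ Entra Connect server needs the DNS addresses of the non-HQ DCs. The following diagnostic is an added example, not code from the post or from Microsoft; it is meant to be run on each Entra Connect / PTA agent server to show which domain controllers that box can currently locate and reach. The domain name is a placeholder, and the ports checked (LDAP 389, Kerberos 88) are a representative reachability check, not an exhaustive list of what the agent uses.

```powershell
# Added diagnostic (not part of the original post). Run on each Entra Connect / PTA agent
# server. Assumes a domain-joined Windows Server with the DnsClient and NetTCPIP modules
# (present by default) and nltest.exe available.
param(
    [string]$Domain = "corp.example.com"   # placeholder: replace with the AD DNS domain name
)

# 1. Which DCs does DNS currently advertise for this domain?
#    If the server's DNS servers all sit at the offline site, this step alone will fail.
$srv = Resolve-DnsName -Name "_ldap._tcp.dc._msdcs.$Domain" -Type SRV -ErrorAction Stop |
    Where-Object { $_.Type -eq 'SRV' }
"Advertised DCs:"
$srv | Select-Object NameTarget, Port, Priority, Weight | Format-Table -AutoSize

# 2. Which DC has the DC locator actually chosen right now?
nltest /dsgetdc:$Domain

# 3. Can each advertised DC be reached on LDAP (389) and Kerberos (88)?
#    A DC that resolves but is unreachable points at the site being offline;
#    a DC that never appears points at DNS.
$results = foreach ($rec in $srv) {
    foreach ($port in 389, 88) {
        $r = Test-NetConnection -ComputerName $rec.NameTarget -Port $port -WarningAction SilentlyContinue
        [pscustomobject]@{
            DC        = $rec.NameTarget
            Port      = $port
            Reachable = $r.TcpTestSucceeded
        }
    }
}
"Reachability:"
$results | Format-Table -AutoSize

# 4. Which DNS servers does this box query? If every entry is an HQ address,
#    the server has no way to find the Azure or branch DCs while HQ is down.
"Configured DNS servers:"
Get-DnsClientServerAddress -AddressFamily IPv4 |
    Where-Object { $_.ServerAddresses } |
    Select-Object InterfaceAlias, ServerAddresses | Format-Table -AutoSize
```

Run it once with all DCs up to record the baseline, then again with the HQ DCs down; comparing the two outputs shows whether the HQ agent's problem is that it cannot resolve the surviving DCs (step 1 or 4) or that it resolves them but cannot reach them (step 3).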

Security Power Platform developer accounts

So…we’ve had the same Power Platform developer in post for a very long time, and they’ve just retired. Most of their work was done in a dedicated account for Power Apps, Power Automate, etc., so when they left it just carried on. However, early stuff was in their own account - which obviously then broke when their account was offboarded…which gave the new hire some tasks for their first couple of weeks 🤣

But with my Cyber Security hat on the “shared” account for all Power Apps, connectors, flows, etc. also has me worried…shared creds = bad.

So I’m wondering what is the done thing in Power Platform world so Apps don’t break if the developer account is disabled/deleted/password changed. But also better security than just a shared account logged in via their In Private browser mode.

Also interested in whether the same applies for Power BI and the account which owns the refreshes of the semantic models?

u/Prancing__Moose — 1 month ago