Authentication
For its integration with Microsoft 365, Cloud Drive Mapper (CDM) uses the Microsoft Authentication Library (MSAL). MSAL enables CDM to benefit from its compatibility with Microsoft Entra ID and other features, including single sign-on, multifactor authentication (MFA), and conditional access.
When you sign in to CDM, it attempts to authenticate in the following order:
- It uses an existing valid authentication token if it has one.
- If no valid token is available, CDM attempts a non-interactive flow through Single Sign-On (SSO), also known as "silent" token acquisition.
- If the non-interactive flow fails, which can happen when SSO is not enabled or when certain Conditional Access policies apply to your Microsoft 365 tenancy, CDM falls back to interactive token acquisition and asks you to re-authenticate.
By default, the non-interactive attempt made at the start of the interactive flow (Integrated Windows Authentication (IWA), or the silent flow of a third-party identity provider) is given up to 25 seconds to return a token. If no token arrives within that time, CDM falls back to prompting you for your password or for MFA.
You can change this threshold with the Authentication timeout setting on the Providers page in Iris; it cannot exceed 120 seconds. If most of your users cannot complete the silent attempt anyway (for example because they are not on a network where IWA can succeed), set the threshold as low as possible so they do not sit waiting for the fallback to kick in. CDM also falls back to interactive authentication whenever the user has to answer questions or supply additional information that you have configured as part of sign-in.
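The same three-step order, with the silent step bounded by the same 25-second budget, written out as an added PowerShell example using the MSAL.PS module (Install-Module MSAL.PS). This is not CDM's own code; the client ID, tenant, scope and login hint are placeholders, and the IWA step only works from a domain-joined Windows session.

```powershell
# Added example, not CDM's own code: cached token -> IWA (bounded) -> interactive,
# using the MSAL.PS module. All identifiers below are placeholders.
Import-Module MSAL.PS

$ClientId = '00000000-0000-0000-0000-000000000000'                # placeholder app registration
$TenantId = 'contoso.onmicrosoft.com'                             # placeholder tenant
$Scopes   = @('https://graph.microsoft.com/Files.ReadWrite.All')  # placeholder scope
$Cloud    = 'AzurePublic'   # AzureUsGovernment / AzureChina for sovereign clouds
$SilentBudgetSeconds = 25   # mirrors CDM's default Authentication timeout

function Get-TokenLikeCdm {
    [CmdletBinding()]
    param([string]$LoginHint = 'user@contoso.com')  # placeholder user

    # Step 1: reuse a valid token from MSAL's cache (refreshed silently if needed).
    try {
        $tok = Get-MsalToken -ClientId $ClientId -TenantId $TenantId -AzureCloudInstance $Cloud `
                             -Scopes $Scopes -Silent -LoginHint $LoginHint -ErrorAction Stop
        return [pscustomobject]@{ Method = 'cache'; AccessToken = $tok.AccessToken }
    } catch { Write-Verbose "No usable cached token: $($_.Exception.Message)" }

    # Step 2: non-interactive IWA in a background job, abandoned once the budget is spent.
    $job = Start-Job -ScriptBlock {
        Import-Module MSAL.PS
        (Get-MsalToken -ClientId $using:ClientId -TenantId $using:TenantId -AzureCloudInstance $using:Cloud `
                       -Scopes $using:Scopes -IntegratedWindowsAuth -LoginHint $using:LoginHint `
                       -ErrorAction Stop).AccessToken
    }
    $finished = Wait-Job -Job $job -Timeout $SilentBudgetSeconds   # $null when the timeout expires
    $iwaToken = if ($finished) { Receive-Job -Job $job -ErrorAction SilentlyContinue } else { $null }
    Remove-Job -Job $job -Force
    if ($iwaToken) { return [pscustomobject]@{ Method = 'iwa'; AccessToken = $iwaToken } }
    if (-not $finished) { Write-Verbose "IWA did not finish within $SilentBudgetSeconds s; falling back" }

    # Step 3: interactive prompt, where the user satisfies MFA and Conditional Access.
    $tok = Get-MsalToken -ClientId $ClientId -TenantId $TenantId -AzureCloudInstance $Cloud `
                         -Scopes $Scopes -Interactive -LoginHint $LoginHint
    return [pscustomobject]@{ Method = 'interactive'; AccessToken = $tok.AccessToken }
}

$result = Get-TokenLikeCdm -Verbose
'Acquired via {0}; access token length {1}' -f $result.Method, $result.AccessToken.Length
```

Run it with -Verbose to see which step produced the token. Lowering $SilentBudgetSeconds on machines that never complete IWA shows the same trade-off the Authentication timeout setting controls: a shorter budget gets users to the prompt sooner, a longer one gives slow IWA or proxy paths a chance to succeed.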
CDM also supports the Microsoft 365 Multi-Geo feature. This feature enables organizations to manage data residency requirements by allowing a single Microsoft 365 tenant to span across multiple geographic locations. For more information about this feature, please refer to Learn.microsoft.com.
Single Sign-On
You can integrate CDM with SSO solutions from most major providers, including (but not limited to):
- Microsoft
- Okta
- OneLogin
- PingID
- VMware
If you are using Microsoft Entra Connect (hybrid-joined devices), follow the steps below to check whether a device can sign in silently. For third-party identity providers, refer to their documentation.
- Press Windows + S on your keyboard to open the search box.
- Type cmd in the search box and open Command Prompt. dsregcmd /status does not need elevation; if you do choose Run as administrator and approve the User Account Control prompt, make sure the elevated session runs as the account you want to check, because the SSO State section describes the account running the command, not the device as a whole.
- Type dsregcmd /status, then press Enter.
- Scroll down until you see the SSO State section. If AzureAdPrt is set to YES, the signed-in user holds a Primary Refresh Token (PRT) on this device, which is what CDM's non-interactive sign-in relies on.
When AzureAdPrt is set to NO, there is no PRT for that user on that device and SSO will not work for them there. Also check AzureAdJoined and DomainJoined in the Device State section: a device that is not joined cannot obtain a PRT at all.
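The check above, as an added PowerShell example that parses dsregcmd /status and reports the join and PRT state CDM's silent sign-in depends on. It is not part of CDM or Iris. The sample output embedded below is a constructed excerpt so the parser can be exercised offline; on a real Windows machine, omit -StatusLines to run dsregcmd for the current user.

```powershell
# Added example, not CDM or Iris tooling: parse the "Key : Value" lines of
# dsregcmd /status into sections and give a verdict on silent SSO.

function ConvertFrom-DsregStatus {
    param([Parameter(Mandatory)][string[]]$Lines)
    $sections = @{}
    $current  = 'Preamble'
    foreach ($line in $Lines) {
        if ($line -match '^\|\s*(.+?)\s*\|\s*$') {            # banner such as "| SSO State |"
            $current = $Matches[1]
            if (-not $sections.ContainsKey($current)) { $sections[$current] = @{} }
            continue
        }
        if ($line -match '^\s*([^:|+]+?)\s*:\s*(.*?)\s*$') {   # "  AzureAdPrt : YES"
            if (-not $sections.ContainsKey($current)) { $sections[$current] = @{} }
            $sections[$current][$Matches[1]] = $Matches[2]
        }
    }
    return $sections
}

function Test-CdmSsoState {
    [CmdletBinding()]
    param([string[]]$StatusLines = (& dsregcmd.exe /status))   # live query when not supplied
    $s      = ConvertFrom-DsregStatus -Lines $StatusLines
    $device = if ($s.ContainsKey('Device State')) { $s['Device State'] } else { @{} }
    $sso    = if ($s.ContainsKey('SSO State'))    { $s['SSO State'] }    else { @{} }
    $prt    = $sso['AzureAdPrt']
    $joined = ($device['AzureAdJoined'] -eq 'YES') -or ($device['DomainJoined'] -eq 'YES')

    # The PRT is per user and per device, so the verdict applies to the account that ran dsregcmd.
    if ($prt -eq 'YES') {
        $verdict = 'PRT present: CDM should acquire its token without prompting.'
    } elseif ($joined) {
        $verdict = 'Device is joined but this user has no PRT: expect the interactive MSAL prompt; sign out and back in, and check hybrid join.'
    } else {
        $verdict = 'Device is not joined to Entra ID or a domain: silent SSO is not possible here.'
    }
    [pscustomobject]@{
        AzureAdJoined     = $device['AzureAdJoined']
        DomainJoined      = $device['DomainJoined']
        AzureAdPrt        = $prt
        AzureAdPrtUpdated = $sso['AzureAdPrtUpdateTime']
        SilentSsoExpected = ($prt -eq 'YES')
        Verdict           = $verdict
    }
}

# Constructed excerpt of dsregcmd /status output (not captured from a real machine).
$SampleStatus = @'
+----------------------------------------------------------------------+
| Device State                                                         |
+----------------------------------------------------------------------+

             AzureAdJoined : YES
          EnterpriseJoined : NO
              DomainJoined : YES
                DomainName : CORP

+----------------------------------------------------------------------+
| SSO State                                                            |
+----------------------------------------------------------------------+

                AzureAdPrt : YES
      AzureAdPrtUpdateTime : 2024-05-02 08:15:40.000 UTC
      AzureAdPrtExpiryTime : 2024-05-16 08:15:40.000 UTC
'@ -split '\r?\n'

Test-CdmSsoState -StatusLines $SampleStatus | Format-List
```

AzureAdPrtUpdateTime is worth reading alongside AzureAdPrt: a PRT that has not been refreshed for a long time, combined with Sign-in frequency policies, is a common reason a user who "has SSO" still lands on the interactive prompt.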
When SSO is not enabled, you must manually authenticate with your Microsoft 365 account. After that, subsequent CDM login attempts should be seamless for up to 90 days as your computer locally caches your authentication token. However, this duration can be influenced by conditional access policies applied by your organization, for instance, via Sign-in frequency settings for periodic authentication.
If you are using virtual applications in your Virtual Desktop Infrastructure (VDI), you must have an SSO solution enabled and ensure that MFA is not required. You will never see any CDM-controlled authentication window with virtual applications, including MSAL authentication. If SSO is enabled and functional, your CDM drives will appear within the application.
Integrated Windows Authentication (IWA)
CDM fully supports this protocol; IWA runs at the start of the interactive authentication flow, before users see an authentication window. Identity providers that do not support IWA, and some internal proxy configurations, can cause the authentication flow to loop. If you see such loops, disable the IWA usage toggle on the Providers page in Iris.
Microsoft Entra ID configuration options
We have a few settings specific to Microsoft Entra ID that provide broader support for different environments. These include the following:
Azure environment
If your Microsoft 365 tenancy is hosted in a national or government cloud rather than the public Azure cloud, select the matching environment from the Azure environment dropdown list on the Providers page in Iris so that CDM signs in against that cloud's endpoints. The available options are:
- Public (public cloud)
- Germany (Germany cloud)
- US Gov (US Government cloud)
- China (China cloud)
Azure application ID override
CDM can also authenticate through an application registration of your own instead of the Cloud Drive Mapper application in Microsoft Entra ID. We strongly recommend the already verified Cloud Drive Mapper Azure application, but if you want to control the permissions and scopes yourself, register your own application, grant it the permissions CDM needs, and enter its application (client) ID in the Azure application ID override box on the Providers page in Iris.
Email detection
When you use Microsoft Entra Connect or Active Directory Federation Services (ADFS) and your user accounts are synced from on-premises Active Directory to Microsoft Entra ID, CDM authenticates with the on-premises userprincipalname attribute by default. In a .local domain the UPN suffix is not a verified, routable domain, so Entra Connect replaces it with the tenant's default onmicrosoft.com domain when it syncs the account; the on-premises UPN then no longer matches the Microsoft 365 sign-in name, while the mail attribute, which carries the public domain, usually does. If Entra Connect or ADFS is set up in a .local domain, change the ADAttribute setting from userprincipalname to mail. You can do this on the Providers page in Iris.
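To decide whether the ADAttribute setting needs changing before users report sign-in failures, the following added PowerShell example checks each synced account's UPN suffix and mail domain against the domains verified in the tenancy. It is not CDM's own code; the sample accounts are constructed, and the verified domain (contoso.com) is an assumption to replace with your own. To run it against your directory, pipe in Get-ADUser -Filter * -Properties mail from the ActiveDirectory module.

```powershell
# Added example, not CDM's own code: report which accounts will match the cloud
# sign-in name under the default ADAttribute (userprincipalname) and which need mail.

function Get-CdmSignInAttributeReport {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory, ValueFromPipeline)] [object]$User,
        [Parameter(Mandatory)] [string[]]$VerifiedDomains   # domains verified in your Microsoft 365 tenancy
    )
    process {
        $upnSuffix  = ([string]$User.UserPrincipalName -split '@')[-1]
        $mailSuffix = ([string]$User.mail -split '@')[-1]
        $upnOk  = $VerifiedDomains -contains $upnSuffix
        $mailOk = $VerifiedDomains -contains $mailSuffix

        # A non-routable suffix such as .local is rewritten to the tenant's default
        # onmicrosoft.com domain during sync, so the on-premises UPN will not match.
        if ($upnOk)      { $recommendation = 'keep ADAttribute = userprincipalname' }
        elseif ($mailOk) { $recommendation = 'set ADAttribute = mail' }
        else             { $recommendation = 'neither attribute uses a verified domain; fix the account' }

        [pscustomobject]@{
            SamAccountName    = $User.SamAccountName
            UserPrincipalName = $User.UserPrincipalName
            Mail              = $User.mail
            UpnSuffixRoutable = $upnOk
            Recommendation    = $recommendation
        }
    }
}

# Constructed sample accounts (not real directory data).
$SampleUsers = @(
    [pscustomobject]@{ SamAccountName = 'jdoe';       UserPrincipalName = 'jdoe@corp.local';       mail = 'jane.doe@contoso.com' }
    [pscustomobject]@{ SamAccountName = 'bsmith';     UserPrincipalName = 'bsmith@contoso.com';    mail = 'bob.smith@contoso.com' }
    [pscustomobject]@{ SamAccountName = 'svc-backup'; UserPrincipalName = 'svc-backup@corp.local'; mail = $null }
)

$SampleUsers | Get-CdmSignInAttributeReport -VerifiedDomains 'contoso.com' | Format-Table -AutoSize
```

The ADAttribute setting is tenancy-wide, so the report is most useful in aggregate: if every account's UPN suffix is routable, leave the default; if the .local accounts all have a routable mail attribute, switch to mail; and any account flagged as matching neither attribute will fail to sign in whichever you choose until its attributes are fixed.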
Workplace Join lets you connect your computer to Microsoft Entra ID. When a device is connected via Workplace Join, CDM uses the first email address from the Connected Organizations list on the Access work or school page in Windows settings.
CDM includes a pre-configured username discovery method. In the case of Microsoft Entra domain-joined computers, CDM will always authenticate the user signed in to the computer. We understand that this may not be the desired outcome. You can bypass this configuration by disabling the Azure AD single sign on toggle from the Providers page in Iris.