Considerations and Limitations of Azure Single Sign-On
Review this section to understand the limitations and considerations of implementing SSO via Azure AD.
Azure AD Versus Other Identity Providers
Deltek has selected Azure AD as it is the most common identity provider for both on-premises and cloud PIM clients. If you use a different active directory or identity provider, please let us know via the PIM Ideas Portal so that we can consider providing alternative options in future releases.
Multi-factor Authentication
Azure AD allows for multi-factor authentication (MFA) to be configured on the main domain logon event, including PIM's new Azure AD logon method. This can provide a more uniform approach for implementing MFA than the standalone 2FA system in PIM. If you have implemented 2FA on your PIM system, you can keep this in place for users that do not log on using Azure SSO. Note that 2FA is bypassed when users log into PIM via Azure SSO.
Mobile Apps
PIM mobile apps have not yet been developed to support Azure AD single sign-on. Users of PIM mobile apps, including the PIM Mobile Working and PIM Mobile Time and Expenses apps, will continue to use their existing trusted or partner logon credentials to access the apps. These credentials should not be removed once SSO usernames have been issued.
User Logon / License Administration
As of PIM 22.0, the PIM Users and Licenses page has been updated to group the different types of licensed users on distinct tabs. Users that benefit from the traditional Trusted license type, previously defined by their NT username credentials, are now referenced as full licensed users. They may additionally be configured to use either SSO or partner logon credentials, and the license draw-down is now solely based on the license type selected for each user on the user's logon configuration details page (Admin > System Security > Security > Users and Licenses > Edit page for a user).
You can now clearly identify which users are using the respective PIM license types, and you can add to the appropriate group using each tab's Add New User function.
Single Versus Multi-Tenant Azure AD Configuration
Currently, PIM only supports single tenant app registration. This means that only users from your internal Azure Active Directory may use the PIM Azure AD identity provider logon method. To provide guests with access, you can add them to your Azure AD to allow external partners to logon using SSO. However, this is not recommended. Instead, you are advised to use the standard partner license and logon method.