Yes, you can!
The Evo Credential Provider (CredPro) supports operation with AzureAD on Windows 10 and 11, and on Windows Server 2016, 2019, and 2022. It is not supported on Server 2012 because that operating system does not support AzureAD.
There are exceptions to be aware of, however.
Sometimes there is a disconnect between the domain names used with AzureAD, because someone else had already taken the desired domain name or because it was mis-entered during setup. Consider a fictional "Acme" corporation. One mismatch would be an external domain of acme.com and an AzureAD domain of acmecorp.onmicrosoft.com: acme ≠ acmecorp. In the same manner, the external domain could be acmecorp.com and the AzureAD domain acme.onmicrosoft.com. Again, acmecorp ≠ acme, so the CredPro's internal pattern matching does not work. In that case there are two ways of resolving the problem with the CredPro.
Solution #1: Manually prepend AzureAD as the domain name
One resolution is that when the user enters their email address, they manually enter AzureAD as the domain name. For instance, they would enter AzureAD\evouser@acmecorp.onmicrosoft.com (or whatever their AzureAD email address is). The important part is the AzureAD\ prefix in front of the email address.
Solution #2: Modify the registry to treat all email addresses as AzureAD
Because the pattern doesn't match, a registry setting can be made that causes every email address to be treated as belonging to the AzureAD domain (as if it were prefixed with AzureAD\).
Registry key: HKEY_LOCAL_MACHINE\Software\EvoSecurity\EvoLogin-CP
Value name: aad_match_mode
Value: 2
The possible values for the aad_match_mode value are: 0 = smart/default, 1 = exact, 2 = all emails, 3 = no matching
Normally, this value is not in the registry and the CredPro treats it as 0 (smart/default). What the settings mean:
- 0 - acme.com matches acme.onmicrosoft.com and acme.com
- 1 - acme.com only matches acme.com, acme.onmicrosoft.com only matches acme.onmicrosoft.com
- 2 - any email address will match as the AzureAD domain
- 3 - no email address will match as the AzureAD domain
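The following PowerShell is an added example, not Evo Security's own code: it applies Solution #2 to the registry key named above, reads back the effective mode (treating an absent value as 0, as the article states), and models the four modes on the "Acme" mismatch. The Test-AadDomainMatch function is a hypothetical model of the documented behaviour, not the CredPro's actual matching code.

```powershell
# Added example (not Evo's code). Run from an elevated PowerShell session.
$CredProKey = 'HKLM:\Software\EvoSecurity\EvoLogin-CP'   # key from the article

# Effective mode: the value is normally absent, which CredPro treats as 0.
function Get-AadMatchMode {
    $item = Get-ItemProperty -Path $CredProKey -Name 'aad_match_mode' -ErrorAction SilentlyContinue
    if ($null -eq $item) { return 0 }
    return [int]$item.aad_match_mode
}

# Apply Solution #2: treat every email address as an AzureAD account.
function Set-AadMatchMode {
    param([ValidateRange(0, 3)][int]$Mode = 2)
    if (-not (Test-Path $CredProKey)) { New-Item -Path $CredProKey -Force | Out-Null }
    Set-ItemProperty -Path $CredProKey -Name 'aad_match_mode' -Value $Mode -Type DWord
}

# Hypothetical model of the four modes as the article describes them.
# Assumption: "smart" compares the first label (acme) of both domains.
function Test-AadDomainMatch {
    param([string]$Email, [string]$TenantDomain, [int]$Mode)
    $emailDomain  = ($Email -split '@')[-1].ToLower()
    $tenantDomain = $TenantDomain.ToLower()
    switch ($Mode) {
        0 { # smart/default: acme.com matches acme.com and acme.onmicrosoft.com
            ($emailDomain -eq $tenantDomain) -or
            (($emailDomain -split '\.')[0] -eq ($tenantDomain -split '\.')[0]) }
        1 { $emailDomain -eq $tenantDomain }   # exact
        2 { $true }                            # all emails
        3 { $false }                           # no matching
    }
}

# The article's mismatch case (acme vs acmecorp) in default mode, a matching
# tenant in default mode, and the mismatch case again with mode 2 applied.
Test-AadDomainMatch 'evouser@acme.com' 'acmecorp.onmicrosoft.com' 0
Test-AadDomainMatch 'evouser@acme.com' 'acme.onmicrosoft.com' 0
Test-AadDomainMatch 'evouser@acme.com' 'acmecorp.onmicrosoft.com' 2

Set-AadMatchMode -Mode 2
"aad_match_mode is now $(Get-AadMatchMode)"
```

Setting the mode to 2 means a local or on-premises-domain account entered as an email address will also be sent down the AzureAD path, so confirm that is the intended behaviour for every user of the machine before deploying it broadly.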