Azure AD SSO and PH unlocking clarifications

Resolved

avatar

Hi there,

I need some clarifications about SSO login and unlocking features.

General SSO
We set up Azure AD SSO successfully and synced groups too. We have one Devolutions standard account already in place with the same username (e-mail) as the Microsoft one; now, this user can log in to Devolutions Portal and PH with his Microsoft credentials and with his Devolutions ones too: is that right? To avoid this, I think we need to use this PH setting:

forum image

But what will happen to our admin Devolutions/PH accounts with no SSO logins? Will we be cut off from our PH? If yes, how can we get access back?

Recovery 2nd factor method prompt?
What's the meaning of this prompt? Is it due to using the password unlocking method instead of the Workspace app?

forum image

Unlock step
We read the KBs but we are not sure about this feature. Is "unlocking" related to PH instead of general Devolutions accounts? Why do we need to unlock PH if the login is done through SSO with MFA? Is unlocking bound to devices only for a specific account, so you only need to unlock new devices?

User auto-logoff
We really want our PH users to have to log back in after a few mins of inactivity, so we set up this setting in PH:
forum image
Our user (with both a Devolutions and a Microsoft account on the same username) is logging in with Microsoft and after 5 mins is logged off; if he tries to log back in, he needs to pass the Microsoft MFA again! As we understood from the KBs, this is not correct, as he should find his account cached inside the browser session (not closed), asking for the Microsoft password only. Is that right? It's terribly tedious.

What's the meaning of "Block Tor traffic"? Is it for blocking users from logging in to PH by means of a Tor connection?

Force prompt login
What's the meaning of "Force prompt login"? And how can it be related to SSO?
forum image

Many thanks.

All Comments (7)

avatar

Again,

I tested a brand new Azure AD account as a member of our Azure AD group that is synced with Devolutions. After the Azure AD sync, the user appeared inside our Devolutions organization.

When this user tries to log in, the system asks him for the security key method (as the KB describes); if the user chooses the "password method", then he can log in to Devolutions Portal with these credentials too (without MFA if not manually set up inside Devolutions Portal). After he is invited to PH, I suppose he could log in with Devolutions credentials (instead of Azure AD), so without MFA. Is that right? If yes, that's not good at all, and how can we fix it? I suppose with:

forum image

Thanks again.

avatar

With or without this option, my users can log in with their Microsoft account anyway:

forum image

avatar

Hello,

We will check your different points and come back to you!

Best Regards,

Etienne Lord

avatar

Hope that you can help me understand, because I'm actually unable to start our PH with all these doubts.

avatar

Hello,

We will be able to have a look at this during our call!

Best Regards,

Etienne Lord

avatar

Hello Nicola,

Thank you for your time yesterday! If you have any further questions, do not hesitate!

Best Regards,

Etienne Lord

avatar

Thank you too!