Private Key Storage and Password Management with MS SSO

Is it possible for users/administrators to change the way the private key is stored? We are using MS SSO.
Additionally, can administrators enable the option for users to change their private key passwords? What happens if a user forgets their private key password?

All Comments (1)

Hello,

It's not possible for administrators to change how their users' private key is stored. Users themselves can change that in the Devolutions user portal under "Sign-In & Security" -> "Private Key Storage".
https://portal.devolutions.com/security/private-key

Administrators also cannot force change a user's private key password. If a user forgets a password, the user can start the "Forgot password or lost phone" flow from the login page. Once the flow is completed, the administrator has to re-invite him into the Hub. (Administration -> Users -> Find the user -> In the action column, there's a re-invite button.) The re-invite actually simply re-binds the user's private key to your Hub key. That way, the user can decrypt your Hub's data again.

If all this seems too complex for your setup, we also offer the encryption service, which is self-hosted (on-prem or in your own cloud). This service actually provides the encryption key so that users don't even have to set up a private key storage method. They simply log in via the SSO provider and they are redirected to the service so that the key can be injected and then forwarded to your Hub.
https://docs.devolutions.net/hub/web-interface/administration/configuration-security/authentication/encryption-service/

Have a good day!

Maxime Morin