Identity & server access
Use this page when you need to log into a server or reach an internal admin UI, or when you need to understand how SSO/MFA works across LEF systems.
For server details (OS, IPs, and what runs where), see Servers.
If you’re starting from a service URL/hostname, use Services and then open the relevant service page.
Identity & SSO (Entra)
Microsoft Entra ID is LEF’s primary identity provider. When a system supports SSO, we prefer integrating it with Entra so access and MFA are centrally managed.
Entra is also the identity backbone for Microsoft 365 (see Microsoft 365).
What Entra is used for
- SSO for internal services and SaaS tools (when supported).
- MFA enforcement via Conditional Access (where applicable).
- Access management via app assignments and groups.
How access is granted (high level)
- The user exists in Entra (synced or cloud-only).
- The user is assigned to an app (directly or via group).
- Conditional Access applies (MFA, device requirements, etc.).
Requests and approvals should follow the Access control policy.
Directory sync (AD → Entra)
Some identities are synchronized from Active Directory (core.lef) into Entra using Entra Connect. This matters for Microsoft 365 sign-in and for SSO patterns that rely on synced identities.
See Entra Connect (AD sync) for scope, OU filters, and UPN suffix rules.
Password policy (AD)
Password rules for the core.lef domain are maintained on the domain controller. See Domain controller (Active Directory).
Troubleshooting quick checks
| Symptom | Check |
|---|---|
| “SSO option missing” | Is the app integrated with Entra? Is the user assigned to it? |
| MFA loop / denied | Conditional Access policy, user location, and sign-in logs. |
| Can’t sign in to Microsoft 365 | Is the UPN suffix a verified domain? (see Entra Connect page). |
| Access removed unexpectedly | Group membership changes; follow access control policy. |
Prerequisites
- Your access is approved (see Access control policy).
- You are connected to the VPN (see VPN access) or on the private network.
- SSO and MFA (when supported) go through Entra.
- Credentials live in Vault: https://vault.lef.digital/
Where to find URLs
- Access portals (VPN, EVEO portal, Vault): see Access.
- Service/admin URLs (DNS, S3, Kanban, Workflow, etc.): see Services.
Servers (login targets)
See the Servers overview for the canonical list of login targets and service accounts by host group.
If you see older documentation referencing short hostnames like tools.lef, proxy.lef, or tokio.lef, use the canonical *.core.lef hostnames in Servers.
Perimeter ingress and VPN access are provider-managed. See Firewall & public ingress.
Access patterns
Linux servers (SSH)
- Use SSH:
  ssh <user>@<login-target>
- Prefer personal accounts; use privileged accounts only when required and approved.
- Prefer DNS hostnames in configs; IPs are for troubleshooting.
Windows server (RDP)
- Use Remote Desktop to rds.core.lef (VPN/LAN required).
- Certificate binding guidance: see Remote Desktop SSL.
Known risks / failure modes
- Not on VPN → internal DNS and services are unreachable.
- Public hostname resolves to public IP from inside LAN → use split-horizon DNS (see DNS split horizon).
- Wrong account or missing rights → follow the access control policy and request the right role/group.
- Local/shared accounts outside Entra become “invisible” to access reviews; avoid them unless required.
- Duplicating credentials across systems increases offboarding risk; prefer SSO.
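The first two failure modes above (not on VPN; public hostname resolving to a public IP from inside the LAN) can be caught before you open an SSH or RDP session. The script below is an added example, not part of the LEF documentation: it resolves a login target through the system resolver and reports whether the answer is missing, public, or private. The hostname rds.core.lef is taken from this page; the use of getent(1) with the ahostsv4 database is an assumption about the client machine (glibc and busybox both provide it).

```shell
#!/bin/sh
# Added example (not from the LEF docs): pre-login check that a login target
# resolves through internal DNS to a private address, which is what a working
# VPN connection plus split-horizon DNS should yield from inside the LAN.

# Return 0 if the IPv4 address is in a private/loopback/link-local range
# (RFC 1918 10/8, 172.16/12, 192.168/16; 127/8; 169.254/16), else 1.
is_private_ipv4() {
  case "$1" in
    10.*|127.*|169.254.*|192.168.*) return 0 ;;
    172.1[6-9].*|172.2[0-9].*|172.3[01].*) return 0 ;;
    *) return 1 ;;
  esac
}

# Map a resolved address (possibly empty) to one of: unresolved, private, public.
classify_resolution() {
  if [ -z "$1" ]; then
    echo unresolved
  elif is_private_ipv4 "$1"; then
    echo private
  else
    echo public
  fi
}

# Resolve a hostname to its first IPv4 address via the system resolver.
# Assumption: getent(1) with the ahostsv4 database is available on this host.
resolve_first_ipv4() {
  getent ahostsv4 "$1" 2>/dev/null | awk 'NR == 1 { print $1 }'
}

# Explain the result for one login target, mirroring the failure modes listed
# on this page. Returns 0 only when the name resolves to a private address.
check_login_target() {
  host="$1"
  ip="$(resolve_first_ipv4 "$host")"
  case "$(classify_resolution "$ip")" in
    unresolved)
      echo "$host: no answer from DNS. Are you on the VPN / using internal DNS?"
      return 1 ;;
    public)
      echo "$host: resolves to public address $ip. Split-horizon DNS is not in effect from here."
      return 1 ;;
    private)
      echo "$host: resolves to private address $ip. OK to proceed with ssh/RDP."
      return 0 ;;
  esac
}

# Usage: sh check_target.sh rds.core.lef
# Only performs a live lookup when a hostname is given on the command line.
if [ $# -gt 0 ]; then
  check_login_target "$1"
fi
```

Run it with the canonical *.core.lef name you are about to log in to; a non-zero exit means stop and fix VPN or DNS first rather than falling back to an IP in your SSH config. The private-range test is deliberately narrow (it does not treat CGNAT 100.64/10 or IPv6 ULA as private), so extend it if LEF’s internal ranges differ.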