Multi-factor Authentication:

ADSelfService Plus offers advanced authentication techniques to verify users’ identities when they:

  1. Reset passwords or unlock accounts.
  2. Log in to their Windows, macOS, or Linux workstations.
  3. Log in to the ADSelfService Plus end-user portal.

    Important: Users must enroll themselves with the enforced authentication techniques before they can prove their identity by using them. Learn more about enrollment.

Supported authentication methods:

How to enable the required authentication methods for a specific set of users

  1. Go to the Configuration tab. In the Self-Service section, select the policy you want to modify, and click the Edit icon. You can also create a new policy by clicking the Add New Policy button.

  2. Click Select OUs/Groups at the bottom right of the webpage, and select the specific set of users for whom you wish to enable identity verification. Click OK.
    Tip: Select the Don't inherit child OU(s) option to only select the parent OUs.

  3. Select the password self-service features (Reset Password, Unlock Account, Self Update, or Change Password) that you wish to enable for the selected users. Click Save Policy.

  4. Go to the Authenticator Setup tab and configure the authentication methods that you want to enable for the selected policy. 

  5. Click Save Settings.
    Tip: Enforce authenticators based on user privileges: You can choose to configure different authentication methods for different sets of policies. For instance, if Policy 1 enforces YubiKey, Policy 2 can enforce one-time passcodes, and so on.

How to force users to enroll in specific authentication methods

  1. Go to Configuration → Self-Service → Multi-factor Authentication → MFA/TFA Settings.
  2. Choose the policy from the drop-down.
    Note: ADSelfService Plus allows you to create OU and group-based policies. To create a policy, go to Configuration → Self-Service → Policy Configuration → Add New Policy. Click Select OUs/Groups, and make the selection based on your requirements. You need to select at least one self-service feature. Finally, click Save Policy.
  3. In the Enrollment Settings, select Enforce these authenticators during enrollment and choose the authenticators to be set as mandatory.
  4. You can also choose to hide the Enrollment tab in the end-user portal for enrolled users.
  5. Click Save Settings.

How to enforce MFA for self-service password reset/account unlock

  1. Go to Configuration → Self-Service → Multi-factor Authentication → MFA/TFA Settings.
  2. Choose the policy from the drop-down.
    Note: ADSelfService Plus allows you to create OU and group-based policies. To create a policy, go to Configuration → Self-Service → Policy Configuration → Add New Policy. Click Select OUs/Groups, and make the selection based on your requirements. You need to select at least one self-service feature. Finally, click Save Policy.
  3. In the MFA for Reset/Unlock section, enter the number of authentication factors to be enforced, and select the authentication techniques to be used.
  4. Click Save Settings.

How to enforce MFA for Windows/macOS/Linux machines

Prerequisite:

Steps to enforce MFA for Windows/macOS/Linux machines:

  1. Go to Configuration → Self-Service → Multi-factor Authentication → MFA/TFA Settings.
  2. Choose the policy from the drop-down.

    Note: ADSelfService Plus allows you to create OU and group-based policies. To create a policy, go to Configuration → Self-Service → Policy Configuration → Add New Policy. Click Select OUs/Groups, and make the selection based on your requirements. You need to select at least one self-service feature. Finally, click Save Policy.

  3. In the Endpoint MFA section, select the second authentication factor from the drop-down.
  4. Enable the Bypass TFA if ADSelfService Plus is down option to let users log in without the second factor when the ADSelfService Plus server is unavailable.
  5. Click Save Settings.

How to enforce MFA for ADSelfService Plus logins

  1. Go to Configuration → Self-Service → Multi-factor Authentication → MFA/TFA Settings.
  2. Choose the policy from the drop-down.
    Note: ADSelfService Plus allows you to create OU and group-based policies. To create a policy, go to Configuration → Self-Service → Policy Configuration → Add New Policy. Click Select OUs/Groups, and make the selection based on your requirements. You need to select at least one self-service feature. Finally, click Save Policy.
  3. In the TFA for ADSelfService Plus login section, select the authenticators to be enforced from the drop-down.
  4. Select Disable TFA for SSO-enabled enterprise applications to skip TFA during SSO login to enterprise applications.
  5. Click Save Settings.

Copyright © 2020, ZOHO Corp. All Rights Reserved.