AD Security Questions


Enabling this MFA technique allows you to set up AD-based security questions as the multi-factor authentication criteria and verify answers from the attribute value available in AD.


For example, assume that you have set ‘What is your social security number?’as an AD-based security question, and linked a custom based attribute of the user as the answer. Now when a user attempts a password reset, they are required to enter the correct answer (i.e., user's social security number). If the answer entered by the user matches the value of the original AD attribute (i.e., the value of the custom attribute), the user is successfully authenticated.


As this MFA technique utilizes the users' AD attributes, they need not enroll with ADSelfService Plus separately. This is a definite plus for admins who will be free from the burden of ensuring that every user has completed the enrollment process.

Make sure that the AD attributes mapped to the security questions are not readable through a LDAP browser or other tools.


Configuration steps:

  1. Log in to the ADSelfService Plus web console with admin credentials.

  2. Navigate to Configuration tab → Multi-factor Authentication section → AD Security Questions.

  3. Select the Enable AD Security Questions checkbox.

  4. Click the Add Question button to add a new question. 

    Enable AD Security Questions

  5. Assign a value to the AD security question by selecting an attribute from the Verify With drop-down.

  6. Click Save Settings.

  • Click the asterisk symbol [*] to make the AD security question mandatory. 

  • When AD Security Questions method of authentication is enabled, the users need not enroll separately with ADSelfService Plus.

  • If you’ve mapped a multi-valued attribute (say, otherMobile)  to a security question, any value of that attribute is considered as a valid answer.

Copyright © 2020, ZOHO Corp. All Rights Reserved.