The settings under the Enrollment tab are advanced configuration options that control how ADSelfService Plus behaves during and after user enrollment.
Force Users to Enroll
This feature allows an administrator to make enrollment mandatory for end users. In other words, whenever a non-enrolled user logs in to ADSelfService Plus, a message prompting the user to enroll is displayed.
Once the user enrolls with ADSelfService Plus, they are granted access to the other features of the application.
Hide "Enrollment" tab from end-users page once they enrolled
This feature prevents users from modifying their security questions. It is mainly used when an administrator "Auto Enrolls" users with pre-configured security questions and answers and wants to deny users the privilege of changing them.
Reorder the identity verification steps and make them mandatory
This feature allows administrators to select which of the multi-factor authentication options will be enforced, and change the order in which they are employed during the reset password/unlock account process. Once selected, the users will be forced to prove their identity via all the selected authentication options and also in the same order as set by the admin.
However, if the user has previously enrolled for only some of the authentication options that are being enforced, he/she will still be able to reset password/unlock account. Also, if none of the multi-factor authentication options are made mandatory, the user will be allowed to prove his identity via an authentication option that he/she chooses.
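The enforcement rule described above can be modelled to find users who would be verified with fewer factors than the administrator enforces. This is an added example, not ADSelfService Plus code; it assumes a partially enrolled user is verified with the enforced options they have enrolled for, in the administrator's order, and the function names and sample directory are constructed.

```python
from typing import NamedTuple

class Plan(NamedTuple):
    steps: tuple   # authenticators the user must pass, in order
    status: str    # "full", "partial", "user-choice" or "not-enrolled"

def verification_plan(enforced, enrolled, user_choice=None):
    """enforced: admin-ordered list of mandatory authenticators.
    enrolled: set of authenticators the user has enrolled for."""
    if not enforced:
        # Nothing is mandatory: the user verifies with one option they pick.
        if user_choice in enrolled:
            return Plan((user_choice,), "user-choice")
        return Plan((), "not-enrolled")
    # Keep the administrator's order, skipping options the user lacks (assumption).
    steps = tuple(a for a in enforced if a in enrolled)
    if not steps:
        return Plan((), "not-enrolled")
    status = "full" if len(steps) == len(enforced) else "partial"
    return Plan(steps, status)

def audit(enforced, directory):
    """Map each user who is not fully enrolled to the enforced options they lack."""
    gaps = {}
    for user, enrolled in directory.items():
        if verification_plan(enforced, enrolled).status != "full":
            gaps[user] = [a for a in enforced if a not in enrolled]
    return gaps

# Constructed sample data: enforced order and per-user enrollment.
ENFORCED = ["Security Question and Answer", "Verification Code"]
DIRECTORY = {
    "alice": {"Security Question and Answer", "Verification Code"},
    "bob": {"Verification Code"},
    "carol": set(),
}

if __name__ == "__main__":
    for user, missing in audit(ENFORCED, DIRECTORY).items():
        print(user, "is missing:", ", ".join(missing))
```

Users reported by `audit` are the ones to follow up with, for example through forced enrollment, before relying on the enforced order.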
In the Verification Code tab, you can specify the AD attribute from which the user's mobile number or email address is retrieved.
Navigate to Configuration tab → Self-Service → Multi-factor Authentication → Advanced button → Verification Code tab.
Select the desired Domain from the drop-down list.
Select the required AD attribute from the drop-down list.
Check the Enable secondary mail and mobile data enrollment checkbox to enable enrollment via secondary mail and mobile data.
Click the Force users to specify alternate email address checkbox to force users to specify a secondary email address during enrollment.
Click the Force users to specify alternate mobile number checkbox to force users to specify a secondary mobile number during enrollment.
To allow users to enter mobile numbers in multiple formats, list the allowed formats, separated by commas, in the Force users to add mobile number in format field. For example, you could enter two different mobile number formats in the field as: XXX XXX XXX, XXX XXXX XXX.
Under the 'Q & A Settings' tab, you can configure the display settings of the 'Security Q & A' feature, which is used for user authentication.
The Q & A Settings tab has two sections
From the "Question Settings" section, you can define the number of questions displayed to the end user and the format in which the questions are displayed.
Options available under the 'Question Settings' are listed below:
An administrator can select any of these options based on the level of security or convenience they want to provide to users.
With this option, you can define the number of questions to be displayed to the end user. The application selects the questions at random from the available list of security questions configured under Security Question and Answer Settings.
Display _ AD Security Questions Out Of (Available list of AD Security Questions) at random
Select this option to specify the number of questions to be asked during the identity verification process.
The settings you configure in the Question Settings section and Answer Settings section are common for two methods of MFA: Security Question and Answer and AD Security Questions.
Checking this option will display the security questions one by one (i.e., one question per page).
Selecting this option will display all the security questions on a single page.
Display of Security Questions One by One or All in a Single Page is based on
An administrator can select any of these 'Answer Settings' options based on the level of security or convenience they want to provide to users.
Under the 'Answer Settings' option, you are provided with the following self-explanatory settings.
Prevent a User From Providing The Same Answer To Multiple Questions.
Prevent a User From Using any Word of a Question in his Answers.
Verify whether the Security Question(s) are Case Sensitive.
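The three answer rules above, written out as an added example (not ADSelfService Plus code) to show how they behave on real input. The function names and sample answers are constructed, and comparing duplicates case-insensitively after whitespace normalisation is an assumption of this sketch.

```python
import hmac
import re

def _words(text):
    # Lower-cased alphanumeric tokens, so punctuation and case do not hide reuse.
    return set(re.findall(r"[a-z0-9]+", text.lower()))

def enrollment_problems(pairs):
    """pairs: list of (question, answer). Returns a list of (question_no, reason)."""
    problems, first_use = [], {}
    for no, (question, answer) in enumerate(pairs, start=1):
        # Rule 1: the same answer must not be given to more than one question.
        key = " ".join(answer.casefold().split())
        if key in first_use:
            problems.append((no, "same answer as question %d" % first_use[key]))
        else:
            first_use[key] = no
        # Rule 2: no word of the question may appear in its answer.
        reused = sorted(_words(question) & _words(answer))
        if reused:
            problems.append((no, "uses question word(s): " + ", ".join(reused)))
    return problems

def answer_matches(enrolled, supplied, case_sensitive):
    """Rule 3: compare a supplied answer with the enrolled one, honouring case."""
    a, b = enrolled.strip(), supplied.strip()
    if not case_sensitive:
        a, b = a.casefold(), b.casefold()
    # Constant-time comparison avoids leaking how much of the answer matched.
    return hmac.compare_digest(a.encode("utf-8"), b.encode("utf-8"))

# Constructed sample enrollment.
SAMPLE = [
    ("What was the name of your first pet?", "Rex"),
    ("What is your favourite film?", "rex "),
    ("In which city were you born?", "Born in Leeds"),
]

if __name__ == "__main__":
    for no, reason in enrollment_problems(SAMPLE):
        print("question %d: %s" % (no, reason))
```

Read literally, the question-word rule also rejects short common words such as "in", which is why the third sample answer is flagged twice over.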
Other Settings for Securing the User-Account:
In addition to the "Answer Settings" features, ADSelfService Plus provides other settings that help secure a user account by keeping the security answers from being compromised.
When an administrator checks this option, the answers that end users provide to security questions at enrollment are stored in the product database using reversible encryption. This information can be viewed in the "Security Questions and Answers Report".
When an administrator checks this option, answers to security questions are hidden from end users when they use the application to attempt a Password Reset / Account Unlock operation.