Zoho OneAuth TOTP

Zoho OneAuth TOTP allows users to prove their identity by entering a time-based one-time passcode (TOTP) generated by the Zoho OneAuth app. When this authenticator is enabled, users open the Zoho OneAuth app on their enrolled device, retrieve the current TOTP for ADSelfService Plus, and enter it to complete authentication.

How it works

When a user reaches the Zoho OneAuth TOTP step, ADSelfService Plus prompts them to enter the TOTP displayed in their Zoho OneAuth app. The code is time-sensitive and refreshes at regular intervals. ADSelfService Plus validates the entered code and, if correct, authenticates the user. Users must enroll by linking their Zoho OneAuth app to their ADSelfService Plus account before they can use this authenticator.
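The validation step described above can be illustrated with a generic RFC 6238 verifier. This is an added example, not ManageEngine's or Zoho's code. It assumes the RFC defaults (HMAC-SHA-1, 30-second step, 6 digits), a one-step drift window and replay tracking, none of which the page states for Zoho OneAuth.

```python
import hashlib
import hmac
import struct


def totp(secret: bytes, unix_time: int, period: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP (RFC 4226) keyed on the number of elapsed time steps."""
    counter = unix_time // period
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F  # dynamic truncation: low nibble picks a 4-byte window
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)  # keep leading zeros


def verify(secret: bytes, submitted: str, unix_time: int, last_used_step: int = -1,
           drift_steps: int = 1, period: int = 30, digits: int = 6):
    """Return the matched time step, or None if the code is wrong, stale or replayed.

    drift_steps tolerates clock skew between the phone and the server (assumed value).
    last_used_step is the step of the last accepted code for this user; a code from
    that step or earlier is refused so that a captured code cannot be reused.
    """
    current = unix_time // period
    matched = None
    for step in range(current - drift_steps, current + drift_steps + 1):
        candidate = totp(secret, step * period, period, digits)
        # Constant-time comparison; every step in the window is always checked.
        same = hmac.compare_digest(candidate.encode(), submitted.encode())
        if same and step > last_used_step:
            matched = step
    return matched


if __name__ == "__main__":
    demo_secret = b"12345678901234567890"  # RFC 6238 test secret, not a real enrollment
    code = totp(demo_secret, 59)
    print("code at t=59:", code)
    print("same step:", verify(demo_secret, code, 59))
    print("one step late:", verify(demo_secret, code, 89))
    print("three steps late:", verify(demo_secret, code, 119))
    print("replayed:", verify(demo_secret, code, 59, last_used_step=1))
```

A code that is correct but rejected usually points to clock skew on the device or server that exceeds the accepted window.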

Prerequisites

  • You must have administrator access to the ADSelfService Plus portal.
  • At least one self-service policy must be configured before enabling this authenticator.
  • Users must have the Zoho OneAuth app installed on their device and must complete enrollment before they can authenticate using this method.

Configuration instructions

The navigation path to the Multi-factor Authentication page differs slightly between AD and Entra ID deployments.

  • Active Directory: Go to Configuration > Self-Service > Multi-factor Authentication > Authenticators Setup.
  • Entra ID: Select Microsoft Entra ID from the directory drop-down at the top-left, then go to Configuration > Self-Service > Multi-factor Authentication > Authenticators Setup.

Then:

  • From the Choose the Policy drop-down, select the policy you want to configure.
  • Click the Zoho OneAuth TOTP section to expand it.
  • Select a Username Pattern — this determines how ADSelfService Plus matches the authenticated user to their Zoho OneAuth account.
  • Click Save.

Tips

The Username Pattern setting determines how the user's identity is matched to their Zoho OneAuth account. Select the pattern that corresponds to how your users' accounts are identified in Zoho OneAuth — a mismatch between the pattern and the actual account identifier will cause authentication to fail even when the TOTP itself is correct.

Because Zoho OneAuth TOTP requires enrollment, inform users in advance and give them time to install the Zoho OneAuth app and link it to their ADSelfService Plus account before the authenticator is enforced in their policy. Use the MFA Enrollment tab (Entra ID) or the Enrolled Users Report (AD) to track enrollment progress.

If users switch devices, they will need to re-enroll their Zoho OneAuth app. Consider pairing this authenticator with a fallback method such as Email Verification to ensure users are not locked out during a device transition.