How do I enroll in ADSelfService Plus?
ManageEngine ADSelfService Plus requires you to enroll for the MFA verification methods configured by your administrator. ADSelfService Plus authenticates your identity using the information you provide during the enrollment process. Enrollment is mandatory for:
- MFA logins for machine, VPN, OWA, and enterprise applications, if the feature has been configured for these endpoints by the administrator
- Offline MFA during local and remote Windows and macOS logins, and UAC prompts, if your administrator has configured these features. Click here to learn more about enrollment for offline MFA.
- Self-service password resets and account unlocks using ADSelfService Plus
MFA authenticators in ADSelfService Plus
- Security Questions and Answers
You must answer a predefined set of personal questions, such as "What is your favorite color?" These questions can be configured by you or administrators. You can enroll by either defining custom questions and answers, or by providing answers to administrator-defined questions.
You will need to provide the correct answers to these questions during identity verification. Click here for the enrollment steps.
- Email Verification
An OTP will be sent to your email address. You must enter this OTP to confirm your identity. Administrators have the option to use the email address from your Active Directory profile or allow you to provide a different email address during enrollment. Click here for the enrollment steps.
- SMS Verification
You will have to enter an OTP sent to your mobile device to verify your identity. Administrators can either select the mobile number from your Active Directory profiles or allow you to provide a different number during the enrollment process. Click here for the enrollment steps.
- Google Authenticator
Google Authenticator is an app that utilizes TOTP codes for authentication. To enroll for this authenticator, you need to use the Google Authenticator app to scan the QR code shown under the Enrollment section in the ADSelfService end-user portal. Click here for the enrollment steps.
- Microsoft Authenticator
The Microsoft Authenticator app generates a TOTP that you will have to enter to authenticate yourself. For enrollment, you have to install the Microsoft Authenticator app and configure it with ADSelfService Plus. Click here for the enrollment steps.
- Microsoft Entra ID MFA
If your organization already has Microsoft Entra ID MFA enabled, admins can use the existing configuration to let you authenticate through the pre-enrolled authentication methods in Microsoft Entra ID. Supported methods include:
- Microsoft Authenticator app-based push notifications.
- Microsoft Authenticator app-based verification codes.
- Phone call-based verification.
- SMS-based verification.
- OATH hardware tokens using Yubico, DeepNet Security, and more.
To use Microsoft Entra ID MFA, you need not enroll from the ADSelfService Plus portal, but you should be enrolled for the authentication methods configured by your administrator in the Azure AD user portal. Contact your admin if you are not enrolled.
Note: This authentication method is available only for AD accounts.
- Duo Security
If your organization uses Duo Security, your admin can integrate it with ADSelfService Plus to secure logins, applications and endpoints. To authenticate yourself, you can approve or deny login requests to protected resources using:
- SMS-based verification codes.
- Phone call-based verification.
- App-based verification codes.
- Push notifications.
For enrollment, you will be required to select one of these methods for MFA. Depending on the method you select, you will have to either enter a code that you receive or accept a notification to authenticate yourself.
Click here for the enrollment steps.
- RSA SecurID
RSA SecurID is another method that uses passcodes for MFA. Enrollment is not required from the ADSelfService Plus portal; please contact your administrator for the RSA hardware token (passcode) that is mapped to your account. If configured by your RSA admin, to prove your identity, you will then need to enter an OTP generated via:
- A hardware token.
- The RSA SecurID mobile app, or
- Tokens received by email or SMS.
- RADIUS Authentication
For RADIUS Authentication, enrollment is not required from the ADSelfService Plus portal. Please contact your administrator for the RADIUS password that is mapped to your account. You will have to enter it during identity verification. If your admin has configured secondary authentication, you will also need to enter the answer to the RADIUS challenge (an OTP) generated via:
- A hardware token
- The RSA SecurID mobile app, or
- Tokens received by email or SMS.
Note: This authentication method is available only for AD accounts.
- Enrollment via the ADSelfService Plus app
The ADSelfService Plus mobile app can be used for these types of authentication:
- Push Notification Authentication
- Biometric Authentication
- QR Code-Based Authentication
- TOTP Authentication
You will have to download the app and enroll for each MFA method you wish to use. Click here for the enrollment steps.
- SAML Authentication
If your organization already uses SAML-based identity provider (IdP) applications such as Okta or OneLogin, your administrator can configure SAML authentication in ADSelfService Plus as a method to verify users' identities. You need not enroll for SAML authentication from the ADSelfService Plus portal; instead you will straightaway be redirected to your SAML IdP login URL for authentication.
Please contact your administrator to receive the identity provider credentials that are mapped to your account.
- AD Security Questions
In this method, the administrator sets up AD-based questions that are linked to existing or custom AD attributes such as Social Security numbers. To verify your identity, you must provide an answer that will be compared to the attribute value stored in AD for your user account. If they correspond, you will be authenticated.
For AD security questions, you are not required to enroll from the ADSelfService Plus portal. However, if you're unsure about the questions displayed, please contact your administrator.
Note: This authentication method is available only for AD accounts.
- YubiKey Authentication
YubiKey is a hardware device that uses codes for MFA. You can enroll for YubiKey authentication by either plugging the YubiKey device into the workstation and pressing its button (if you are enrolling via the ADSelfService Plus end-user portal), or tapping it against the mobile device (if you are enrolling via the ADSelfService Plus mobile app). When this is done, the code will be automatically updated in the field provided in ADSelfService Plus. Click here for the enrollment steps.
- Zoho OneAuth Authentication
Zoho OneAuth is an app that provides MFA and SSO for enterprise accounts. The app's TOTP feature can be leveraged by ADSelfService Plus and used as an authentication method. To enroll, you need to scan a QR code displayed in the ADSelfService Plus user portal, using the Zoho OneAuth app.
Once enrolled, you can authenticate by entering the TOTP displayed on the app in the field provided in the portal within the specified time. Click here for the enrollment steps.
- Smart Card Authentication
You will have to place the Smart Card issued to you by your organization against the card reader. If configured by your admin, you will need to enter the Smart Card PIN. This PIN and the information on the card will be compared with your enrollment information, and your identity will be verified if they match. Enrollment is not required from the ADSelfService Plus user portal; it automatically occurs when the user authenticates for the first time.
Note: This authentication method is available only for AD accounts.
- Custom TOTP Authenticator
Your administrator can add custom hardware and software TOTP apps used by your organization as authentication methods in ADSelfService Plus. Your enrollment process will depend on the app's capabilities.
To authenticate, you will have to enter the TOTP displayed on the app in the field provided in the product portal, within the specified time. Enrolling for custom TOTPs can be done by either you or your admin. Click here for the detailed self-enrollment steps.
- FIDO Passkeys
FIDO Passkeys are a form of authentication that can be used to replace passwords. You can use in-built authenticators like Windows Hello, Apple Touch/FaceID, etc., on your devices, or portable security keys like YubiKeys, Google Titan keys, etc., or even platform authenticators on roaming smartphones (i.e., smartphones other than the one you might be currently using to access the portal), to securely authenticate your identity.
Click here for the enrollment steps.
Enrollment using Security Questions
You can enroll for this authenticator from the web portal or the ADSelfService Plus mobile app. To enroll from the web portal:
- Log into the ADSelfService Plus user portal and go to Enrollment > Security Questions.
- One of these three windows will open:
- Mandatory security questions: Your administrator would have already configured the security questions. All you have to do is provide appropriate answers.

Fig 1: Enrolling with the mandatory security questions configured by your administrator.
- Custom security questions: Configure your own security questions and provide appropriate answers.

Fig 2: Configuring your own custom security questions and answers.
- Select a question from the list: A set of security questions defined by your administrator will be displayed. You choose the questions using which you wish to be authenticated and provide appropriate answers.

Fig 3: Selecting security questions from an administrator-defined list.
- Click Next.
Enrollment using email address (Email verification)
You need not enroll for this authenticator, as your primary email address is imported from AD. If permitted by your administrator, you can also enroll your secondary email address from the ADSelfService Plus web console. You cannot enroll secondary email addresses via the mobile app.
Get verification code via email ID
- Log into the ADSelfService Plus user portal and go to Enrollment > Email verification.
- Enter your email ID.
- Verify the entered email ID by entering the verification code sent to your mail.
- Click Next.

Fig 4: Enrolling for Email Verification by entering your email address and the code.
Enrollment using mobile numbers
Get verification code via SMS (SMS Verification)
- Log into the ADSelfService Plus user portal and go to Enrollment > Mobile Verification.
- Enter your mobile number.
- Verify the entered mobile number by entering the verification code sent to your device.
- Click Next.

Fig 5: Enrolling for SMS Verification by entering your mobile number and the code.
Enrollment using Google Authenticator
Prerequisite:
- Download the Google Authenticator app to your mobile device from the Google Play Store or the Apple App Store.
Enrollment steps:
- Log into the ADSelfService Plus user portal and go to Enrollment > Google Authenticator. A barcode will be displayed.
- Open the Google Authenticator app on your smartphone. Select Scan Barcode and scan the displayed barcode.
- If you're unable to scan the barcode, click the Can't scan it? link. A set of numbers will be displayed.
- On the Google Authenticator app on your mobile, select Manual entry > enter the displayed numbers in the app.
- A one-time-passcode will be generated in the app. Type that value in the Enter the code generated by your authenticator app field.
- Click Next.

Fig 6: Enrolling for Google Authenticator by scanning the displayed QR code.
Enrollment using Microsoft Authenticator
Prerequisite:
- Download the Microsoft Authenticator app to your mobile device from the Google Play Store or the Apple App Store.
Enrollment steps:
- Log into the ADSelfService Plus user portal and go to Enrollment > Microsoft Authenticator. A QR code will be displayed.
- Open the Microsoft Authenticator app on your smartphone. Select Scan QR code and scan the displayed QR code.
- If you're unable to scan the QR code, click the Can't scan it? link. A set of numbers will be displayed.
- On the Microsoft Authenticator app on your mobile, select Add account > Other (Google, Facebook, etc.) > OR ENTER CODE MANUALLY.
- Enter the Account name (something to identify your account, for example, "ADSSP") and type the Secret Key (the set of numbers) displayed in ADSelfService Plus.
- A one-time-passcode will be generated in the app. Type that value in the Enter the code generated by your authenticator app field.

Fig 7: Enrolling for Microsoft Authenticator by scanning the displayed barcode.
Enrollment using Duo Security
- In the ADSelfService Plus’ user portal, go to Enrollment > DUO Security.
- Follow the steps given in the webpage.
- Click Next.

Fig 8: Enrolling for Duo Security by selecting the type of device to add.
Enrollment using the ADSelfService Plus app
Push Notification Authentication
- Log in to the ADSelfService Plus mobile app and click Enrollment > Push Authentication.
- Follow the steps displayed on the webpage.

Fig 9: Enrolling for Push Notification authentication through the mobile app.
Enrollment using Biometric Authentication
- Log in to the ADSelfService Plus mobile app and click Enrollment > Biometric Authentication.
- Follow the steps displayed on the webpage.

Fig 10: Enrolling for Biometric authentication through the mobile app.
Enrollment using QR code Authentication
- Log in to the ADSelfService Plus mobile app and click Enrollment > QR code Authentication.
- Follow the steps displayed on the webpage.

Fig 11: Enrolling for QR code-based authentication through the mobile app.
Enrollment using TOTP Authentication
- Log in to the ADSelfService Plus mobile app and click Enrollment > TOTP Authentication.
- Follow the steps displayed on the webpage.

Fig 12: Enrolling for TOTP authentication through the mobile app.
Enrollment for YubiKey OTP
- Enrolling through a workstation: Plug the YubiKey device into your workstation. Place the cursor in the "The generated code from the YubiKey OTP authenticator is displayed here" field and press or hold the button on the plugged-in YubiKey device, depending on the slot configured. The code will be updated automatically.

Fig 13: Enrolling the YubiKey authenticator through a workstation.
- Enrolling through a mobile device: If you are using a near-field communication (NFC) enabled mobile device, simply tap the YubiKey device against your mobile. Copy the displayed passcode and paste it in the "The YubiKey Authenticator code is updated here" field.

Fig 14: Enrolling the YubiKey authenticator through an NFC-enabled mobile device.
- Click Next.
Enrollment using Zoho OneAuth
Prerequisite:
Install Zoho OneAuth on your mobile device. You can download it from the Google Play Store or the Apple App Store.
Enrollment steps:
- In the ADSelfService Plus' user portal, go to Enrollment > Zoho OneAuth TOTP. A QR code will be displayed.
- Open the Zoho OneAuth app on your phone. Go to Authenticator > OTP Authenticator.
- Click the + and select Scan the QR secret.
- Scan the QR code displayed on the ADSelfService Plus user registration screen.
- If this method fails, click the Can't scan the QR code? link. A secret key will be displayed.
- Open the Zoho OneAuth app on your phone. Select Enter secret manually and enter the secret key in the app.
- A one-time-passcode is generated in the app. Type that value in the Enter the TOTP field in the ADSelfService Plus user registration screen.
- Click Next.

Fig 15: Enrolling for Zoho OneAuth TOTP by scanning the displayed QR code.
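The enrollment flow shared by the Google Authenticator, Microsoft Authenticator and Zoho OneAuth sections above (scan the QR code or type the secret key, then enter the generated code) follows the standard TOTP scheme of RFC 6238. The sketch below is an added illustration, not ADSelfService Plus code; the issuer "ADSSP", the account name "jdoe", the 30-second step, the 6-digit length and the one-step drift window are assumptions.

```python
import base64, hashlib, hmac, secrets, struct
from urllib.parse import parse_qs, quote, urlencode, urlparse

STEP, DIGITS = 30, 6  # assumed values; common RFC 6238 defaults


def new_secret(nbytes=20):
    """Random shared secret, Base32-encoded as authenticator apps expect."""
    return base64.b32encode(secrets.token_bytes(nbytes)).decode().rstrip("=")


def provisioning_uri(secret, account, issuer="ADSSP"):
    """otpauth:// URI that an enrollment QR code encodes (issuer is hypothetical)."""
    query = urlencode({"secret": secret, "issuer": issuer,
                       "digits": DIGITS, "period": STEP})
    return f"otpauth://totp/{quote(issuer + ':' + account)}?{query}"


def secret_from_uri(uri):
    """What the app extracts when it scans the QR code."""
    return parse_qs(urlparse(uri).query)["secret"][0]


def normalize_secret(secret):
    """Manual entry: tolerate spaces and lower case, restore Base32 padding."""
    s = secret.replace(" ", "").upper()
    return s + "=" * (-len(s) % 8)


def totp(secret, at):
    """RFC 6238 code (HMAC-SHA1) for the Unix time `at`."""
    key = base64.b32decode(normalize_secret(secret))
    mac = hmac.new(key, struct.pack(">Q", int(at) // STEP), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F  # dynamic truncation
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{value % 10 ** DIGITS:0{DIGITS}d}"


def confirm_enrollment(secret, submitted, now, drift_steps=1, last_counter=None):
    """Return the time-step counter that matched, or None.

    Accepts a limited amount of clock drift and refuses any counter at or
    below `last_counter`, so a code cannot be replayed within its window.
    """
    current = int(now) // STEP
    for counter in range(max(0, current - drift_steps), current + drift_steps + 1):
        if last_counter is not None and counter <= last_counter:
            continue
        expected = totp(secret, counter * STEP).encode()
        if hmac.compare_digest(expected, submitted.strip().encode()):
            return counter
    return None


if __name__ == "__main__":
    import time
    secret = new_secret()
    print(provisioning_uri(secret, "jdoe"))      # rendered as the QR code
    code = totp(secret_from_uri(provisioning_uri(secret, "jdoe")), time.time())
    print(confirm_enrollment(secret, code, time.time()) is not None)
```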
Enrollment for Custom TOTP authentication
Prerequisite:
Software authenticator: Download the Custom Authenticator app to your workstation, or your mobile device from the Google Play Store or the Apple App Store.
Hardware authenticator: You must possess a hardware TOTP device issued by your organization.
Enrollment steps:
- Log into the ADSelfService Plus user portal.
- Go to Enrollment > Custom TOTP Authenticator.
- Follow the steps displayed on the webpage.
Enrollment for FIDO passkeys
Prerequisite:
- You must have the latest versions of the browsers on your devices to use this authenticator. Contact your administrator if you are not sure.
- If you are facing browser-support issues, please contact your administrator.
Enrollment steps:
- Log into the ADSelfService Plus user portal and click Enrollment > FIDO Passkeys.
- Choose the type of passkey you want to enroll for.
- Suppose you are logged into ADSelfService Plus on a Windows machine and are attempting enrollment from a browser. If you choose Platform Authentication, the Windows machine will verify your identity using Windows Hello.

Fig 16: Verifying your identity with Windows Hello to enroll a FIDO passkey.
- Once verified, you can enroll the Windows Hello authenticator on the machine as a FIDO passkey for MFA.

Fig 17: Naming the Windows Hello authenticator while enrolling it as a FIDO passkey.
- If you choose Security Keys, the authentication mechanism on the Security Key will first verify your identity (for instance, if you are enrolling a YubiKey, you will be prompted to enter the PIN or touch the sensor).

Fig 18: Verifying a security key while choosing it as your FIDO passkey.
- If you are enrolling a smartphone as a Security Key, you will need to use the QR code displayed in the ADSelfService Plus portal for enrollment.
Note: If you are accessing the ADSelfService Plus end-user portal on a smartphone that has already been registered as a Security Key (roaming authenticator), you need to select "Security Key" as the passkey type to authenticate and confirm your identity on the same smartphone.
- Once verified, you will be able to enroll the security key as a FIDO Passkey for MFA.

Fig 19: Naming and enrolling the security key as a FIDO passkey.
- Follow the instructions on the webpage and click Finish to complete enrollment.
Backup verification codes
Backup verification codes are a set of 12-character codes that you can generate and use to verify your identity. There are five backup codes in a set. You can use these codes if you are unable to use your enrolled MFA methods for authentication or you don't have access to your MFA device.
Each code can be used only once for verifying your identity during machine, VPN, or ADSelfService Plus logins, or to perform any self-service actions.
Backup code generation
The MFA backup codes section can be accessed from:
- Enrollment tab: In the ADSelfService Plus user portal, go to Enrollment. Under MFA Recovery Mode, if you are generating backup codes for the first time, select Generate One-Time Use Backup Codes. If you have generated backup codes before, select the Edit icon to view the backup codes or generate new codes.

Fig 20: Generating backup codes from the MFA Recovery section of the Enrollment tab.
- Profile icon: If the Enrollment tab is not available in the ADSelfService Plus user portal, click the profile icon and select MFA Recovery from the profile menu that appears.

Fig 21: Accessing backup codes from the profile icon menu.
- The Generated Backup Verification Codes section will appear. Here, five MFA backup verification codes will be displayed. If you require a new set of codes, click Generate New Codes. The previously displayed set of codes will be invalidated.
- Choose what to do with the generated codes:
- Save as Text: Download the codes as a text file.
- Send Email: Email the backup codes to a specific email address.
- Print: Print a hard copy of the codes.
- Once you have saved the Backup Codes, click Close.

Fig 22: The Generated Backup Verification Codes dialog.
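The properties described above (five 12-character codes per set, each usable once, and a new set invalidating the previous one) can be modelled as follows. This is an added example and not ADSelfService Plus code; the character set, the salted PBKDF2 storage and the class and function names are assumptions made for illustration.

```python
import hashlib, hmac, secrets

CODE_LEN = 12       # from the page: 12-character codes
CODES_PER_SET = 5   # from the page: five codes in a set
ALPHABET = "ABCDEFGHJKLMNPQRSTUVWXYZ23456789"  # assumption: no look-alike characters


def normalize_code(code):
    """Tolerate spaces, dashes and lower case in what the user types."""
    return code.replace(" ", "").replace("-", "").upper()


class BackupCodeStore:
    """Keeps only salted digests, so a leaked store does not reveal usable codes."""

    def __init__(self):
        self._sets = {}  # user -> (salt, set of digests of unused codes)

    @staticmethod
    def _digest(salt, code):
        return hashlib.pbkdf2_hmac("sha256", code.encode(), salt, 100_000)

    def generate(self, user):
        """Create a fresh set; overwriting the entry invalidates the old set."""
        codes = set()
        while len(codes) < CODES_PER_SET:
            codes.add("".join(secrets.choice(ALPHABET) for _ in range(CODE_LEN)))
        salt = secrets.token_bytes(16)
        self._sets[user] = (salt, {self._digest(salt, c) for c in codes})
        return sorted(codes)  # plaintext exists only in this return value

    def redeem(self, user, submitted):
        """True once per valid code; the code is consumed on success."""
        entry = self._sets.get(user)
        if entry is None:
            return False
        salt, unused = entry
        candidate = self._digest(salt, normalize_code(submitted))
        match = None
        for digest in unused:  # compare against every entry in constant time
            if hmac.compare_digest(digest, candidate):
                match = digest
        if match is None:
            return False
        unused.discard(match)
        return True

    def remaining(self, user):
        entry = self._sets.get(user)
        return len(entry[1]) if entry else 0


if __name__ == "__main__":
    store = BackupCodeStore()
    first = store.generate("jdoe")
    print(store.redeem("jdoe", first[0]), store.redeem("jdoe", first[0]))
    store.generate("jdoe")
    print(store.redeem("jdoe", first[1]))  # old set no longer accepted
```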
Offline MFA
Offline MFA ensures that your identity is authenticated and access to your machine is secured even when the ADSelfService Plus server is unreachable. ADSelfService Plus supports offline MFA during local and remote Windows logins and UAC prompts. It uses the following authenticators:
- Google Authenticator
- Microsoft Authenticator
- Custom TOTP authenticator
- Zoho OneAuth TOTP
How do I enroll a particular machine for offline MFA?
Once you successfully complete MFA when connected to the ADSelfService Plus server, based on admin configuration, you will be prompted to enroll for any authenticators required for offline MFA. You will then either be automatically enrolled or prompted to enroll your machine for offline MFA as shown in this image:

Fig 23: Enrolling a machine for Offline MFA.
Click Enroll & Continue to enroll your machine for offline MFA and access your machine. Your machine is now successfully enrolled for offline MFA. The next time the ADSelfService Plus server is unreachable, you can verify your identity using offline MFA and continue using your machine.
How to disenroll from offline MFA
If you do not want to continue using offline MFA on a machine, you can revoke the enrollment information. To do this:
- Log in to the ADSelfService Plus user portal.
- Go to the Enrollment tab and click Manage.

Fig 24: Opening Manage on the Enrollment tab to disenroll a machine.
- Go to the Offline MFA - Enrolled Machines tab. Here, click Disenroll for the machine you want to revoke your offline MFA enrollment from.

Fig 25: Disenrolling a machine from the Offline MFA – Enrolled Machines tab.
- You have now successfully disenrolled the particular machine from offline MFA. Repeat the above steps for all the machines you want to disenroll.