Pricing  Get Quote
 
 

How do you enable conditional access in ADSelfService Plus?

ADSelfService Plus' Conditional Access feature helps organizations manage access to their IT environment without admin intervention. Access control decisions are automatically made based on users' IP address, device, time of access, and geolocation.

Conditional access can be used to allow or restrict access for:

  • Endpoint MFA during local and remote logins into the Active Directory domains.
  • Self-service features (e.g., self-service password reset, self-service account unlock, and directory self-update).
  • Single sign-on for enterprise applications.

This helps organizations improve their security posture without affecting the user experience.

How to configure conditional access rules

Implementing conditional access involves configuring conditional access rules. A conditional access rule is configured using three building blocks:

  • Conditions: These are basics based on which the access will be controlled. ADSelfService Plus provides you an option to control access based on IP address, device, time of access, and geolocation conditions.
  • Criteria: The conditions configured can be used to formulate criteria using Boolean operators such as AND, OR, and NOT.
  • Associated self-service policy: Self-service policies in ADSelfService Plus govern which features users can utilize. These policies allow you to configure how features should work for different sets of users based on their OU and group membership. By associating the conditions and criteria with one or more self-service policies, you configure a conditional access rule.

Steps to configure conditional access rules

Step 1. Configuring a self-service policy

  1. Navigate to the Configuration tab.
  2. Click the Add New Policy button on the bottom-right side of the page.
  3. Enter an appropriate Policy Name.
  4. From the list of self-service features provided, select features for your user base. You need to select at least one self-service feature.
  5. Click the Select OU(s)/Groups button.
  6. Select the domain that the policy will be applied to. Here you have a choice; you can either apply the policy to all users in the selected domain or only to specific users based on their OU or group membership.
  7. Click OK.
  8. Click Save Policy.
Note: You can also associate self-service policies with other capabilities, like MFA, SSO, and password synchronization, to ensure users under the policy have access to those features.

Step 2. Configuring conditions

  1. Navigate to Configuration → Self-Service → Conditional Access.
  2. Click Configure New Conditional Access (CA) Rule.
  3. Enter a CA Rule Name and Description.
  4. Configure any of the four conditions with these steps:
    • IP Address
      • Select the checkboxes next to the necessary IP address types:
        • Static IP: For users who connect to your network directly through their client computers.
        • Proxy Server IP: For users who connect through a proxy server.
        • VPN IP: For users who connect through a VPN server.
          Note: If you have enabled all three types of IPs, the following rule applies: (Static IPs AND Proxy IPs) OR VPN IPs
      • Select whether to trust or untrust the entered IPs. Trusted IPs will be allowed access, and untrusted IPs will be blocked.
      • For Static IPs, enter the range of IP addresses in the IP Range fields. Use the + icon to add more IP ranges. You can also enter individual IPs and use * as the wildcard character for selecting a whole class of IP.
    • Device
      • Select the Computers checkbox and then click the + icon.
      • In the Select Client Computer dialog box that opens, select the domain and then the computer objects. Click OK.
      • Select the Platforms checkbox and then use the drop-down to select the platforms. You can choose from Windows, macOS, Linux, mobile web app, and native mobile app.
    • Business Hours
      • Select the Business Hours checkbox.
      • Select Business hours or Non-business hours according to your requirements.
      • From the Day and Time range provided, configure your business or non-business hours.
        Note: The time will be applied based on the time zone of the solution configured in Admin → Personalize → Time Zone settings.
    • Geolocation
      • Select the Geolocation checkbox.
      • Select the Countries from the drop-down.
        Note: A geolocation-based condition relies on the user's IP address to determine their location. That means only access from public IP addresses will be evaluated. Users with private IP addresses will fail this condition.

Step 3. Creating criteria

After configuring the conditions, Criteria can be formulated using operators like AND, OR, and NOT. This criteria will decide how the different conditions will be evaluated to determine the access request's result. Each condition is assigned a number: IP Address is 1, Device is 2, Business hours is 3, and Geolocation is 4. You can use these numbers and operators to create the criteria.

For example, 1 AND (2 OR 3) and 1 AND (3 OR (NOT 4))

Step 4. Associating a rule with self-service policies

In the Associate Policies drop-down, select the self-service policies that will be applied to users who pass the criteria.

Finally, click Configure to create the conditional access rule.

Prioritizing conditional access rules

In case you create multiple conditional access rules, you can prioritize them so that the high priority rule gets applied first.

To prioritize the rules:

  1. From the Conditional Access configuration page, click the change priority icon in the top-right corner (next to the Configure New Conditional Access (CA) Rule button).
  2. All the configured conditional access rules will be listed. Drag and rearrange them based on your requirements. The rule at the top will be given the highest priority.

Editing or deleting the conditional access rules

A conditional access rule can be modified to change the conditions or criteria, copied to create a new rule, disabled, or deleted.

  1. Go to the Conditional Access configuration page. The configured conditional access rules will be displayed in a table.
  2. Under the Actions column, click on an icon based on the action you want to perform.
    • Toggle the icon-enable and icon-disable icons to enable or disable a rule. If there is a ☑ icon, it means the rule is enabled, and if there is a ☒ icon, it means the rule is disabled.
    • Click the icon-edit icon to modify the rule.
    • Click the icon-copy icon to copy the rule and create a new rule from it.
    • Click the icon-delete icon to delete a rule.

 

Request Support

Need further assistance? Fill this form, and we'll contact you rightaway.

Highlights

Password self-service

Free Active Directory users from attending lengthy help desk calls by allowing them to self-service their password resets/ account unlock tasks. Hassle-free password change for Active Directory users with ADSelfService Plus ‘Change Password’ console. 

One identity with Single sign-on

Get seamless one-click access to 100+ cloud applications. With enterprise single sign-on, users can access all their cloud applications with their Active Directory credentials. Thanks to ADSelfService Plus! 

Password/Account Expiry Notification

Intimate Active Directory users of their impending password/account expiry by mailing them these password/account expiry notifications.

Password Synchronizer

Synchronize Windows Active Directory user password/account changes across multiple systems, automatically, including Office 365, G Suite, IBM iSeries and more. 

Password Policy Enforcer

Ensure strong user passwords that resist various hacking threats with ADSelfService Plus by enforcing Active Directory users to adhere to compliant passwords via displaying password complexity requirements.

Directory Self-UpdateCorporate Search

Portal that lets Active Directory users update their latest information and a quick search facility to scout for information about peers by using search keys, like contact number, of the personality being searched.

ADSelfService Plus trusted by

A single pane of glass for complete self service password management