Pricing  Get Quote

How do you enable conditional access in ADSelfService Plus?

ADSelfService Plus' Conditional Access feature helps organizations manage access to their IT environment without admin intervention. Access control decisions are automatically made based on users' IP address, device, time of access, and geolocation.

Conditional access can be used to allow or restrict access for:

  • Endpoint MFA during local and remote logins into the Active Directory domains.
  • Self-service features (e.g., self-service password reset, self-service account unlock, and directory self-update).
  • Single sign-on for enterprise applications.

This helps organizations improve their security posture without affecting the user experience.

How to configure conditional access rules

Implementing conditional access involves configuring conditional access rules. A conditional access rule is configured using three building blocks:

  • Conditions: These are basics based on which the access will be controlled. ADSelfService Plus provides you an option to control access based on IP address, device, time of access, and geolocation conditions.
  • Criteria: The conditions configured can be used to formulate criteria using Boolean operators such as AND, OR, and NOT.
  • Associated self-service policy: Self-service policies in ADSelfService Plus govern which features users can utilize. These policies allow you to configure how features should work for different sets of users based on their OU and group membership. By associating the conditions and criteria with one or more self-service policies, you configure a conditional access rule.

Steps to configure conditional access rules

Step 1. Configuring a self-service policy

  1. Navigate to the Configuration tab.
  2. Click the Add New Policy button on the bottom-right side of the page.
  3. Enter an appropriate Policy Name.
  4. From the list of self-service features provided, select features for your user base. You need to select at least one self-service feature.
  5. Click the Select OU(s)/Groups button.
  6. Select the domain that the policy will be applied to. Here you have a choice; you can either apply the policy to all users in the selected domain or only to specific users based on their OU or group membership.
  7. Click OK.
  8. Click Save Policy.

    How do you enable conditional access in ADSelfService Plus?

Note: You can also associate self-service policies with other capabilities, like MFA, SSO, and password synchronization, to ensure users under the policy have access to those features.

Step 2. Configuring conditions

  1. Navigate to Configuration > Self-Service > Conditional Access > Rule configuration.
  2. Click Configure New Conditional Access (CA) Rule.

    How do you enable conditional access in ADSelfService Plus?

  3. Enter a CA Rule Name and Description.
  4. Configure any of the four conditions with these steps:
    • IP Address
      • Select the check boxes next to the necessary IP address types:
        • Static IPs: For users who connect to your network directly through their client computers
        • Proxy Server IPs: For users who connect through a proxy server
        • VPN IP address: For users who connect through a VPN server
          Note: If you have enabled all three types of IPs, the following rule applies: (Static IPs AND Proxy IPs) OR VPN IPs.
      • Select whether to trust or not trust the entered IPs. Trusted IPs will be allowed access, and untrusted IPs will be blocked.
      • For Static IPs, enter the range of IP addresses in the IP Range fields. Use the + icon to add more IP ranges. You can also enter individual IPs and use * as the wildcard character for selecting a whole class of IP.
    • Device
      • Select the Computers check box and then click the + icon.
      • In the Select Client Computer dialog box that opens, select the domain and then the computer objects. Click OK.
      • Select the Platforms check box and then use the drop-down to select the platforms. You can choose from Windows, macOS, Linux, mobile web app, and native mobile app.
    • Business Hours
      • Select the Business Hours check box.
      • Select Business hours or Non-business hours according to your requirements.
      • From the Day and Time range provided, configure your business or non-business hours.
        Note: The time will be applied based on the time zone of the solution configured in Admin → Personalize → Time Zone settings.
    • Geolocation
      • Select the Geolocation check box.
      • Select the Countries from the drop-down.
        Note: A geolocation-based condition relies on the user's IP address to determine their location. That means only access from public IP addresses will be evaluated. Users with private IP addresses will fail this condition.

    How do you enable conditional access in ADSelfService Plus?

Step 3. Creating criteria

After configuring the conditions, Criteria can be formulated using operators like AND, OR, and NOT. This criteria will decide how the different conditions will be evaluated to determine the access request's result. Each condition is assigned a number: IP Address is 1, Device is 2, Business hours is 3, and Geolocation is 4. You can use these numbers and operators to create the criteria.

For example, 1 AND (2 OR 3) and 1 AND (3 OR (NOT 4))

Step 4. Assigning rules

  1. Go to Configuration > Self-Service > Conditional Access > Rule assignment.
  2. Select the rule that you want to assign from the drop-down.
  3. Select the policy you want to assign this rule to.
    Note: The policy will be assigned to a rule-satisfying user only if they originally belong to the group, organizational unit, or domain the self-service policy was created for.
  4. Allow or block NTLM SSO and ADSelfService Plus portal access. These settings will be applicable wherever the selected rule is satisfied.
    Note: The option to allow or block NTLM SSO will be enabled only if NTLM authentication is configured under Admin > Customize > Login Settings > Single Sign-On.

    How do you enable conditional access in ADSelfService Plus?

Prioritizing conditional access rules

In case you create multiple conditional access rules, you can prioritize them so that the high priority rule gets applied first.

To prioritize the rules:

  1. From the Conditional Access configuration page, click the change priority icon in the top-right corner (next to the Configure New Conditional Access (CA) Rule button).
  2. All the configured conditional access rules will be listed. Drag and rearrange them based on your requirements. The rule at the top will be given the highest priority.

Editing or deleting the conditional access rules

A conditional access rule can be modified to change the conditions or criteria, copied to create a new rule, disabled, or deleted.

  1. Go to the Conditional Access configuration page. The configured conditional access rules will be displayed in a table.
  2. Under the Actions column, click on an icon based on the action you want to perform.
    • Toggle the icon-enable and icon-disable icons to enable or disable a rule. If there is a ☑ icon, it means the rule is enabled, and if there is a ☒ icon, it means the rule is disabled.
    • Click the icon-edit icon to modify the rule.
    • Click the icon-copy icon to copy the rule and create a new rule from it.
    • Click the icon-delete icon to delete a rule.

Request for Support

Need further assistance? Fill this form, and we'll contact you rightaway.

  • Name
  • Business Email *
  • Phone *
  • Problem Description *
  • Country
  • By clicking 'Submit' you agree to processing of personal data according to the Privacy Policy.

Password self-service

Free Active Directory users from attending lengthy help desk calls by allowing them to self-service their password resets/ account unlock tasks. Hassle-free password change for Active Directory users with ADSelfService Plus ‘Change Password’ console. 

One identity with Single sign-on

Get seamless one-click access to 100+ cloud applications. With enterprise single sign-on, users can access all their cloud applications with their Active Directory credentials. Thanks to ADSelfService Plus! 

Password/Account Expiry Notification

Intimate Active Directory users of their impending password/account expiry by mailing them these password/account expiry notifications.

Password Synchronizer

Synchronize Windows Active Directory user password/account changes across multiple systems, automatically, including Office 365, G Suite, IBM iSeries and more. 

Password Policy Enforcer

Ensure strong user passwords that resist various hacking threats with ADSelfService Plus by enforcing Active Directory users to adhere to compliant passwords via displaying password complexity requirements.

Directory Self-UpdateCorporate Search

Portal that lets Active Directory users update their latest information and a quick search facility to scout for information about peers by using search keys, like contact number, of the personality being searched.

ADSelfService Plus trusted by

Embark on a journey towards identity security and Zero Trust