Gartner recommended critical IAM capabilities in ADSelfService Plus

• User authentication methods: Avoid impersonation attacks using biometrics and other advanced authentication methods. Step up your security by implementing MFA to access endpoints and applications.
• Adaptive authentication: Enforce risk-based adaptive authentication using factors such as user location, IP address, time of previous logon, or device footprint.
• SaaS application enablement: Set up SAML 2.0-based SSO for hundreds of enterprise SaaS applications, like Salesforce, ServiceNow, and Slack.
• Approval-based workflows*: Build purpose-oriented business workflows. Create the required levels of approval by including the rights of the stakeholders. Define the approval flows for business processes, such as user account creation, modification, or permissions management.

• A web browser using the ADSelfService Plus user portal.
• The logon screens of Windows, macOS, and Linux machines using the ADSelfService Plus login agent.
• A mobile device using the ADSelfService Plus mobile app or mobile browser portal.

What you get:

• Empowers users to reset their passwords and unlock their accounts to help reduce the number of help desk tickets and unburdening help desk personnel. It also improves user productivity as passwords can be reset and accounts can be unlocked swiftly.

• Reduce the number of logins performed by the user by enabling enterprise SSO for Security Assertion Markup Language (SAML) applications like Google Workspace, Microsoft 365, and Salesforce.

What you get:

• Users can use a single password to log in to and access multiple enterprise applications. This makes handling application accounts easier for them.

• This feature allows users to synchronize their AD domain password across their user accounts in integrated on-premises and cloud applications like Microsoft SQL Server, ADFS, Microsoft 365, Google Workspace, and Salesforce.

What you get:

• Any changes to the domain password results in the changes being reflected across the integrated applications as well.

• Self-service password reset and account unlock
• Local and remote machine (Windows, macOS, and Linux), and VPN logins.
• SSO for enterprise applications.
• ADSelfService Plus portal logins.

The product supports up to 18 authentication techniques including biometrics, Google Authenticator, Microsoft Authenticator, time-based one-time password (TOTP), and Security Questions and Answers.

What you get:

• Even if attackers misappropriate users' credentials, they still need to complete the successive stages of authentication to gain access to the resource rendering the exposed passwords useless.

• Password expiration notifications can be sent through email and SMS, or as push notifications. The product allows sending multiple reminder notifications on specific days leading to the expiration.

What you get:

• Notify users about their impending domain password expiration and remind them to change their passwords before they lose access to their machines.

• Mandatory inclusion of Unicode characters.
• Restriction of character repetition of consecutive characters from usernames and old passwords.
• Restriction on the usage of weak passwords, dictionary words, and palindromes.

What you get:

• Users can be required to adhere to these policies strictly, thereby preventing them from setting weak passwords that may jeopardize the security of an organization.

• Automate access decisions to organizational resources using risk factors such as IP address, time of access, the device used, and the user's geolocation.

What you get:

• IT admins can set pre-defined conditions based on these risk factors that provide users with complete and unrestricted access, limited access, or no access to the resource.

• Allow users to update their AD profile information like email address and mobile number without IT admin intervention. IT admins can also create modification rules that auto-populate values for certain attributes based on other attribute values provided.

What you get:

• This helps decrease the help desk workload while improving user productivity.

• Allow users to search for information on other users (users, contacts, and groups) in the organization, and view the Organization Chart that displays all the employees in the organizational hierarchy.

What you get:

• This helps users discover details about other users from a single portal.

• Provide users with the ability to subscribe themselves to organizational email groups.

What you get:

• This lets users get access to the email groups they need without help desk assistance.

ADSelfService Plus login agent

• The ADSelfService Plus login agent is software which, when installed on Windows, macOS, and Linux domain computers, provides users with the option to reset Active Directory passwords and unlock accounts from their login screen. Installing the login agent also enables endpoint MFA for Windows, macOS, and Linux logons.
• The login agent can either be pushed onto the client computers using the admin portal, Active Directory GPOs, Microsoft System Center Configuration Manager (SCCM), third-party endpoint management solutions like ManageEngine Desktop Central, or be installed manually.

ADSelfService Plus password sync agent

• The ADSelfService Plus password sync agent synchronizes native password changes (password changes using the Ctrl+Alt+Del option, and password resets using the Active Directory Users and Computers console) across all the enterprise applications that are integrated with ADSelfService Plus for password synchronization. It is also used to enforce the customized password policy created in ADSelfService Plus during these native password changes. The Password Sync Agent has to be installed on all the domain controllers in a configured domain.

ADSelfService Plus mobile application

The ADSelfService Plus mobile app lets domain users perform AD password resets and account unlocks using their mobile device. It enables users to enroll themselves for certain MFA methods. The mobile app is also used to receive push notifications for:

• Notifying users upon successful completion of self-service actions
• Informing users of impending password and account expiration
• Distributing enrollment reminders

With the app, users can also authenticate themselves using a MFA method like time-based one-time-passcode, push notifications, fingerprint-based, and QR codes. The mobile app can be either manually installed by users or pushed to mobile devices by the IT administrator.

Integrate with enterprise applications

• Through password synchronization and single sign-on, ADSelfService Plus integrates with various enterprise applications such as Google Workspace, Salesforce, Microsoft 365 (formerly Office 365), and Dropbox. When password synchronization is enabled, any change to users' domain passwords is synchronized across all the integrated applications, enabling the user to access all of them with a single password. In the case of SSO, if the user has logged into their ADSelfService Plus account, they are automatically logged into these cloud applications without having to furnish their user credentials.

VPN server and Network Policy Server

• To secure your VPNs using ADSelfService Plus' MFA feature, the VPN server should use a Windows Network Policy Server (NPS) to configure RADIUS authentication, and the ADSelfService Plus NPS extension has to be installed in the NPS. This extension mediates between the NPS and ADSelfService Plus to enable MFA during VPN connections.