How to enable MFA for privileged accounts

Objective

This article explains how to configure MFA for privileged Active Directory accounts using ADSelfService Plus, in order to prevent unauthorized access and reduce the risk of account compromise. Requiring a second factor for privileged logins protects high-risk users such as IT admins, database administrators, and other accounts with elevated permissions in Active Directory, and it means a stolen password alone is no longer enough to authenticate. By enabling MFA for privileged access, organizations can enforce strict access policies and strengthen protection against credential-based attacks even when passwords are compromised. With multi-factor login for privileged access, you can:

  • Protect administrator accounts: Ensure that even if an administrator's password is stolen, a second factor is required to log in, safeguarding your infrastructure.
  • Secure critical application access: Require MFA for the privileged accounts used to manage sensitive enterprise applications, reducing the risk of data breaches.
  • Strengthen Active Directory security: Harden privileged accounts in your Active Directory environment by enforcing additional authentication steps for users with elevated permissions, thus preventing lateral movement in the network.

Prerequisites

  • Administrative access to the ADSelfService Plus portal.
  • Permissions to manage users, groups, and OUs within your AD.

Steps to follow

Step 1: Create a policy for privileged users

To begin securing your privileged accounts with MFA, create a self-service policy within ADSelfService Plus. To do this:

  1. Navigate to Configuration > Self-Service > Policy Configuration.
  2. Click Add New Policy, and choose the domain, OU, or security group for your privileged user accounts.

    Figure 1: Create a self-service policy for privileged user accounts in ADSelfService Plus.

Step 2: Configure authenticators for MFA

Next, associate stringent authentication methods with your privileged user account policy. For high-risk accounts with privileged access, choose strong authenticators such as biometric authentication, FIDO passkeys, or YubiKey Authenticator.

  1. Navigate to Configuration > Self-Service > Multi-factor authentication > Authenticators Setup.
  2. Configure the authenticators you want to use for privileged-account MFA.
  3. Navigate to MFA for Endpoints.
  4. Select the access point you wish to secure (machine login, VPN, OWA, or enterprise application) and associate the policy created in Step 1.
  5. Configure the number of authentication factors required and the allowed authentication methods.

    Figure 2: Configure authenticators for privileged access MFA.

Step 3: Enroll privileged accounts for MFA

To ensure all privileged user accounts are protected by MFA, you can:

  • Enable forced user enrollment on login.
  • Send enrollment notifications via SMS or email.
  • Bulk enroll users into the product by importing data from CSV files or external databases.

These options are configured under Configuration > Administrative Tools > Quick Enrollment.

Completing this step is crucial for widespread adoption of MFA for privileged accounts: any privileged account that is never enrolled remains a gap in protection.

Figure 3: Enable forced user enrollment for privileged access MFA.
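As an added example (not part of the ADSelfService Plus documentation), the following PowerShell script checks that every privileged AD account is a member of the security group you scoped the policy to in Step 1, so the enrollment step leaves no privileged account uncovered. It assumes the ActiveDirectory RSAT module is installed and uses a placeholder group name, MFA-Privileged-Users, for the policy group.

```powershell
# Added example: report privileged AD accounts that are not members of the group
# scoped to the privileged-user MFA policy. Requires the ActiveDirectory module (RSAT).
Import-Module ActiveDirectory

# Placeholder: replace with the group you selected when creating the policy in Step 1.
$PolicyGroup = 'MFA-Privileged-Users'

# Built-in high-privilege groups; extend this list with your own admin role groups.
$PrivilegedGroups = @(
    'Domain Admins', 'Enterprise Admins', 'Schema Admins', 'Administrators',
    'Account Operators', 'Server Operators', 'Backup Operators'
)

# Collect user accounts that are (transitively) members of any privileged group.
$privileged = @(foreach ($g in $PrivilegedGroups) {
    try {
        Get-ADGroupMember -Identity $g -Recursive -ErrorAction Stop |
            Where-Object { $_.objectClass -eq 'user' }
    } catch {
        Write-Warning "Group '$g' not found or not readable: $_"
    }
})

# Also include accounts still flagged by AdminSDHolder (adminCount=1); this catches
# accounts that were removed from an admin group but never cleaned up.
$privileged += Get-ADUser -LDAPFilter '(adminCount=1)'
$privileged = $privileged | Sort-Object -Property DistinguishedName -Unique

# Transitive user membership of the MFA policy group.
$covered = Get-ADGroupMember -Identity $PolicyGroup -Recursive |
    Where-Object { $_.objectClass -eq 'user' } |
    Select-Object -ExpandProperty DistinguishedName

# Privileged accounts that the policy group (and therefore the MFA policy) does not reach.
$gaps = $privileged | Where-Object { $covered -notcontains $_.DistinguishedName }

if ($gaps) {
    Write-Host "Privileged accounts NOT covered by '$PolicyGroup':" -ForegroundColor Yellow
    $gaps | Get-ADUser -Properties Enabled, LastLogonDate |
        Select-Object SamAccountName, Enabled, LastLogonDate, DistinguishedName |
        Format-Table -AutoSize
} else {
    Write-Host "All $($privileged.Count) privileged accounts are in '$PolicyGroup'." -ForegroundColor Green
}
```

Run it from an account that can read group membership in the domain; disabled accounts in the gap list still matter, since they can be re-enabled without passing through MFA enrollment.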

Authentication methods supported for MFA for privileged accounts

ManageEngine ADSelfService Plus supports a wide range of authentication methods to implement robust MFA for privileged accounts:

  1. Security question and answer
  2. Email verification
  3. SMS verification
  4. Google Authenticator
  5. Microsoft Authenticator
  6. Microsoft Entra ID MFA
  7. Duo Security
  8. RSA SecurID
  9. RADIUS authentication
  10. Push notification authentication
  11. Biometric authentication
  12. FIDO passkeys
  13. QR code authentication
  14. TOTP authentication
  15. SAML authentication
  16. AD security questions
  17. YubiKey authentication
  18. Zoho OneAuth TOTP
  19. Smart card authentication
  20. Custom TOTP authenticator

Related topics and articles

2FA for Windows logins

How to secure privileged accounts with adaptive MFA

MFA for Active Directory accounts

Enable MFA for privileged user accounts using ADSelfService Plus
