Advanced Settings
The Advanced tab in ADSelfService Plus gives administrators granular control over the behavior of MFA across all endpoints and self-service operations. Using these settings, you can fine-tune idle time limits, trusted device durations, enrollment enforcement, backup verification codes, and security question behavior — all at a per-policy level.
Prerequisites
- The Professional edition of ADSelfService Plus with Endpoint MFA is required for configuring machine, OWA, and VPN logins.
- You must have administrator access to the ADSelfService Plus portal.
- At least one self-service policy must be configured before applying advanced settings.
Limitation
- ADSelfService Plus' mobile app-based authenticators (Biometric Authentication, QR Code-based authentication, TOTP authentication, Push Notification authentication) are not supported for enrollment during password resets or account unlocks.
Configuration instructions
To access Advanced Settings:
- Log in to the ADSelfService Plus admin portal.
- Ensure Active Directory is selected from the directory drop-down at the top-left, and navigate to Configuration > Self-Service > Multi-Factor Authentication.
- From the Choose the Policy drop-down, select the policy you want to configure.
- Click Advanced.
General

CAPTCHA Settings
- Hide CAPTCHA in: Hide the CAPTCHA on second-factor authentication pages by selecting the relevant pages from the drop-down.
MFA Recovery
- Enable MFA Backup Verification Codes: Enable this setting to allow end users to prove their identity using a backup code when their MFA device or authenticator is unavailable.
About backup codes: These one-time-use codes allow users to authenticate when their MFA device is unreachable or enrolled methods are unavailable. Once enabled, backup codes can be generated by the user from the ADSelfService Plus end-user portal (five codes at a time), or by the admin from the Enrolled Users Report. Each code can only be used once.
- Users can use backup codes during VPN logins only when RADIUS challenge-response-based authentication methods are used for VPN MFA.
- During VPN MFA, the generated backup code can be entered in the field provided for one-time passcodes at the VPN client.
- When identity verification is performed using backup codes, the Trust this browser and Trust this machine options will not be considered.
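The one-time-use semantics described above, as an added example that is not ADSelfService Plus code: a batch of five codes is issued, each code verifies exactly once, and a backup-code verification does not grant the "Trust this browser" or "Trust this machine" exemption. The 8-digit numeric format, hashed storage and the rule that a new batch replaces the old one are this example's assumptions, not documented product behaviour.

```python
"""Added example (not ADSelfService Plus code): one-time backup verification codes."""
import hashlib
import secrets

CODES_PER_BATCH = 5      # five codes at a time, as the page states
CODE_DIGITS = 8          # assumption: the page does not state the code format


def generate_backup_codes(count=CODES_PER_BATCH, digits=CODE_DIGITS):
    """Return `count` random numeric codes drawn from a CSPRNG."""
    return [f"{secrets.randbelow(10 ** digits):0{digits}d}" for _ in range(count)]


def _digest(user, code):
    # Store only a hash so a read of the store does not reveal live codes.
    return hashlib.sha256(f"{user}:{code}".encode("utf-8")).hexdigest()


class BackupCodeStore:
    """In-memory store of the unused backup-code digests for each user."""

    def __init__(self):
        self._unused = {}   # user -> set of digests still valid

    def issue(self, user):
        """Generate a fresh batch; the plaintext codes are shown to the user once."""
        codes = generate_backup_codes()
        # Assumption: issuing a new batch invalidates any codes left from an earlier one.
        self._unused[user] = {_digest(user, c) for c in codes}
        return codes

    def remaining(self, user):
        """Number of codes the user can still redeem."""
        return len(self._unused.get(user, ()))

    def redeem(self, user, code):
        """Verify `code` for `user`; a code that verifies is consumed immediately."""
        digest = _digest(user, code.strip())
        pool = self._unused.get(user, set())
        if digest not in pool:
            return {"verified": False}
        pool.discard(digest)            # one-time use: remove before reporting success
        # The page notes that trust options are not considered for backup-code logins.
        return {"verified": True, "trust_allowed": False}
```

The store keeps only digests, so an operator reading the Enrolled Users Report equivalent of this table cannot reuse a code; the plaintext exists only in the list returned by `issue`.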
Reset/Unlock MFA

MFA for password resets
- Restrict the MFA idle time during password resets to __ minute(s): Sets a time limit for users to complete identity verification during password resets. The idle timer resets with every verification attempt or action such as choosing authenticators.
- Deny users from performing password resets when partially enrolled: When enabled, users who have only partially completed enrollment will not be allowed to reset their passwords until they complete the enrollment process. If disabled, partially enrolled users will be forced to complete enrollment after authentication.
- Force users to enroll for authenticators enabled for other endpoints after successful authentication: Ensures users enroll with all required authenticators — not only for password resets, but also for machine, VPN, OWA, and application logins. Enrollment is also enforced for authenticators set as mandatory in the MFA Enrollment tab.
MFA for account unlocks
- Restrict the MFA idle time during account unlocks to __ minute(s): Sets a time limit for users to complete identity verification during account unlocks. The idle timer resets with every verification attempt or action.
- Deny users from unlocking accounts when partially enrolled: When enabled, users who have only partially completed enrollment will not be allowed to unlock their accounts until they complete the enrollment process.
- Force enrollment post successful MFA for authenticators selected for other endpoints: Ensures users enroll with all required authenticators — not only for account unlocks, but also for machine, VPN, OWA, and application logins.
Endpoint MFA
Machine Login MFA
The Machine Login MFA section gives admins granular control over MFA prompts for machines on the network.

- Enable MFA for <drop-down>: Enables MFA for interactive logins, User Account Control (UAC), and machine unlocks.

- Interactive login: MFA is required during GUI-based logins on Windows machines.
- User Account Control: MFA is required for all UAC credential prompts. Compatible with Windows 7 and above and Windows Server 2008 and above. Supported in login agent version 5.10 and above.
- Machine unlocks: MFA is enforced when unlocking Windows machines.
- Enable MFA for Remote Desktop access during:

- RDP server authentication: All incoming RDP connections to machines with the login agent installed will require MFA.
- RDP client authentication: All outgoing RDP connections via Windows Remote Desktop application (mstsc.exe) will require MFA. Supported in login agent version 5.10 and above, on Windows 7 and above and Windows Server 2008 R2 and above. Requires network-level authentication to be enabled. You can enable network-level authentication via Group Policy by navigating to Windows Components > Remote Desktop Services > Remote Desktop Session Host > Security.
- To require MFA for Remote Desktop connections in a multi-forest AD environment, there must be a trust relationship between the two domains. Domain trusts can be added between forests either through a forest trust (a trust relationship at the forest level) or through an external trust (a trust relationship at the domain level). For steps to configure a trust relationship, please refer to this document.
- The Machine Login MFA process can be idle for __ min: Sets a time limit for users to complete the MFA process for machine logins.
- Skip MFA when the ADSelfService Plus server is down or unreachable: Allows users to bypass MFA if the server is unreachable. Not recommended; deploy offline MFA to avoid this scenario. Not applicable when offline MFA is configured and the user is enrolled, or when machine-based MFA is enforced.
- Keep a machine trusted for __ day(s): Users who have completed MFA once can skip MFA for subsequent logins for the specified number of days.
- Keep the 'Trust this machine' option selected by default: Keeps the Trust this machine checkbox pre-selected on the MFA screen.
- __ if the user is not enrolled in MFA: Determines the authentication flow for unenrolled users.
- Allow logins: The user can bypass machine login MFA.
- Deny logins: The user is restricted from access.
- Force enrollment: The user is forced to enroll after successful primary authentication (Windows and macOS only).
- Authenticators required for both online and offline MFA will be considered collectively, so if the user isn't enrolled for any of the authenticators required for both online and offline MFA, they will be considered not enrolled. Alternatively, if they are enrolled for at least one authenticator required for either of these login methods, they're considered partially enrolled.
- This setting applies only for users that are not enrolled. It does not apply to partially enrolled users; partially enrolled users will instead be forced to enroll for the remaining authenticators after completing MFA using the enrolled authenticators.
- If authenticators that users cannot enroll themselves for—such as custom hardware TOTP tokens and AD security questions—are selected, they will be denied access even if force enrollment is enabled as only the admin can enroll them.
- When machine-based MFA is enforced, this setting is overridden and users who haven't enrolled for any of the authenticators will be denied access to the machine, and partially enrolled users will be forced to enroll for the remaining authenticators required.
- Restrict users from performing offline MFA after _ days/attempts: Limits offline MFA to a specified number of days or attempts, after which users must reconnect to the ADSelfService Plus server.
Note: Offline MFA requires the Professional edition of ADSelfService Plus with Endpoint MFA.
- Set a value appropriate to your organization's requirements; a value lower than required could leave users stranded without access to the machine.
- It is recommended that you enable this setting: changes to the self-service policy, MFA configuration, advanced settings, and offline MFA enrollment reach an enrolled user's machine only after that user completes MFA while online.
- This limit will be reset when the particular user performs online authentication on the specific machine.
- Force the user to enroll their device for offline MFA after successful online authentication: Automatically enrolls the machine for offline MFA after the user completes online MFA.
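The enrollment-state and login-outcome rules given above for the "__ if the user is not enrolled in MFA" setting, written out as a decision function so the precedence of the options (machine-based MFA enforcement, partial enrollment, admin-only authenticators) can be checked. This is an added example, not ADSelfService Plus code; the authenticator names are constructed labels, and the two admin-only authenticators are the ones the page names.

```python
"""Added example (not ADSelfService Plus code): machine login MFA enrollment rules."""
from enum import Enum

# Authenticators a user cannot self-enroll for (page: custom hardware TOTP tokens,
# AD security questions); names are this example's labels.
ADMIN_ONLY = {"hardware_totp", "ad_security_questions"}


class Enrollment(Enum):
    NOT_ENROLLED = "not enrolled"
    PARTIAL = "partially enrolled"
    ENROLLED = "enrolled"


def enrollment_state(required_online, required_offline, enrolled):
    """Authenticators required for online and offline MFA are considered collectively."""
    required = set(required_online) | set(required_offline)
    have = required & set(enrolled)
    if not have:
        return Enrollment.NOT_ENROLLED
    return Enrollment.ENROLLED if have == required else Enrollment.PARTIAL


def machine_login_outcome(required_online, required_offline, enrolled,
                          unenrolled_setting, machine_mfa_enforced=False):
    """unenrolled_setting is the '__ if the user is not enrolled in MFA' choice:
    'allow', 'deny' or 'force_enroll'. Returns what happens after primary auth."""
    required = set(required_online) | set(required_offline)
    state = enrollment_state(required_online, required_offline, enrolled)
    if state is Enrollment.ENROLLED:
        return "mfa"
    if state is Enrollment.PARTIAL:
        # The unenrolled setting does not apply; the remaining authenticators
        # are enrolled after MFA with the ones already enrolled.
        return "mfa_then_enroll_remaining"
    if machine_mfa_enforced:
        return "deny"                       # overrides the setting for unenrolled users
    if unenrolled_setting == "allow":
        return "login_without_mfa"
    if unenrolled_setting == "deny":
        return "deny"
    if unenrolled_setting == "force_enroll":
        if required & ADMIN_ONLY:
            return "deny"                   # user cannot complete enrollment alone
        return "force_enroll"
    raise ValueError(f"unknown setting {unenrolled_setting!r}")
```

Running the function over the policy's required authenticator sets before rollout shows which users would be denied outright, which is the case to watch when an admin-only authenticator is in the required set.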
OWA Login MFA

- Restrict the MFA idle time during OWA logins to __ min: The user session will expire if the user is idle for the specified time interval.
- Skip MFA when the ADSelfService Plus server is down or unreachable: Allows users to access OWA when the server is unreachable. Be aware, however, that enabling this option means forgoing the security layer of MFA whenever the ADSelfService Plus server is down or unreachable, which is not recommended. To avoid such situations, deploy ADSelfService Plus with failover or load balancing.
To do so:
Step 1: Open the Registry Editor (type regedit in the Run dialog box) on the machine on which the OWA Connector is installed.
Step 2: Navigate to Computer\HKEY_LOCAL_MACHINE\SOFTWARE\ZOHO Corp\ADSelfService Plus IIS MFA Module.
Step 3: Set the BypassMFAOnConnectionError property to TRUE or FALSE, depending on whether you want MFA to be bypassed if any connection issues are present during authentication.
It is recommended to take a backup of the registry key before editing it. Only members of the built-in local administrator group on the computer will have the privilege to edit this key.
- Expire trust for a browser after __ days: Users who complete MFA once can skip MFA for subsequent OWA logins from the same browser for the specified number of days.
- Keep the "Trust this browser" option selected by default: Keeps the Trust this browser checkbox pre-selected on the MFA screen.
- Skip MFA when the user is not enrolled for the required authenticators: If disabled, non-enrolled users cannot log into OWA. If enabled, MFA is skipped for non-enrolled users. Recommended to disable once all users are enrolled.
VPN Login MFA

- Keep the VPN MFA session valid for <number> minutes: Sets a time limit for the second factor of authentication during VPN login. For instance, if you set this to two minutes, users have to enter the code or approve the notification, as per the authentication method enabled, within two minutes.
- The VPN login MFA process can be idle for <number> minutes: This idle time cannot exceed the secure link's expiration time (30 minutes by default).
- Skip MFA when the ADSelfService Plus server is down or unreachable: Allows VPN access when the server is unreachable. Enforced across all policies.
To do so:
Step 1: Open the Registry Editor (type regedit in the Run dialog box) on the machine on which the NPS Extension is installed.
Step 2: Navigate to HKEY_LOCAL_MACHINE\SOFTWARE\ZOHO Corp\ADSelfService Plus NPS Extension.
Step 3: Set the BypassMFAOnConnectionError property to TRUE or FALSE, depending on whether you want MFA to be bypassed if any connection issues are present during authentication.
It is recommended to take a backup of the registry key before editing it. Only members of the built-in local administrator group on the computer will have the privilege to edit this key.
- Skip MFA when the user is not enrolled for the required authenticators:
- VPN Client Verification:
- If this option is enabled, MFA will be skipped for non-enrolled users.
- If this option is disabled, non-enrolled users will not be able to log into their VPN.
- SecureLink Email Verification:
- If this option is enabled, MFA will be skipped for non-enrolled users. A partially enrolled user must complete MFA with the authenticators they have enrolled for; after successful verification, they are forced to complete enrollment for the authenticators used for MFA via SecureLink Email Verification.
- A user without a valid primary or secondary email address is considered not enrolled.
- Enable this option to avoid users being unable to access their VPN because they are not enrolled for the required authenticators. Be aware, however, that it permits logins without satisfying the authenticators mandated by the policy, so disable it once all users in this policy are enrolled for MFA.
- If this option is disabled, non-enrolled users will not be able to log into their VPN. Partially enrolled users will be considered non-enrolled.
- Send additional attributes as a response to the VPN server after successful MFA: Enable this option to send additional attributes to the VPN server or other RADIUS endpoints. The attributes are sent only after successful MFA; the VPN server can use them to determine each user's level of access or for other purposes. The full list of supported attributes is available in your VPN vendor's documentation.
Configuring additional attributes
- If you try to enable this feature before configuring the attributes, you will be shown a pop-up to configure them. Click OK. You can also click the Configure Attributes link.
- You can configure RADIUS standard or vendor-specific attributes and their values to be sent to the VPN providers (other RADIUS endpoints).

- Enter the Vendor ID by clicking the Edit button. The Vendor ID is the unique number that denotes your VPN provider. For example, if using Fortigate, the Vendor ID is 12356.
- Choose the Type of attribute and enter the Attribute Number, Format, and Value in the fields displayed.
- For attributes in the string format, the value is a character string; for attributes in the int format, the value must be an integer.
- For enum attributes, which contain multiple predefined values, provide the desired value in terms of their associated integers. For example, if you wish to use Login as the service-type attribute, enter 1 in the Value field.
- In case attributes are in the IPv4 or IPv6 address formats, please provide a valid IP address in the Value field.
- For example, your IPv4 address can look like 10.1.1.1, and your IPv6 address can look like 2001:0db8:85a3::8a2e:0370:7334.
- Click OK after configuring all the attributes you require.
- Once successfully configured, the Send additional attributes as a response to the VPN server after successful completion of MFA setting will be enabled.
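What the attributes configured above look like on the wire, as an added example that is neither ADSelfService Plus nor NPS Extension code: it encodes the four value formats (string, int, IPv4, IPv6) into RFC 2865 attributes, including the Vendor-Specific wrapper (type 26) around the vendor ID, and parses them back so a captured RADIUS response can be inspected. The attribute numbers are from RFC 2865 (Service-Type = 6 with Login = 1, Framed-IP-Address = 8) and the Fortinet vendor ID 12356 is from the page; the vendor attribute number 1 and its value are constructed sample data, so check numbers against your vendor's RADIUS dictionary.

```python
"""Added example (not ADSelfService Plus code): RADIUS attribute encoding (RFC 2865)."""
import ipaddress
import struct

VENDOR_SPECIFIC = 26          # RFC 2865 Vendor-Specific attribute
SERVICE_TYPE = 6              # RFC 2865 standard attribute
FRAMED_IP_ADDRESS = 8         # RFC 2865 standard attribute
SERVICE_TYPE_LOGIN = 1        # enum value "Login" for Service-Type
FORTINET_VENDOR_ID = 12356    # vendor ID from the page
MAX_VALUE_LEN = 253           # one-octet length field that includes type + length


def encode_value(fmt, value):
    """Encode a value in one of the four formats the Advanced settings offer."""
    if fmt == "string":
        data = str(value).encode("utf-8")
    elif fmt == "int":
        data = struct.pack("!I", int(value))       # enum values are sent as int
    elif fmt == "ipv4":
        data = ipaddress.IPv4Address(value).packed
    elif fmt == "ipv6":
        data = ipaddress.IPv6Address(value).packed
    else:
        raise ValueError(f"unsupported format: {fmt!r}")
    if not 1 <= len(data) <= MAX_VALUE_LEN:
        raise ValueError("attribute value length out of range")
    return data


def encode_standard(attr_number, fmt, value):
    """Type | Length | Value"""
    data = encode_value(fmt, value)
    return struct.pack("!BB", attr_number, 2 + len(data)) + data


def encode_vsa(vendor_id, vendor_type, fmt, value):
    """Type=26 | Length | Vendor-Id (4 octets) | Vendor type | Vendor length | Value"""
    data = encode_value(fmt, value)
    inner = struct.pack("!BB", vendor_type, 2 + len(data)) + data
    if 6 + len(inner) > 255:
        raise ValueError("vendor-specific attribute too long")
    return struct.pack("!BBI", VENDOR_SPECIFIC, 6 + len(inner), vendor_id) + inner


def decode_attributes(blob):
    """Parse a run of attributes into (number, vendor_id, vendor_type, value) tuples."""
    out, i = [], 0
    while i < len(blob):
        if i + 2 > len(blob):
            raise ValueError("truncated attribute header")
        number, length = blob[i], blob[i + 1]
        if length < 2 or i + length > len(blob):
            raise ValueError("malformed attribute length")
        value = blob[i + 2:i + length]
        if number == VENDOR_SPECIFIC:
            if len(value) < 6:
                raise ValueError("vendor-specific attribute too short")
            vendor_id = struct.unpack("!I", value[:4])[0]
            vtype, vlen = value[4], value[5]
            if vlen != len(value) - 4:
                raise ValueError("vendor length mismatch")
            out.append((number, vendor_id, vtype, value[6:]))
        else:
            out.append((number, None, None, value))
        i += length
    return out


def build_vpn_response_attributes():
    """Constructed sample of a post-MFA attribute set: Login service type,
    a framed IPv4 address, and one vendor string attribute (number 1)."""
    return b"".join([
        encode_standard(SERVICE_TYPE, "int", SERVICE_TYPE_LOGIN),
        encode_standard(FRAMED_IP_ADDRESS, "ipv4", "10.1.1.1"),
        encode_vsa(FORTINET_VENDOR_ID, 1, "string", "vpn-admins"),
    ])
```

The encoder is where the format rules in the list above bite: an int attribute is always four octets in network byte order, so an enum such as Login must be entered as its integer, and an IP attribute must be a parseable address or the encoder rejects it before anything is sent.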
Cloud Applications Login MFA

- Enable passwordless logins: This setting allows users to access applications and the self-service portal without a password. Please refer to this page for more information.
Note: Passwordless logins to cloud applications require the Professional edition of ADSelfService Plus with Endpoint MFA.
- Please note that the Trust this browser setting will be disabled for the users for whom passwordless login is enabled to avoid security loopholes. When passwordless logins are enforced, the user has to authenticate each time they attempt to access the application.
- Restrict the MFA idle time during logins to cloud apps to <text_field> min: Enabling this setting will set a time limit for users to finish the MFA process.
- Force enrollment for not enrolled users after successful password verification: When this setting is enabled, users will not be forced to go through MFA when they log in for the first time. Instead, they will be asked to go through enrollment after successful password verification.
- Force enrollment post successful MFA for authenticators selected for other endpoints: Enabling this setting ensures users enroll with all the authenticators required not only for cloud application logins, but also for MFA during reset password and account unlock as well as machines, VPN, OWA, and ADSelfService Plus logins. Enrollment is also enforced for authenticators set as mandatory in the MFA Enrollment tab.
- Keep the 'Trust this browser' option selected by default: When this option is enabled, the Trust this browser checkbox will be selected by default in the MFA verification screen. This setting is not applicable when passwordless logins are enabled.
- Expire trust for a browser after ___ day(s): When this option is enabled, users will not be asked to go through MFA for the specified number of days when they log in to ADSelfService Plus using trusted browsers. This setting is not applicable when passwordless logins are enabled.
Applications MFA
ADSelfService Plus Login MFA

- Enable passwordless logins: Allows users to access the self-service portal without a password. Please refer to this page for more information.
- Restrict the MFA idle time during ADSelfService Plus portal logins to __ min: Sets a time limit for users to complete the MFA process.
- Force enrollment for not enrolled users after successful password verification: Users will be prompted to enroll after successful password verification rather than being forced through MFA on first login.
- Force enrollment post successful MFA for authenticators selected for other endpoints: Ensures users enroll with all required authenticators for all endpoints.
- Keep the 'Trust this browser' option selected by default: Keeps the Trust this browser checkbox pre-selected on the MFA screen.
- Expire trust for a browser after __ days: Users will not be prompted for MFA for the specified number of days when logging in from trusted browsers.
Q&A Settings
Question Settings

- Display __ Security Questions out of <n> at random: Defines the number of security questions displayed to the user, randomly selected from the configured list.
- Display __ AD Security Questions out of <n> at random: Specifies the number of AD security questions to display, randomly selected from Configuration > Multi-Factor Authentication > Authenticators Setup > AD Security Questions.
- Display the security questions one by one: Displays one question per page.
- Display all the security questions simultaneously: Displays all questions on a single page.
Answer Settings

- Verify the users' identities with case-sensitive answers to security questions: Forces answers to be case-sensitive.
- Hide security answers during authentication: Hides security answers by default.
Answer Strengtheners (for Security Q&A only)
- Prevent users from providing their usernames as answers: This will prevent users from using their username as an answer, improving security and reducing the likelihood of breaches by bad actors.
- Prevent users from providing the same answer to multiple questions: This will prevent users from providing the same answer to multiple questions.
- Prevent users from using any word in the security question in their answers: This will prevent users from copying words in the questions as answers.
- Force users to use only English characters (a-z), numbers (0-9), and symbols: This will make sure that users use only alphanumeric characters and symbols in their answers.
- Store security answers using reversible encryption: Selecting this option will store the security answers as plain text in the ADSelfService Plus database. The answers can be viewed using the Security Questions and Answers report.
- Store security answers using the ___ algorithm: Select this option to encrypt and store the answers to security questions using the MD5 or SHA-512 algorithm.
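The answer strengtheners, the case-sensitivity setting and the hashed storage option described above, applied to a constructed set of question-and-answer pairs. This is an added example, not ADSelfService Plus code: whether the product trims whitespace, how it tokenises questions, which characters count as "symbols" (printable ASCII here), and the salted SHA-512 layout are this example's assumptions; the page only says MD5 or SHA-512 is used, and SHA-512 is the one chosen here.

```python
"""Added example (not ADSelfService Plus code): security answer strengtheners and storage."""
import hashlib
import re
import secrets

# Assumption: "English characters, numbers and symbols" means printable ASCII.
ASCII_PRINTABLE = re.compile(r"^[\x20-\x7e]+$")
WORD = re.compile(r"[A-Za-z0-9]+")


def normalize(text, case_sensitive):
    """Trim surrounding whitespace; fold case unless answers are case-sensitive."""
    text = text.strip()
    return text if case_sensitive else text.casefold()


def check_answers(username, qa_pairs, *, block_username=True, block_duplicates=True,
                  block_question_words=True, ascii_only=True, case_sensitive=False):
    """Return (question, reason) pairs for every strengthener an answer violates."""
    problems, seen = [], {}
    norm_user = normalize(username, case_sensitive)
    for question, answer in qa_pairs:
        norm = normalize(answer, case_sensitive)
        if not norm:
            problems.append((question, "empty answer"))
            continue
        if block_username and norm == norm_user:
            problems.append((question, "answer is the username"))
        if block_duplicates:
            if norm in seen:
                problems.append((question, f"same answer as for '{seen[norm]}'"))
            else:
                seen[norm] = question
        if block_question_words:
            question_words = set(WORD.findall(normalize(question, case_sensitive)))
            reused = question_words & set(WORD.findall(norm))
            if reused:
                problems.append((question, f"answer reuses question word(s): {sorted(reused)}"))
        if ascii_only and not ASCII_PRINTABLE.match(norm):
            problems.append((question, "non-ASCII or control characters in answer"))
    return problems


def hash_answer(answer, case_sensitive=False, salt=None):
    """Salted SHA-512 of the normalized answer, stored as 'salthex$digesthex'
    (layout is this example's choice, not the product's)."""
    salt = salt if salt is not None else secrets.token_bytes(16)
    digest = hashlib.sha512(salt + normalize(answer, case_sensitive).encode("utf-8")).hexdigest()
    return f"{salt.hex()}${digest}"


def verify_answer(stored, answer, case_sensitive=False):
    """Recompute with the stored salt and compare in constant time."""
    salt_hex, _ = stored.split("$", 1)
    candidate = hash_answer(answer, case_sensitive, bytes.fromhex(salt_hex))
    return secrets.compare_digest(candidate, stored)
```

Normalizing before hashing is what makes the case-sensitivity setting and the hash option work together: if verification folds case but the stored digest was computed over the raw answer, a correct answer typed in a different case would fail.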
Verification Code Settings
Mail/Mobile Attributes

- Select the attribute type (Mail or Mobile) from the Select Type drop-down.
- Click Add Attribute to add a new attribute containing users' email addresses or mobile numbers.
Secondary Email/Mobile Number

- Prevent enrolling already enrolled <drop-down>: Prevents multiple users from enrolling with the same secondary email address and/or mobile number.
- Allow/Block email addresses from the following domains: Controls which email domains are permitted for secondary email enrollment.
- Allow/Block the following mobile number formats: Controls which mobile number formats are permitted.
- Choose enforcement: Configures whether adding secondary email addresses and mobile numbers is mandatory or optional.
- Make this registration optional.
- Force users to register an email address.
- Force users to register a mobile number.
- Force users to register both an email address and a mobile number.
- Limit the number of secondary email enrollments to __: Specifies the maximum number of secondary email addresses per user (1–10).
- Limit the number of secondary mobile number enrollments to __: Specifies the maximum number of secondary mobile numbers per user (1–10).
Others

- Set verification code length to ___ digits: Sets the number of digits in the verification code.
- Show 'Select Email ID/Mobile No.' in the mail/mobile drop-down list as default value: Shows a selection prompt as the default in the email/mobile drop-down during identity verification.
- Partially hide Email ID/Mobile No. on MFA pages: Partially hides the email address and mobile number during identity verification.
- Skip the "Choose Email Address/Mobile Number" step and auto-trigger the verification code: Skips the selection drop-down and sends the code directly to the user's primary address.
- CC the admin/manager in the identity verification email sent to users: Includes the admin's or manager's email in the CC line of the verification code email.
Tips
- Configure idle time limits for password resets and account unlocks (Configuration > Self-Service > Multi-Factor Authentication > Advanced > Reset/Unlock MFA) to prevent session hijacking during unattended MFA verification.
- Enable MFA Backup Verification Codes (Configuration > Self-Service > Multi-Factor Authentication > Advanced > General) so users are never completely locked out when their MFA device is unavailable.
- Use Force enrollment post successful MFA for authenticators selected for other endpoints (Configuration > Self-Service > Multi-Factor Authentication > Advanced > Reset/Unlock MFA) to ensure users are enrolled for all endpoints in a single pass, rather than being prompted separately per endpoint.
- Enable Restrict users from performing offline MFA after _ days/attempts (Configuration > Self-Service > Multi-Factor Authentication > Advanced > Endpoint MFA) to ensure policy changes are reflected on machines after users re-authenticate online.
- For OWA and VPN, avoid enabling Skip MFA when the ADSelfService Plus server is down or unreachable in production environments. Deploy ADSelfService Plus with failover or load balancing instead.