MFA enrollment
Enrollment is the process through which users register their email address or set up authenticator apps for MFA. Use the Enrollment Settings tab to choose the authenticators your users should enroll in and to make certain authenticators mandatory. You can also enable backup verification codes and configure the settings related to email verification enrollment.
User enrollment status
- Enrolled users: Users who have enrolled in all the mandatory authenticators or have registered for the authenticators configured in the Enrollment Settings are classified as enrolled users.
- Partially enrolled users: Users who have enrolled in some authenticators but not in all of the mandatory authenticators enabled in the Enrollment Settings are classified as partially enrolled users.
- Non-enrolled users: Users who haven't registered for any MFA authenticator, along with users who have been removed by the admin via the Enrolled Users report, are categorized as non-enrolled users.
Enrollment Settings
- Enable these authenticators for user enrollment: Use this setting to choose the authenticators you'd like your users to enroll in.
Note:
- Identity360 uses email verification as the default MFA authenticator to verify users' identities, so it cannot be disabled until after initial setup. Users will be automatically enrolled in the Email Authenticator using their primary email address or User Principal Name from the directory they are a part of.
- Click the icon next to an authenticator to make it mandatory. Users will then be required to enroll in it during MFA registration after successfully logging in to Identity360.
- Enable backup verification codes for MFA recovery: Use this option to allow users to generate backup verification codes in the user portal.
Note: This option allows users to create backup codes only for themselves. Refer to the Advanced Settings to allow users to use these backup codes when they encounter difficulties during the MFA verification process.
These one-time-use backup codes allow users to prove their identities when their MFA device is not reachable or they are unable to use their enrolled MFA methods. Once this setting is enabled, backup codes can be generated, and end users can enter them to authenticate themselves during MFA verification.
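One way a service can issue and redeem one-time-use backup codes like those described above, as an added example that is not Identity360's implementation. The code format, the PBKDF2 parameters and the `BackupCodeStore` class are assumptions made for illustration.

```python
import hashlib
import hmac
import secrets

# Assumed code alphabet: no 0/O or 1/I, so codes survive being read aloud or retyped.
ALPHABET = "ABCDEFGHJKLMNPQRSTUVWXYZ23456789"


def generate_backup_codes(count=5, length=10):
    """Return `count` random codes drawn from a CSPRNG (shown to the user once)."""
    return ["".join(secrets.choice(ALPHABET) for _ in range(length))
            for _ in range(count)]


def _digest(code, salt):
    # Normalise what the user typed, then hash it so plaintext codes are never stored.
    normalised = code.replace("-", "").replace(" ", "").upper()
    return hashlib.pbkdf2_hmac("sha256", normalised.encode(), salt, 100_000)


class BackupCodeStore:
    """Hypothetical per-user store that keeps only salted hashes of unused codes."""

    def __init__(self, codes):
        self._salt = secrets.token_bytes(16)
        self._unused = {_digest(c, self._salt) for c in codes}

    def redeem(self, candidate):
        """Return True and consume the code if it is valid and not yet used."""
        wanted = _digest(candidate, self._salt)
        matched = None
        for stored in self._unused:
            # Constant-time comparison against every stored hash.
            if hmac.compare_digest(stored, wanted):
                matched = stored
        if matched is None:
            return False
        self._unused.discard(matched)  # one-time use: a redeemed code is removed
        return True

    def remaining(self):
        return len(self._unused)


if __name__ == "__main__":
    codes = generate_backup_codes()          # constructed sample run
    store = BackupCodeStore(codes)
    print(store.redeem(codes[0]), store.redeem(codes[0]), store.remaining())
```

A production store would also rate-limit redemption attempts and log each use so a consumed backup code shows up in the user's MFA audit trail.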