MFA Enrolled Users Report

Enrolling for multi-factor authentication (MFA) in ManageEngine ADSelfService Plus lets users log in to their accounts and endpoints—Windows, macOS, or Linux machines, as well as RDPs, VPNs, etc.—securely, sign in to custom enterprise applications with SSO, as well as perform self-service password resets and account unlocks. As an admin, you should be taking appropriate measures to improve enrollment across your organization, which means it's important that you have a list of users who are enrolled for MFA and know which authenticators they have enrolled for.

The MFA Enrolled Users Report displays details of every enrollment action, including the username, time of enrollment, authenticator enrolled for, IP address, endpoint type, and who attempted enrollment (user or admin).

You can also disenroll users from MFA and generate backup codes for user accounts from this report.

Report generation

enrollment-report

You can generate the MFA Enrolled Users Report by following these steps:

  1. Log in to the ADSelfService Plus admin portal with administrator or operator privileges and navigate to Reports > MFA Reports > MFA Enrolled Users Report.
  2. Specify the domain using the Select Domain option.
  3. Use the Select OUs option to specify the OUs, if necessary.
  4. Use the Enrollment Status drop-down to filter the entries based on whether the users are Enrolled or Partially Enrolled. Enrollment status is considered based on the fulfillment of the conditions below. If all of these conditions are satisfied, then the user is considered to be Enrolled. If not, the user is considered Partially Enrolled.
    • Condition 1: The user has enrolled for all mandatory authenticators.
    • Condition 2: The user has enrolled for the required number of authenticators set by administrators.
    • Condition 3: If Security Questions and Answer is configured as the authenticator, the user has enrolled with all the mandatory questions and the correct number of questions.
  5. You can narrow-down the results based on MFA methods using the Enrollment Type drop-down.
  6. Click Generate.

Report customization

Sorting

Click any of the column headers to view the report's entries in ascending or descending order.

Searching

Schedule Reports, Export As, and More

Disenrolling a user

Disenrollment of a user involves partially or completely removing their enrollment information from ADSelfService Plus.

Users will not be able to verify their identity via the authenticators they have been disenrolled from. If a user is completely disenrolled, they must reenroll for at least the minimum number of authentication methods set by the admin to perform MFA and self-service actions.

From the MFA Enrolled Users Report, Users can be disenrolled via two methods:

  1. Manual disenrollment
  2. Bulk CSV disenrollment
enrollment-report

You can use the Free up the selected user(s)' licenses option while disenrolling users from any of the authenticators they are enrolled for. Choosing this option will remove the chosen users from all enrolled authenticators and free up their ADSelfService Plus licenses. As a consequence, these users will become unlicensed and lose any administrator or technician privileges they may have had.

If they are later assigned ADSelfService Plus licenses again, their previous privileges will not be automatically reinstated and will need to be reassigned manually.

Customizing the report

You can customize the report to include or exclude columns containing additional information by clicking the add/remove columns [add/remove columns ] icon at the far left of the navigation buttons.

Users' enrolled authenticators

Clicking View List in the MFA Enrolled Users Report will display the list of authenticators a user has enrolled for.

Generating backup codes

Generating backup codes

Generating backup codes

Admins can generate a backup code for an enrolled user when the user's MFA device is not reachable. The user can use each backup code only once. To generate a backup code for a specific enrolled user:

Generating backup codes
Note: If more than one technician creates backup codes for the same user, then the most recently generated code becomes valid, and this code can only be used once. If the user had generated a backup code themselves, then that will also remain valid until it's used.

Thanks!

Your request has been submitted to the ADSelfService Plus technical support team. Our technical support people will assist you at the earliest.

 

Need technical assistance?

  • Enter your email ID
  • Talk to experts
  •  
     
  •  
  • By clicking 'Talk to experts' you agree to processing of personal data according to the Privacy Policy.

Don't see what you're looking for?

  •  

    Visit our community

    Post your questions in the forum.

     
  •  

    Request additional resources

    Send us your requirements.

     
  •  

    Need implementation assistance?

    Try onboarding

     

Copyright © 2024, ZOHO Corp. All Rights Reserved.