ManageEngine ADSelfService Plus requires you to enroll for the MFA verification methods configured by your administrator. ADSelfService Plus authenticates your identity using the information you provide during the enrollment process. Enrollment is mandatory for:
Note: Your admin might choose to enforce one or more authentication techniques available in ADSelfService Plus. Based on that, you'll be asked to provide the corresponding information.
You must answer a predefined set of personal questions such as "What is your favorite color?" These questions can be configured by you or administrators. You can enroll by either defining custom questions and answers, or by providing answers to administrator-defined questions.
You will need to provide the correct answer to these questions during identity verification. Click here for the enrollment steps.
An OTP will be sent to your email address. You must enter this OTP to confirm your identity. Administrators have the option to use the email address from your Active Directory profile or allow you to provide a different email address during enrollment. Click here for the enrollment steps.
You will have to enter an OTP sent to your mobile device to verify your identity. Administrators can either select the mobile number from your Active Directory profile or allow you to provide a different number during the enrollment process. Click here for the enrollment steps.
Google Authenticator is an app that utilizes TOTP codes for authentication. To enroll for this authenticator, you need to use the Google Authenticator app to scan the QR code shown under the Enrollment section in the ADSelfService Plus end-user portal. Click here for the enrollment steps.
The Microsoft Authenticator app generates a TOTP that you will have to enter to authenticate yourself. For enrollment, you have to install the Microsoft Authenticator app and configure it with ADSelfService Plus. Click here for the enrollment steps.
If your organization already has Azure Active Directory multi-factor authentication enabled, admins can use the existing configuration to let you authenticate through the pre-enrolled authentication methods in Azure Active Directory. Supported methods include:
To use Azure AD MFA, you need not enroll from the ADSelfService Plus portal, but you should be enrolled in the Azure AD user portal for the authentication methods configured by your administrator. Contact your administrator if you are not.
If your organization uses Duo Security, your admin can integrate it with ADSelfService Plus to secure logins, applications and endpoints. To authenticate yourself, you can approve or deny login requests to protected resources using:
For enrollment, you will be required to select one of these methods for MFA. Depending on the method you select, you have to either enter a code that you receive or accept a notification to authenticate yourself.
Click here for the enrollment steps.
RSA SecurID is another method that uses passcodes for multi-factor authentication. Enrollment is not required from the ADSelfService Plus portal; please contact your administrator for the RSA hardware token (passcode) that is mapped to your account. If configured by your RSA admin, to prove your identity, you will then need to enter an OTP generated via:
For RADIUS Authentication, enrollment is not required from the ADSelfService Plus portal. Please contact your administrator for the RADIUS password that is mapped to your account. You will have to enter it during identity verification. If your admin has configured secondary authentication, you will also need to enter the answer to the RADIUS challenge (an OTP) generated via:
The ADSelfService Plus mobile app can be used for these types of authentication:
You will have to download the app and enroll for each MFA method you wish to use. Click here for the enrollment steps.
If your organization already uses SAML-based identity provider (IdP) applications such as Okta or OneLogin, your administrator can configure SAML authentication in ADSelfService Plus as a method to verify users' identities. You need not enroll for SAML authentication from the ADSelfService Plus portal; instead you will straightaway be redirected to your SAML IdP login URL for authentication.
Please contact your administrator to receive the identity provider credentials that are mapped to your account.
In this method, the administrator sets up AD-based questions that are linked to existing or custom AD attributes such as Social Security numbers. To verify your identity, you must provide an answer that will be compared to the attribute value stored in AD for your user account. If they correspond, you will be authenticated.
For Active Directory security questions, you are not required to enroll from the ADSelfService Plus portal. However, if you're unsure about the questions displayed, please contact your administrator.
YubiKey is a hardware device that uses codes for multi-factor authentication. You can enroll for YubiKey authentication by either plugging the YubiKey device into the workstation and pressing its button (if enrollment is via the ADSelfService Plus end-user portal) or tapping it against the mobile device (if enrollment is via the ADSelfService Plus mobile app). When this is done, the code will be automatically entered in the field provided in ADSelfService Plus. Click here for the enrollment steps.
Zoho OneAuth is an app that offers multi-factor authentication and single sign-on for enterprise accounts. The app's TOTP feature can be leveraged by ADSelfService Plus and used as an authentication method. To enroll, you need to scan a QR code displayed in the ADSelfService Plus user portal, using the Zoho OneAuth app.
Once enrolled, you can authenticate by entering the TOTP displayed on the app in the field provided in the portal within the specified time. Click here for the enrollment steps.
You will have to place the SmartCard issued to you in your organization against the card reader. If configured by your admin, you will need to enter the SmartCard PIN. This PIN and the information on the card will be compared with your enrollment information, and your identity will be verified if they match. Enrollment is not required from the ADSelfService Plus user portal; it automatically occurs when the user authenticates for the first time.
Your administrator can extend custom hardware and software TOTP apps used by your organization, as authentication methods in ADSelfService Plus. Your enrollment process will depend on the app's capabilities.
To authenticate, you will have to enter the TOTP displayed on the app in the field provided in the product portal, within the specified time. Enrolling for custom TOTPs can be done by either you or your admin. Click here for the detailed self-enrollment steps.
FIDO Passkeys are a form of authentication that can be used to replace passwords. You can use in-built authenticators like Windows Hello, Apple Touch/FaceID, etc., on your devices, or portable security keys like YubiKeys, Google Titan keys, etc., or even platform authenticators on roaming smartphones (i.e., smartphones other than the one you might be currently using to access the portal), to securely authenticate your identity.
Click here for the enrollment steps.
Install Zoho OneAuth on your mobile device. You can download it from the Google Play Store or the Apple App Store.
Prerequisite:
Software authenticator: Download the Custom Authenticator app to your workstation, or your mobile device from the Google Play Store or the Apple App Store.
Hardware authenticator: You must possess a hardware TOTP device issued by your organization.
Enrollment steps:
Prerequisite:
Enrollment steps:
Note: If you are accessing the ADSelfService Plus end-user portal on a smartphone that has already been registered as a Security Key (roaming authenticator), you need to select 'Security Key' as the passkey type to authenticate and confirm your identity on the same smartphone.
Backup verification codes are a set of 12-character codes that you can generate and use to verify your identity. There are 5 backup codes in a set. You can use these codes if you are unable to use your enrolled MFA methods for authentication or you don't have access to your MFA device.
Each code can be used only once for verifying your identity during machine, VPN, or ADSelfService Plus logins, or for performing any self-service actions.
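The properties described above (5 codes per set, 12 characters each, single use) can be modelled as follows. This is an added example, not ADSelfService Plus code: the character alphabet, case-insensitive matching, storing only SHA-256 hashes, and invalidating the old set on regeneration are all assumptions made for the sketch.

```python
import hashlib
import hmac
import secrets

# Assumed alphabet (no look-alike characters); the page states only the
# code length (12) and the number of codes per set (5).
ALPHABET = "ABCDEFGHJKLMNPQRSTUVWXYZ23456789"
CODE_LENGTH = 12
CODES_PER_SET = 5


def _digest(code: str) -> str:
    """Normalise user input and hash it so plaintext codes are never stored."""
    return hashlib.sha256(code.strip().upper().encode()).hexdigest()


class BackupCodeStore:
    """Holds the hashes of one user's current set of backup codes."""

    def __init__(self):
        self._unused = set()

    def generate_set(self):
        """Create a fresh set; in this sketch the previous set stops working."""
        codes = ["".join(secrets.choice(ALPHABET) for _ in range(CODE_LENGTH))
                 for _ in range(CODES_PER_SET)]
        self._unused = {_digest(c) for c in codes}
        return codes  # shown to the user once, at generation time

    def redeem(self, submitted: str) -> bool:
        """Accept a code at most once; compare digests in constant time."""
        candidate = _digest(submitted)
        match = None
        for stored in self._unused:
            if hmac.compare_digest(stored, candidate):
                match = stored
        if match is None:
            return False
        self._unused.discard(match)  # single use: burn the code on success
        return True

    def remaining(self) -> int:
        return len(self._unused)
```

Because a redeemed code is removed from the store, a second attempt with the same code fails even if it was intercepted or written down elsewhere.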
The MFA backup codes section can be accessed from:
Offline MFA ensures that your identity is authenticated and the access to your machine is secured even when the ADSelfService Plus server is unreachable. ADSelfService Plus supports offline MFA during local and remote Windows logins and User Account Control prompts. It uses the following authenticators:
Once you successfully complete MFA when connected to the ADSelfService Plus server, based on admin configuration, you will be prompted to enroll for any authenticators required for offline MFA. You will then either be automatically enrolled or prompted to enroll your machine for offline MFA as shown in this image:
Click Enroll & Continue to enroll your machine for offline MFA and access your machine. Your machine is now successfully enrolled for offline MFA. The next time the ADSelfService Plus server is unreachable, you can verify your identity using offline MFA and continue using your machine.
If you do not want to continue using offline MFA in a machine, you can revoke the enrollment information. For this:
Note: The enrollment information will be erased only after this particular machine is connected back to the ADSelfService Plus server during online authentication.