Yet another MAJOR BUG in ADSSP
Ticket # 4272254 raised with ManageEngine for this.
Even though the setting in the ADSSP Admin portal is set to "Deny users from performing password reset/account unlock when partially enrolled", if a user has not enrolled but attempts to Reset Password and/or Unlock Account (keep in mind, the user has not even attempted the enrollment process), the ADSSP portal lets them go through with Email and/or SMS verification and eventually land on the page to do the Reset Password / Unlock Account.
MAJOR BUG which needs a fix IMMEDIATELY.
ManageEngine never seems to test their products/releases. We as the Customers deploy it into our Corporate Environment and risk severe breaches because of this.