Configuring push notification for Active Directory-based actions
Push notification is a method of authentication which involves users receiving an alert on their mobile devices. When push notification is configured as a multi-factor authentication (MFA) method, users need to have a push notification app installed on their mobile devices. During authentication, they provide their account credentials following which they receive a push notification via the app. When they accept the notification, they are authenticated. Push notification is one of the more secure methods of authentication since it does not involve entering passcodes. Also, with push notification, users have the option of denying the push notification if they have not initiated the authentication process and can take action against the attempted breach. Push notifications are also quick as they only involve a tap of a finger.
Active Directory-based user actions like domain logins, password changes, self-service password resets and self-service account unlocks are sensitive activities that require more than the default username and password (or just username in case of password resets!). MFA ensures that users verify their identity at multiple levels, using methods like push notifications that do not involve credentials. This helps prevent attacks like phishing and brute force.
If admins do not prefer employing push notification alone and need to include additional methods of authentication like SAML authentication, and fingerprint authentication, then ADSelfService Plus is the right solution. ADSelfService Plus, an Active Directory self-service password management and single sign-on solution, in a one-stop product that includes self-service password resets and account unlocks that can be secured by any of the 15 supported MFA methods. Some of them are push notification, Google Authenticator, YubiKey Authenticator, and RSA SecurID.
Besides Active Directory self-service actions, ADSelfService Plus also employs MFA during:
- Windows, macOS, and Linux logins.
- Enterprise application logins through single sign-on (SSO).
- Self-update of Active Directory profile information, subscription to mail groups, and employee search using ADSelfService Plus.
Push notification for MFA in ADSelfService Plus can be enabled with minimal steps
- Navigate to Configuration > Self-Service > Multi-factor Authentication > Authenticators Setup.
- From the Choose the Policy drop-down, select a policy.
Note: ADSelfService Plus allows you to create OU and group-based policies. To create a policy, go to Configuration → Self-Service → Policy Configuration → Add New Policy. Click Select OUs/Groups, and make the selection based on your requirements. You need to select at least one self-service feature. Finally, click Save Policy. Only users belonging to OUs and groups included in the policy can perform the self-service feature(s) selected. - Click the Push Notification Authentication section.
- Select Enable Push Notification Authentication.
Enable push notification for Active Directory password resets
- Go to Configuration → Self-Service → Multi-factor Authentication → MFA for Reset/Unlock. In the MFA for Reset/Unlock section, enter the number of authentication factors to be enforced, and select Push Notification Authentication along with the other authentication techniques to be used.
- Click Save Settings.
Enable push notification for Active Directory domain logins
- Go to Configuration > Self-Service > Multi-factor Authentication > MFA for Endpoints.
- Select a policy from the Choose the Policy drop-down. This will determine which authentication methods are enabled for which sets of users.
- In the MFA for Machine Login section, check the box to enable MFA for Machine Login and select the number of authentication factors to be prompted. Select the Push Notification Authentication and other required authenticators from the drop-down.
- Click Save Settings.
New to ADSelfService Plus?
Related Articles
Configuring QR code-based authentication for Active Directory-based actions
QR code-based authentication is a type of multi-factor authentication method that involves scanning a QR code with an app in order to verify one's identity. When authenticating into a service using MFA, users need to provide their account credentials ...Configuring RADIUS authentication for Active Directory-based actions
Traditional logins to resources on an organizational network involve only a username and password. However, if all the data breaches in recent years teach us anything, it is that they are not sufficient. Multi-factor authentication (MFA) has become ...Configuring Microsoft Authenticator for Active Directory-based actions
Microsoft Authenticator is an authentication method developed by Google that uses a time-based one-time-passcode (TOTP) in order to verify users' identities. It is often used as one of the multi-factor authentication (MFA) methods along with others ...Configuring TOTP authentication for Active Directory-based actions
Time-based one-time-password or TOTP is one of the most common methods used in multi-factor authentication (MFA). With this method, users are required to enter a passcode within a specific time from its generation. When users prove their identity in ...How to enable offline MFA in ADSelfService Plus
ManageEngine ADSelfService Plus supports offline multi-factor authentication (MFA) for Windows machine logins, User Account Control (UAC) prompt elevation, and Remote Desktop Protocol (RDP) server authentication when the product server is ...