How to enable Partial Enrollment for Active Directory users in ADSelfService Plus
Active Directory domain users need to complete enrollment with ADSelfService Plus before they can use the below listed features:
- Self-service password reset
- Self-service account unlock
- Endpoint multi-factor authentication
- ADSelfService Plus' logon multi-factor authentication
Only after enrollment, the product can verify users' identities using any or all of the enforced authentication techniques.
Enrollment status of users in ADSelfService Plus
If all the below conditions are satisfied, users are considered Enrolled, else, they are Partially Enrolled.
Condition 1: The user should have enrolled for all the mandatory authenticators.
Condition 2: The user should have enrolled for the required number of authenticators for enabling the password reset and account unlock features.
Condition 3: If Security Question and Answer is configured as the authenticator, the user should have enrolled by answering the required number of questions as well as all the mandatory questions.
Only the users who have satisfied all the above three conditions are deemed enrolled, and can perform self-service password reset and account unlock. For the partially enrolled users (say, users have enrolled for 2 out of 4 authentication methods), ADSelfService Plus allows them to initiate the self-service password reset/account unlock action and complete the enrollment during the identity verification stage.
How to enable partially enrolled users to perform password self-service
- Go to Configuration → Self-Service → Multi-factor Authentication.
- Click Advanced.
3. In the Reset/Unlock tab, unselect the Deny users from performing password reset/account unlock when partially enrolled option.
4. Click Save.
Important: Users cannot enroll for ADSelfService Plus mobile app-based authenticators during the identity verification stage.
New to ADSelfService Plus?
Related Articles
How to automatically enroll users with ADSelfService Plus?
Privileges The ADSelfService Plus server should have permission to access the external database server. SELECT privilege over the database table(s) for the user account that will be querying the external database. This should be an account in the ...Configuring high availability in ADSelfService Plus
ADSelfService Plus utilizes automatic failover to support high availability in case of system and product failures. Essentially, this means that when the ADSelfService Plus service on one machine fails, another instance of ADSelfService Plus running ...How to enable self-update for custom AD attributes in ADSelfService Plus
IT administrators might need to create custom attributes for a variety of reasons such as to route Active Directory based custom messages, application integration, or including specific flags on Active Directory objects. Before you can create a ...Free up unused ADSelfService Plus licenses
As employees enter and leave an organization, there may be a substantial amount of stale user accounts in Active Directory. Stale accounts should be removed from the purview of ADSelfService Plus so that the license assigned to them can be reclaimed ...Configuring SAML SSO for Active Directory Federation Services (AD FS) using ADSelfService Plus
The following guide elaborates on the steps to configure SSO for AD FS with ADSelfService Plus. This enables users to access all AD FS integrated applications by authenticating with ADSelfService Plus. Prerequisite Fetch the AD FS server federation ...