How to enable Partial Enrollment for Active Directory users in ADSelfService Plus

Active Directory domain users must complete enrollment with ADSelfService Plus before they can use the following features:
  1. Self-service password reset
  2. Self-service account unlock
  3. Endpoint multi-factor authentication
  4. ADSelfService Plus' logon multi-factor authentication
Only after enrollment can the product verify users' identities using any or all of the enforced authentication techniques.

Enrollment status of users in ADSelfService Plus

Users are considered Enrolled only if all of the conditions below are satisfied; otherwise, they are Partially Enrolled.

Condition 1: The user should have enrolled for all the mandatory authenticators.

Condition 2: The user should have enrolled for the required number of authenticators for enabling the password reset and account unlock features.

Condition 3: If Security Question and Answer is configured as the authenticator, the user should have enrolled by answering the required number of questions as well as all the mandatory questions.

Only users who have satisfied all three of the above conditions are deemed enrolled and can perform self-service password reset and account unlock. For partially enrolled users (say, users who have enrolled for 2 out of 4 authentication methods), ADSelfService Plus allows them to initiate the self-service password reset/account unlock action and complete the enrollment during the identity verification stage.
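As an added example (not ManageEngine's code and not an ADSelfService Plus API), the three conditions above can be modelled in Python to show which condition leaves a given user partially enrolled. The `Policy` and `User` classes, the function names, and the sample policy and users are all constructed for illustration.

```python
from dataclasses import dataclass, field

SQA = "Security Question and Answer"

@dataclass
class Policy:  # hypothetical model of the MFA settings the article describes
    configured: set          # authenticators enabled in the policy
    mandatory: set           # authenticators every user must enroll for
    required_count: int      # authenticators needed for reset/unlock
    questions_required: int = 0
    mandatory_questions: set = field(default_factory=set)

@dataclass
class User:  # hypothetical enrollment record for one domain user
    name: str
    enrolled: set            # authenticators the user has enrolled for
    answered: set = field(default_factory=set)  # security questions answered

def unmet_conditions(policy, user):
    """Return the numbers (1-3) of the article's conditions the user fails."""
    unmet = []
    if not policy.mandatory <= user.enrolled:            # Condition 1
        unmet.append(1)
    if len(user.enrolled & policy.configured) < policy.required_count:
        unmet.append(2)                                  # Condition 2
    # Assumption: Condition 3 is read literally, so it applies to every user
    # whenever Security Question and Answer is configured.
    if SQA in policy.configured and (
            len(user.answered) < policy.questions_required
            or not policy.mandatory_questions <= user.answered):
        unmet.append(3)
    return unmet

def status(policy, user):
    # The article defines two states: all conditions met, or partially enrolled.
    return "Partially Enrolled" if unmet_conditions(policy, user) else "Enrolled"

# Constructed sample policy and users
POLICY = Policy(
    configured={SQA, "Email Verification", "SMS Verification", "Google Authenticator"},
    mandatory={"Email Verification"},
    required_count=2, questions_required=2, mandatory_questions={"Q1"})
USERS = [
    User("alice", {SQA, "Email Verification"}, {"Q1", "Q3"}),
    User("bob", {SQA, "Email Verification"}, {"Q2", "Q3"}),
    User("carol", {"SMS Verification"}),
]

if __name__ == "__main__":
    for u in USERS:
        print(u.name, status(POLICY, u), unmet_conditions(POLICY, u))
```

In this sample, bob meets the authenticator counts but skipped a mandatory question, so he is still Partially Enrolled.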

How to enable partially enrolled users to perform password self-service

  1. Go to Configuration > Self-Service > Multi-factor Authentication.
  2. Click Advanced.
  3. In the Reset/Unlock tab, unselect the Deny users from performing password reset/account unlock when partially enrolled option.
  4. Click Save.
Important: Users cannot enroll for ADSelfService Plus mobile app-based authenticators during the identity verification stage.



