How to configure MFA using Zoho OneAuth in ADSelfService Plus

How to enable Zoho OneAuth TOTP for MFA?

In enterprise networks, usernames and passwords alone are no longer sufficient to verify user identity. Without an additional authentication layer, i.e., multi-factor authentication (MFA), enterprise networks and resources become easy prey to credential-based attacks such as phishing and password reuse. This is why, in the current technological landscape, MFA has become a mandatory part of every organization's authentication system.

A time-based one-time password (TOTP) is a prevalent authentication method used for MFA. Zoho OneAuth, a multi-factor authenticator app, offers a mobile-based TOTP authenticator for social and enterprise accounts. Once enrolled, the Zoho OneAuth TOTP authenticator derives a new verification code from the enrolled secret and the current time every 30 seconds, and users must enter the code while that time window is still valid to complete authentication. In combination with credentials and other authentication methods such as biometrics, the TOTP authenticator is a viable barrier against unauthorized access.

Achieve holistic enterprise MFA with Zoho OneAuth

ManageEngine ADSelfService Plus supports the Zoho OneAuth OTP authenticator as a method to implement MFA during enterprise application logins along with:

  • Local and remote Windows, macOS, and Linux logins.
  • Microsoft Outlook Web Access and Exchange logins.
  • Self-service password reset and account unlock.

Furthermore, implementing enterprise MFA with ADSelfService Plus provides the following benefits:

  • Granular configuration: Implement MFA using particular authenticators for users belonging to specific groups, OUs, and domains.
  • Adaptive MFA: The solution offers provisions to heighten, relax, or skip MFA during authentication based on IP address, time of access, geolocation, and device used.
  • Detailed audit reports: Gain comprehensive insights on user activities such as identity verification failures and login attempts, and find users with weak passwords.
  • Ensure 100% enrollment: Automate user enrollment by importing users' domain information through CSV files or force enrollment using login scripts.

How to configure MFA using Zoho OneAuth in ADSelfService Plus

Prerequisites:

  1. SSL must be enabled: Log in to the ADSelfService Plus web console with admin credentials. Navigate to Admin → Product Settings → Connection. Select the ADSelfService Plus Port [https] option. Refer to the product's SSL guide to learn how to apply an SSL certificate and enable HTTPS.
  2. Access URL must be set to HTTPS: Navigate to Admin → Product Settings → Connection → Connection Settings → Configure Access URL and set the Protocol option to HTTPS.
  3. Endpoint MFA: Your ADSelfService Plus license must include Endpoint MFA. Visit the store to purchase the feature. (Applicable to MFA for machine and OWA logins)
  4. Install the ADSelfService Plus login agent: Install the ADSelfService Plus login agent for Windows, macOS, and Linux on the machines where you want to enable MFA. (Applicable to MFA for machine logins)

Steps to configure:

  1. Navigate to Configuration → Self-Service → Multi-factor Authentication → Authenticators Setup.
  2. From the Choose the Policy drop-down, select a policy.
    Note: ADSelfService Plus allows you to create OU- and group-based policies. To create a policy, go to Configuration → Self-Service → Policy Configuration → Add New Policy. Click Select OUs/Groups and choose the OUs or groups to which you want to apply the policy. You need to select at least one self-service feature. Finally, click Save Policy.
  3. Click Zoho OneAuth TOTP.
  4. Click the Enable Zoho OneAuth TOTP button.


Enable Zoho OneAuth TOTP-based MFA for enterprise application logins

  1. Go to Configuration → Self-Service → Multi-factor Authentication → MFA for Applications.
  2. Select a policy from the Choose the Policy drop-down.
  3. In the MFA for Cloud Applications section, check the box next to Enable __ authentication factors, select the number of authentication methods, and select Zoho OneAuth TOTP along with any other configured authenticators from the drop-down.
  4. Click on the asterisk (*) next to the authentication method to set it as mandatory. You can also reorder the authenticators.
  5. Click Save Settings.

Enable Zoho OneAuth TOTP-based MFA for OWA

Step 1: Configuring MFA for OWA
  1. Go to Configuration → Self-Service → Multi-factor Authentication → MFA for Endpoints.
  2. Click the Choose the Policy drop-down and select a policy. This will determine which authentication methods are enabled for which sets of users.
  3. In the MFA for OWA Login section, check the box next to Enable __ authentication factors, select the number of authentication methods, and select Zoho OneAuth TOTP along with any other configured authenticators from the drop-down.
  4. Click on the asterisk (*) next to the authentication method to set it as mandatory. You can also reorder the authenticators.
  5. Click Save Settings.

Step 2: Install the ADSelfService Plus MFA Connector

The Internet Information Services (IIS) MFA extension must be installed on the Exchange Server to enable MFA for OWA and Exchange admin center logins. It triggers the request for the remaining authentication factors after the primary password authentication succeeds.

  1. Go to Configuration → Self-Service → Multi-factor Authentication → MFA for Endpoints.
  2. Navigate to MFA for OWA and click on the help icon.
  3. Download the ADSelfService Plus MFA Connector from the pop-up that appears.
  4. Copy the extension file (AdsspOWAIISModule.zip) to the Windows server that you have configured as the Exchange server. Extract the ZIP file’s content and save it in any location.
  5. Open PowerShell (x64) as an administrator and navigate to the folder where you extracted the extension files.
  6. Execute the following command:
     PS C:\> .\setupIISMFAModule.ps1 Install
