How to modify a specific authenticator enrolled by a user?


Once users have enrolled with the enabled authenticators in ADSelfService Plus, they may want to modify their enrollment information. This article explains the methods available for modifying authenticator enrollment.

Self-modification of the enrollment information by the end-user

End-users can modify the enrollment information from the ADSelfService Plus end-user portal. In case they have lost access to the authenticators and are unable to access the ADSelfService Plus portal, the administrator will have to disenroll the end-users first so that they can enroll again. 
Note:
  1. Some enrollment information cannot be modified by the end-user. Examples include the primary email address and mobile number used for email and SMS verification, answers to AD security questions, and the custom hardware TOTP token. Users have to contact the administrator to change these.
  2. Mobile-app based authenticators can only be modified via the mobile app. 

Modification steps

  1. Log in to ADSelfService Plus with end-user credentials.
  2. Go to Enrollment. Under Enrolled Verification Methods, click on the edit icon next to the authenticator you wish to modify.
  3. In the pop-up that opens, provide the information required to complete the modification. 
  4. For example, in the case of Google Authenticator, click on Change Phone.
  5. Select Scan QR code and scan the displayed QR code.
  6. If that method fails, click the Can't scan it? link. A set of numbers will be displayed.
  7. Open the Google Authenticator app on your mobile device. Select Manual entry and enter the displayed numbers in the app.
  8. A one-time passcode is generated in the app. Type that value in the Enter code field.
  9. Click Next.


Disenrolling stranded end-users via the admin portal to let them enroll again

In certain situations, the end-user could have lost access to the authenticators. For example, if Google Authenticator is set as mandatory and the user loses access to their mobile device, the admin will have to disenroll them so that the end-user can enroll again.
  1. Log in to the ADSelfService Plus admin portal with administrator or operator privileges and navigate to Reports > MFA Reports > MFA Enrolled Users Report.
  2. Specify the domain using the Select Domain option.
  3. Use the Select OUs option to specify the OUs, if necessary.
  4. Use the Enrollment Status drop-down to filter the entries based on whether the users are Enrolled or Partially Enrolled. Enrollment status is considered based on the fulfillment of the conditions below. If all of these conditions are satisfied, then the user is considered to be Enrolled. If not, the user is considered Partially Enrolled.
    • Condition 1: The user has enrolled for all mandatory authenticators.
    • Condition 2: The user has enrolled for the required number of authenticators set by administrators.
    • Condition 3: If Security Questions and Answer is configured as the authenticator, the user has enrolled with all the mandatory questions and the correct number of questions.
  5. You can narrow down the results based on MFA methods using the Enrollment Type drop-down.
  6. Click Generate.
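
The three enrollment conditions from step 4, worked through as an added example (not ADSelfService Plus code or an API of the product) that also reports which condition left a user Partially Enrolled. The Policy and Enrollment classes, their field names, and the sample users are assumptions made for illustration.

```python
from dataclasses import dataclass, field

@dataclass
class Policy:
    """Hypothetical model of the admin's enrollment settings (not a product API)."""
    mandatory: set                  # authenticators every user must enroll in
    required_count: int             # number of authenticators the admin requires
    sq_configured: bool = False     # Security Questions enabled as an authenticator
    sq_mandatory: set = field(default_factory=set)  # questions that must be answered
    sq_required_count: int = 0      # number of questions a user must enroll

@dataclass
class Enrollment:
    """Hypothetical record of what one user has enrolled."""
    authenticators: set
    questions: set = field(default_factory=set)

def enrollment_status(policy, user):
    """Return (status, unmet), where unmet lists each condition that failed."""
    unmet = []
    missing = policy.mandatory - user.authenticators
    if missing:                                              # Condition 1
        unmet.append("1: missing mandatory " + ", ".join(sorted(missing)))
    if len(user.authenticators) < policy.required_count:     # Condition 2
        unmet.append(f"2: {len(user.authenticators)} of {policy.required_count} authenticators")
    if policy.sq_configured:                                 # Condition 3
        # Assumption: "correct number" is read as at least sq_required_count.
        too_few = len(user.questions) < policy.sq_required_count
        if policy.sq_mandatory - user.questions or too_few:
            unmet.append("3: security questions incomplete")
    return ("Enrolled" if not unmet else "Partially Enrolled"), unmet

# Constructed sample data, not taken from a real report.
POLICY = Policy({"Google Authenticator"}, 2, True, {"Q1"}, 2)
USERS = {
    "alice": Enrollment({"Google Authenticator", "Email Verification"}, {"Q1", "Q3"}),
    "bob": Enrollment({"Email Verification"}),
    "carol": Enrollment({"Google Authenticator", "Email Verification"}, {"Q2", "Q3"}),
}

if __name__ == "__main__":
    for name, user in USERS.items():
        print(name, *enrollment_status(POLICY, user))
```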

From the MFA Enrolled Users Report, individual users can be disenrolled.

Choose the user(s) you want to disenroll by checking the box in the column to the left of the user, and then click Disenroll next to the search button. In the pop-up that opens, select the authenticators you want to disenroll the user(s) from and click OK. Click All Authenticators to disenroll the users from all authenticators.


