How do I enroll in ADSelfService Plus?
ADSelfService Plus authenticates your identity using the information you provide during the enrollment process. Enrollment is mandatory for:
- Multi-factor authentication (MFA) during machine, VPN, OWA, and enterprise application logins if the feature has been configured for these endpoints by the administrator.
- Self-service password reset and account unlock using the product.
- Offline MFA during local and remote Windows logins and User Account Control prompts if your administrator has configured the feature. See the Offline MFA section below to know more about enrollment for offline MFA.
Note: Your admin might choose to enforce any or all of the authentication techniques available in ADSelfService Plus. Depending on that choice, you will be asked to provide the corresponding information.
Enrollment using security questions and answers
- In the ADSelfService Plus user portal, go to Enrollment tab → Security Questions.
- One of these three windows will open.
- Mandatory security questions: Your administrator would have already configured the security questions. All you have to do is provide appropriate answers.
- Custom security questions: Configure your own security questions and provide appropriate answers.
- Select a question from the list: A set of security questions defined by your administrator will be displayed. Choose the questions you wish to be authenticated with and provide appropriate answers.
- Click Next.
Enrollment using email address
Get verification code via email ID
- In the ADSelfService Plus user portal, go to the Enrollment tab → Email verification.
- Enter your email ID.
- Verify the entered email ID by entering the verification code sent to your mail.
- Click Next.
Enrollment using Mobile numbers
Get verification code via mobile number
- In the ADSelfService Plus user portal, go to Enrollment tab → Mobile Verification.
- Enter your mobile number.
- Verify the entered mobile number by entering the verification code sent to your device.
- Click Next.
Enrollment using Google Authenticator
Prerequisite:
- Download the Google Authenticator app on your mobile device from the Play Store or the App Store.
Configuration steps:
- In the ADSelfService Plus user portal, go to Enrollment tab → Google Authenticator. A barcode will be displayed.
- Open the Google Authenticator app on your mobile device. Select Scan barcode and scan the displayed barcode.
- If that method fails, click the Can't scan it? link. A set of numbers will be displayed.
- Open the Google Authenticator app on your mobile device. Select Manual entry and enter the displayed numbers in the app.
- A one-time passcode is generated in the app. Type that value in the Enter code field.
- Click Next.
Enrollment using Azure AD MFA
To enable Azure AD MFA, enrollment is not required from the ADSelfService Plus portal. You must already be enrolled for the authentication methods configured by your administrator in the Azure AD user portal. If you are not, contact your administrator.
Enrollment using DUO Security
- In the ADSelfService Plus user portal, go to Enrollment tab → DUO Security.
- Follow the steps given in the webpage.
- Click Next.
Enrollment using RSA SecurID
For RSA Authentication, enrollment is not required from the ADSelfService Plus portal. Please contact your administrator for the RSA hardware token that is mapped to your account.
Enrollment using RADIUS Authentication
For RADIUS Authentication, enrollment is not required from the ADSelfService Plus portal. Please contact your administrator for the RADIUS password that is mapped to your account.
Enrollment using SAML Authentication
For SAML Authentication, enrollment is not required from the ADSelfService Plus portal. Please contact your administrator to receive the identity provider credentials that are mapped to your account.
Enrollment using AD Security Questions
To use the AD Security Questions method of authentication, you are not required to enroll from the ADSelfService Plus portal. If you are unsure about the answers for the displayed AD security questions, please contact your administrator.
Enrollment using Push Notification Authentication
- Log in to the ADSelfService Plus mobile app → click Enrollment → Push Authentication.
- Follow the steps displayed in the webpage.
Enrollment using Fingerprint Authentication
- Log in to the ADSelfService Plus mobile app → click Enrollment → Fingerprint Authentication.
- Follow the steps displayed in the webpage.
Enrollment using QR code Authentication
- Log in to the ADSelfService Plus mobile app → click Enrollment → QR code Authentication.
- Follow the steps displayed in the webpage.
Enrollment using TOTP Authentication
- Log in to the ADSelfService Plus mobile app → click Enrollment → TOTP Authentication.
- Follow the steps displayed in the webpage.
Enrollment using TOTP Microsoft Authenticator
Prerequisite:
Download the Microsoft Authenticator app on your mobile device from the Google Play Store or the Apple App Store.
Configuration steps:
- Log in to the ADSelfService Plus portal with admin credentials.
- Go to Enrollment → Microsoft Authenticator. A barcode will be displayed.
- Open the Microsoft Authenticator app and select Scan barcode.
- Scan the displayed barcode. A one-time passcode is generated in the app.
- Switch to the user portal and type the one-time-passcode in the Enter code field.
- Click Verify Code.
Can't scan the code?
- If your camera is unable to capture the QR code, you can manually add information for the Microsoft Authenticator app.
- Open the Microsoft Authenticator app on your mobile device.
- Select Add account → Other (Google, Facebook, etc.) → OR ENTER CODE MANUALLY. Enter the Account name (something to identify your account, say, ADSSP) and type the Secret Key displayed. A one-time passcode is generated.
- Switch to the user portal and type the one-time passcode in the Enter code field.
- Click Verify Code.
Microsoft Authenticator
Prerequisite
Download the Microsoft Authenticator app on your mobile device from the Google Play Store or the Apple App Store.
Configuration steps:
- Log in to the ADSelfService Plus portal with admin credentials.
- Go to Enrollment → Microsoft Authenticator. A QR code will be displayed.
- Open the Microsoft Authenticator app and select Scan QR code.
- Scan the displayed QR code. A one-time passcode is generated in the app.
- Switch to the user portal and type the one-time-passcode in the Enter code field.
- Click Verify Code.
Can't scan the code?
- If your camera is unable to capture the QR code, you can manually add information for the Microsoft Authenticator app.
- Open the Microsoft Authenticator app on your mobile device.
- Select Add account → Other (Google, Facebook, etc.) → OR ENTER CODE MANUALLY. Enter the Account name (something to identify your account, say, SelfService App) and type the Secret Key displayed. A one-time passcode is generated.
- Switch to the user portal and type the one-time passcode in the Enter code field.
- Click Verify Code.
Enrollment using Zoho OneAuth TOTP Authentication
Note: Install Zoho OneAuth on your mobile device. You can download it from the Google Play Store or the Apple App Store.
- In the ADSelfService Plus user portal, go to Enrollment > Zoho OneAuth TOTP. A QR code will be displayed.
- Open the Zoho OneAuth app on your phone. Go to Authenticator > OTP Authenticator.
- Click the + and select Scan the QR secret.
- Scan the QR code displayed on the ADSelfService Plus user registration screen.
- If this method fails, click the Can't scan the QR code? link. A secret key will be displayed.
- Go to the Zoho OneAuth app on your phone. Select Enter secret manually and enter the secret key in the app.
- A one-time passcode is generated in the app. Type that value in the Enter the TOTP field in the ADSelfService Plus user registration screen.
- Click Next.
Backup verification codes
Backup verification codes are 12-character codes that you can generate and use to verify your identity. Backup codes come in sets of five. You can use these codes if you're unable to use your enrolled MFA methods for authentication or you don't have access to your MFA device. Each code can be used only once for verifying your identity during machine, VPN, and ADSelfService Plus logins or for performing any self-service actions.
Backup code generation:
The MFA backup codes section can be accessed from the:
- Enrollment tab: In the ADSelfService Plus user portal, go to Enrollment. Under MFA Recovery Mode, if generating backup codes for the first time, select Generate One-Time Use Backup Codes. If you have generated backup codes before, select the edit icon to view the backup codes or generate new codes.
- Profile icon: If the Enrollment tab is not available in the ADSelfService Plus user portal, click the profile icon and select MFA Recovery from the profile menu that appears.
- The Generated Backup Verification Codes section will appear. Here, five MFA backup verification codes will be displayed. If you require a new set of codes, click Generate New Codes. The previously displayed set of codes will be invalidated.
- Choose what to do with the generated codes:
- Save as Text: Download the codes as a text file.
- Send Email: Email the backup codes to a specific email address.
- Print: Print a hard copy of the codes.
- Click Close.
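The backup-code rules described above (12-character codes, sets of five, each usable once, a new set invalidating the old one) can be modelled as follows. This is an added example, not ADSelfService Plus code; the alphabet, the salted SHA-256 storage and the class name `BackupCodes` are assumptions.

```python
import hashlib
import secrets

# Assumed alphabet (no look-alike characters); the page states only the length.
ALPHABET = "ABCDEFGHJKLMNPQRSTUVWXYZ23456789"
CODE_LEN, SET_SIZE = 12, 5   # from the page: 12-character codes, sets of five

class BackupCodes:
    """Server-side record of one user's current backup-code set (hypothetical)."""

    def __init__(self):
        self._salt = b""
        self._unused = set()      # digests only; plaintext codes are never stored

    def _digest(self, code):
        canon = "".join(code.split()).upper().encode()   # tolerate spaces and case
        return hashlib.sha256(self._salt + canon).digest()

    def generate(self):
        """Issue a fresh set; the previous set stops working immediately."""
        self._salt = secrets.token_bytes(16)
        codes = set()
        while len(codes) < SET_SIZE:                     # CSPRNG, no duplicates
            codes.add("".join(secrets.choice(ALPHABET) for _ in range(CODE_LEN)))
        self._unused = {self._digest(c) for c in codes}
        return sorted(codes)      # shown to the user once (save, email or print)

    def redeem(self, code):
        """True exactly once per valid code; the code is consumed on success."""
        digest = self._digest(code)
        if digest in self._unused:
            self._unused.discard(digest)
            return True
        return False

    def remaining(self):
        return len(self._unused)

if __name__ == "__main__":
    store = BackupCodes()
    first = store.generate()
    print(store.redeem(first[0]), store.redeem(first[0]), store.remaining())
```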
Offline MFA
Offline MFA ensures that your identity is authenticated and the access to your machine is secured even when the ADSelfService Plus server is unreachable. ADSelfService Plus supports offline MFA during local and remote Windows logins and User Account Control prompts. It uses the following authenticators:
- Google Authenticator
- Microsoft Authenticator
- Custom TOTP authenticator
- Zoho OneAuth TOTP
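All four authenticators listed above generate TOTP codes, and a TOTP code can be checked with only the enrolled secret key and a clock. The following is an added example, not ADSelfService Plus code: it decodes a secret key typed by hand, as in the manual-entry steps of the authenticator sections, and verifies a code per RFC 6238. The key is the RFC's published test key; the drift window and the replay counter are assumptions.

```python
import base64
import hashlib
import hmac
import struct

def decode_secret(typed):
    """Decode a manually entered Base32 key (apps show it grouped, unpadded)."""
    s = "".join(typed.split()).replace("-", "").upper()
    s += "=" * (-len(s) % 8)          # restore padding dropped for display
    return base64.b32decode(s)

def totp(key, unix_time, step=30, digits=6):
    """RFC 6238 code for the 30-second step containing unix_time (HMAC-SHA1)."""
    counter = int(unix_time) // step
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F           # dynamic truncation (RFC 4226)
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)

def verify(key, submitted, unix_time, last_counter=-1, window=1, step=30):
    """Return the matched step counter, or None if the code is rejected.

    window: steps of clock drift tolerated on either side (assumed value).
    last_counter: newest counter already accepted; that step and older ones
    are refused so a code that was already used cannot be replayed.
    """
    now = int(unix_time) // step
    matched = None
    for counter in range(max(0, now - window), now + window + 1):
        expected = totp(key, counter * step, step)
        same = hmac.compare_digest(expected.encode(), submitted.encode())
        if same and counter > last_counter:
            matched = counter
    return matched

# Constructed input: the RFC 6238 test key, typed the way an app displays it.
SAMPLE_KEY = decode_secret("gezd gnbv gy3t qojq gezd gnbv gy3t qojq")

if __name__ == "__main__":
    code = totp(SAMPLE_KEY, 59)
    print(code, verify(SAMPLE_KEY, code, 59 + 30))
```

The caller stores the returned counter and passes it back as `last_counter` on the next attempt.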
How do I enroll a particular machine for offline MFA?
Once you successfully complete MFA when connected to the ADSelfService Plus server, based on admin configuration, you will be prompted to enroll for any authenticators required for offline MFA. You will then either be automatically enrolled or prompted to enroll your machine for offline MFA.
Click Enroll & Continue to enroll your machine for offline MFA and access your machine. Your machine is now successfully enrolled for offline MFA. The next time the ADSelfService Plus server is unreachable, you can verify your identity using offline MFA and continue using your machine.
How to disenroll from offline MFA?
If you do not want to continue using offline MFA on a machine, you can revoke the enrollment information. To do this:
- Log in to the ADSelfService Plus user portal.
- Go to the Enrollment tab. Click on Manage.
- Click on Offline MFA - Manage Enrolled Users. Here, click on Disenroll for the machine you want to revoke your offline MFA enrollment from.
- You have now successfully disenrolled the particular machine from offline MFA. Repeat step 4 for all the machines you want to disenroll.
Note: The enrollment information will be erased only after this particular machine is connected back to the ADSelfService Plus server during online authentication.