Technician

Overview

Technicians are end users with specific privileges that let them perform product-related administrative tasks in ADSelfService Plus. Each technician needs an ADSelfService Plus license to log in and perform administrative tasks. The Technician Settings page lists your technicians and their license status, and lets you create technicians, assign roles and permissions, and configure login MFA and password policy for technicians who use product authentication. You can access it under Configuration > Administrative Tools > Technician.

How it works

A technician is a directory user or a product account granted administrative privileges and a license. There are two technician types and two built-in roles:

  • Domain-based Technician (called Tenant-based Technician in Microsoft Entra ID mode): Has an account in the directory and controls only the domain or tenant they belong to. They log in with their Windows or directory credentials.
  • Product-based Technician: An account created in ADSelfService Plus that authenticates with product credentials and controls all configured domains.
  • Super Admin: Has full control over the entire application by default.
  • Operator: Can audit operations and view reports by default.

Important: When a product-based Super Admin changes a setting that spans multiple domains or policies, the change is replicated across all of them. Have product-based technicians configure multi-domain or multi-policy settings only when necessary.

Configuration instructions

Reading the Technician Settings page

The page lists each technician with the following columns:

Column | What it shows
Actions | Controls to edit or remove the technician.
Logon name | The technician's login name.
Delegate Role | The role assigned to the technician, such as Super Admin or Operator, and whether management is delegated to them.
Domain Name / Tenant Name | The directory the technician belongs to. The header is Domain Name in Active Directory mode and Tenant Name in Microsoft Entra ID mode. Product-based technicians show ADSelfService Plus Authentication.
Object Type | Whether the entry is a User or a group.
Licensing Status | Whether the technician holds an ADSelfService Plus license, for example Active.

Assigning permissions to roles

  1. On the Technician page, click Role Settings.
  2. Select the role you want from the drop-down.
  3. Assign or remove the displayed permissions for that role.
  4. Click Save.

Creating a technician

  1. Go to Configuration > Administrative Tools > Technician.
  2. Click Add New Technician.
  3. From the Technician Type drop-down, choose Domain-based Technician (or Tenant-based Technician in Microsoft Entra ID mode) or Product-based Technician.
  4. Select the Role, the domain or tenant, and the Users or Groups from the respective drop-downs.
  5. To let the technician manage local users, select Delegate management of localuser.domain.
  6. For a Product-based Technician, enter the login credentials for the account.
  7. Click Add.

Important: A Domain-based Technician logs in with their Windows credentials. A Product-based Technician has no AD account; it exists only in ADSelfService Plus and uses the credentials you set.

Advanced settings: Login MFA and password policy

Click Advanced in the bottom-right corner to configure settings for technicians who use product authentication. The Advanced page has three tabs:

Tab | What you configure
Login MFA | Enable MFA at login for product technicians, choose how many authentication factors to require and which authenticators to use, and set options such as hiding CAPTCHA during MFA, the idle-time limit, the Trust this browser expiry, and MFA backup verification codes.
Password Policy | Enforce password rules for product technicians: restrict characters, repetition, patterns (including a regex pattern), and length; enable the password strength analyzer; and check passwords against the Have I Been Pwned integration.
General | Hide the CAPTCHA on the change-password page, prevent copy-pasting into password fields, enable the password strength analyzer, and set Block Users Who Fail Identity Verification (the maximum invalid attempts within a time window, and how long to block, including blocking until an admin unblocks).

Important: Login MFA settings apply to all product technicians, including the default administrator account. An account without backup codes can be locked out on MFA failure, so turn on the Enable MFA Backup Verification Codes option before enforcing login MFA.

Tips

  • Assign the Operator role to technicians who only need to view reports and audit operations, and reserve Super Admin for full administrators.
  • Give each technician an ADSelfService Plus license; the Licensing Status column shows who is licensed.
  • Enable MFA backup verification codes before turning on login MFA, so an MFA failure cannot lock out the default administrator.
  • Have product-based Super Admins make multi-domain or multi-policy changes only when necessary, because those changes replicate across all affected domains.
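
An added example (not part of the ADSelfService Plus documentation or product): a Python check that reviews a technician list against the tips above. It assumes the Technician Settings columns were copied by hand into CSV; the account names, domain, non-Active status label, approved-accounts list and Super Admin limit are all constructed.

```python
import csv
import io

PRODUCT_AUTH = "ADSelfService Plus Authentication"  # shown for product-based technicians

# Constructed sample: the Technician Settings columns typed into CSV by hand.
# Account names, the domain and the non-Active status label are made up.
SAMPLE_CSV = """\
Logon name,Delegate Role,Domain Name,Object Type,Licensing Status
admin,Super Admin,ADSelfService Plus Authentication,User,Active
jdoe,Super Admin,corp.example,User,Active
svc-report,Super Admin,ADSelfService Plus Authentication,User,Active
helpdesk-ops,Operator,corp.example,Group,Active
asmith,Operator,corp.example,User,Unlicensed
"""


def audit_technicians(csv_text, approved_product_admins=("admin",), max_super_admins=2):
    """Return (logon_name, finding) pairs for entries that go against the tips."""
    findings = []
    super_admins = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        name = row["Logon name"].strip()
        # The directory column is Domain Name in AD mode, Tenant Name in Entra ID mode.
        directory = (row.get("Domain Name") or row.get("Tenant Name") or "").strip()
        is_super_admin = row["Delegate Role"].strip().lower().startswith("super admin")
        if is_super_admin:
            super_admins.append(name)
            # Product-based Super Admins control all configured domains.
            if directory == PRODUCT_AUTH and name not in approved_product_admins:
                findings.append((name, "unapproved product-based Super Admin"))
        # Anything other than Active is treated as unlicensed.
        if row["Licensing Status"].strip().lower() != "active":
            findings.append((name, "no active license"))
    if len(super_admins) > max_super_admins:
        findings.append(("*", f"{len(super_admins)} Super Admins exceeds limit of {max_super_admins}"))
    return findings


if __name__ == "__main__":
    for name, finding in audit_technicians(SAMPLE_CSV):
        print(f"{name}: {finding}")
```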