Microsoft Authenticator

When Microsoft Authenticator is enabled, users must enter a one-time passcode generated by the Microsoft Authenticator mobile app to verify their identity during MFA.

How it works

Microsoft Authenticator provides secure, possession-based verification using time-based one-time passwords (TOTP). The app generates a new six-digit code every 30 seconds on the user's mobile device, ensuring dynamic authentication that protects against phishing and other attacks.

Prerequisite: Configuration can be done only via ADSelfService Plus' default admin account or a product technician account with Super Admin privileges.

Configuration steps

  1. Navigate to Configuration > Self-Service > Multi-factor Authentication > Authenticators Setup.
  2. From the Choose the Policy drop-down, select a policy.
    Note: ADSelfService Plus allows you to create OU and group-based policies. To create a policy, go to Configuration > Self-Service > Policy Configuration > Add New Policy. Click Select OUs/Groups, and make the selection based on your requirements. You need to select at least one self-service feature. Finally, click Save Policy.
  3. Click the Microsoft Authenticator section.
  4. Select a Username Pattern. This step is essential for creating globally unique identifiers in multi-domain environments. Without explicit domain differentiation, users with identical names across domains will experience enrollment and authentication conflicts.
  5. Click Save to enable the authenticator.

[Image: Microsoft Authenticator in ADSelfService Plus]

Authenticator management

After configuration, you can modify the Username Pattern by clicking Modify, or disable the authenticator at any time by clicking Modify > Remove Configuration.

[Image: Modifying Microsoft Authenticator in ADSelfService Plus]

Deploying the authenticator for MFA

Once the authenticator is configured, you can deploy it as an MFA method to secure sensitive actions like password resets and unlocks, protected endpoints, and logging into ADSelfService Plus. Click on the respective links to learn how.

Setting up user enrollment

The last step is setting up the process for users to enroll in the MFA method and use it for identity verification.

Administrators can choose from the following enrollment methods:

  • User self-enrollment: Users scan a QR code displayed in the ADSelfService Plus portal.
  • Bulk enrollment: Administrators can streamline deployment for multiple users.
  • Manual configuration: Users can manually enter the secret key provided by the admin.

Click here for more information on the various enrollment options available in ADSelfService Plus for your users.
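
The following added example (not ManageEngine's or Microsoft's code) shows the RFC 6238 computation behind the six-digit, 30-second codes described under How it works, and builds an enrollment URI to illustrate why a domain-qualified Username Pattern keeps identically named users in different domains distinct. Assumptions: HMAC-SHA1 with RFC 6238 defaults, the otpauth:// Key URI format as the QR payload (the page does not say what ADSelfService Plus encodes), and constructed names (CORP, EMEA, jsmith, the sample secret).

```python
import base64, hashlib, hmac, struct
from urllib.parse import quote, urlencode

STEP, DIGITS = 30, 6   # 30-second period and six-digit codes, as the page states
# Constructed sample secret: the RFC 6238 test key "12345678901234567890" in Base32.
SAMPLE_SECRET = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"

def totp(secret_b32: str, unix_time: int) -> str:
    """RFC 6238 TOTP with HMAC-SHA1 (assumed algorithm, the RFC default)."""
    padded = secret_b32.upper() + "=" * (-len(secret_b32) % 8)  # secrets often omit padding
    key = base64.b32decode(padded)
    counter = struct.pack(">Q", unix_time // STEP)      # 8-byte big-endian time step
    digest = hmac.new(key, counter, hashlib.sha1).digest()
    offset = digest[-1] & 0x0F                          # dynamic truncation (RFC 4226)
    value = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** DIGITS).zfill(DIGITS)

def verify(secret_b32: str, code: str, unix_time: int, drift_steps: int = 1) -> bool:
    """Server-side check: accept the current step +/- drift_steps for clock skew."""
    if len(code) != DIGITS or not (code.isascii() and code.isdigit()):
        return False                                    # reject malformed input early
    return any(
        hmac.compare_digest(totp(secret_b32, unix_time + d * STEP), code)
        for d in range(-drift_steps, drift_steps + 1)
    )

def enrollment_uri(secret_b32: str, account: str, issuer: str) -> str:
    """otpauth:// Key URI (assumed QR payload); 'account' is the Username Pattern result."""
    label = quote(f"{issuer}:{account}", safe="")
    params = urlencode({"secret": secret_b32, "issuer": issuer,
                        "digits": DIGITS, "period": STEP}, quote_via=quote)
    return f"otpauth://totp/{label}?{params}"

if __name__ == "__main__":
    print("code at t=59:", totp(SAMPLE_SECRET, 59))
    print("accepted one step late:", verify(SAMPLE_SECRET, totp(SAMPLE_SECRET, 59), 89))
    # Two constructed users share a logon name in different domains; the
    # domain-qualified pattern gives each a distinct account label.
    for account in ("CORP\\jsmith", "EMEA\\jsmith"):
        print(enrollment_uri(SAMPLE_SECRET, account, "ADSelfService Plus"))
```

The secret in the URI is the same value a user would type in during manual configuration, so enrollment QR codes and secret keys need the same handling as passwords.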

Tip

You can see how the enrollment settings you configure will be presented to your users here.