MFA Enrolled Users Report

Enrolling for MFA in ManageEngine ADSelfService Plus lets users securely log in to their accounts and endpoints (Windows, macOS, or Linux machines, as well as RDPs, VPNs, etc.), sign in to custom enterprise applications with SSO, and perform self-service password resets and account unlocks. This report provides administrators with comprehensive visibility into MFA enrollment status across the organization, enabling effective management of authentication security and user enrollment campaigns.

  • Report overview
  • Generating the MFA Enrolled Users Report
  • Enrollment status conditions
  • Customizing the MFA Enrolled Users Report
  • Managing User Enrollment
  • Automating the MFA Enrolled Users Report
  • Exporting the MFA Enrolled Users Report
  • Tips

How it works

The MFA Enrolled Users Report displays details of every enrollment action, including the username, time of enrollment, authenticator enrolled for, IP address, endpoint type, and who attempted enrollment (user or admin). It tracks enrollment status based on policy requirements, distinguishing between fully enrolled and partially enrolled users, and provides administrative controls for managing user authentication methods. You can also disenroll users from MFA and generate backup codes for user accounts from this report.

Prerequisite: You must have administrator or technician-level access to the ADSelfService Plus portal to generate and view reports.

Generating the MFA Enrolled Users Report

To generate the MFA Enrolled Users Report:

  1. Log in to the ADSelfService Plus portal with default admin, super admin or operator privileges.
  2. Navigate to Reports > MFA Reports > MFA Enrolled Users Report.
  3. Specify the domain using the Select Domain option.
  4. Use the Select OUs option to specify the OUs, if necessary.
  5. Use the Enrollment Status drop-down to filter the entries based on whether the users are Enrolled or Partially Enrolled.
  6. Click Generate.

Enrollment status conditions

A user is considered fully Enrolled when all these conditions are satisfied:

  • Condition 1: The user has enrolled for all mandatory authenticators.
  • Condition 2: The user has enrolled for the required number of authenticators set by administrators.
  • Condition 3: If Security Questions and Answer is configured as the authenticator, the user has enrolled with all the mandatory questions and the correct number of questions.

Users who fail to meet any one of these conditions are classified as Partially Enrolled.
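The three conditions expressed as a policy check, as an added example that is not ADSelfService Plus code. The `MfaPolicy` fields, authenticator names, questions and sample users are hypothetical; Condition 3 is assumed to apply to users who have a Security Questions and Answer enrollment, with "correct number" read as at least the required count.

```python
from dataclasses import dataclass

SECURITY_QA = "Security Questions and Answer"

@dataclass(frozen=True)
class MfaPolicy:
    """Hypothetical model of an enrollment policy (not the product's schema)."""
    mandatory: frozenset                   # authenticators every user must enroll for
    required_count: int                    # number of authenticators required by admins
    qa_mandatory: frozenset = frozenset()  # security questions that must be answered
    qa_required_count: int = 0             # number of questions that must be answered

def enrollment_status(policy, enrolled, answered=()):
    """Return (status, unmet_conditions) for one user listed in the report."""
    enrolled, answered = set(enrolled), set(answered)
    unmet = []
    missing = policy.mandatory - enrolled
    if missing:
        unmet.append("Condition 1: missing " + ", ".join(sorted(missing)))
    if len(enrolled) < policy.required_count:
        unmet.append(f"Condition 2: {len(enrolled)} of {policy.required_count} authenticators")
    # Assumption: checked only when the user has a Security Q&A enrollment.
    # If Security Q&A is itself mandatory and absent, Condition 1 reports it.
    if SECURITY_QA in enrolled:
        missing_q = policy.qa_mandatory - answered
        if missing_q or len(answered) < policy.qa_required_count:
            unmet.append(f"Condition 3: {len(answered)} of {policy.qa_required_count} "
                         f"questions, {len(missing_q)} mandatory unanswered")
    return ("Partially Enrolled" if unmet else "Enrolled"), unmet

# Constructed sample policy and users, for illustration only.
POLICY = MfaPolicy(mandatory=frozenset({"TOTP"}), required_count=2,
                   qa_mandatory=frozenset({"First pet", "Birth city"}),
                   qa_required_count=2)
USERS = {
    "alice": ({"TOTP", "Email OTP"}, ()),
    "bob": ({"Email OTP", SECURITY_QA}, ("First pet",)),
    "carol": ({"TOTP"}, ()),
}

def classify_all(policy, users):
    """Map each username to its (status, unmet_conditions) pair."""
    return {name: enrollment_status(policy, enrolled, answered)
            for name, (enrolled, answered) in users.items()}

if __name__ == "__main__":
    for name, (status, unmet) in classify_all(POLICY, USERS).items():
        print(name, status, unmet)
```

The list of unmet conditions shows which gap to close for each Partially Enrolled user during an enrollment campaign.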

Customizing the MFA Enrolled Users Report

  • Adding or removing columns: To add or remove columns, click on the Add/Remove Columns option at the far right of the report. In the Select the columns to be displayed pop-up that appears, select the required fields under Available Columns and click on the right arrow ( >> ) to move them to Selected Columns. To remove columns, select the unused fields under Selected Columns and click on the left arrow ( << ) to move them to Available Columns.
  • Ordering the columns: The columns' positions can also be altered by selecting a value under Selected Columns and using the Up and Down options to change its position.

Sorting

Click on any of the column headers to view the report's entries in ascending or descending order.

Searching

  • Click on the search icon to search for specific data in the report.
  • Specific users can be searched for using attributes such as their sAMAccountName or Display Name.
  • Searches use the 'contains' criterion. For example, if the username column is searched for the word "jack", then all usernames containing the sequence "jack" will be displayed as a result.

Managing user enrollment

Disenrolling Users

Disenrollment of a user involves partially or completely removing their enrollment information from ADSelfService Plus. Users will not be able to verify their identity via the authenticators they have been disenrolled from.

Manual Disenrollment:

  1. Choose the user(s) you want to disenroll by checking the box in the column to the left of the user.
  2. Click Disenroll next to the search button.
  3. In the pop-up that opens, select the authenticators you want to disenroll the user(s) from and click OK.
  4. Click All Authenticators to disenroll the users from all authenticators.

Bulk CSV Disenrollment:

  1. Click Bulk Disenroll on the right side of the report header.
  2. In the pop-up that opens, upload a CSV file containing the SAM Account Name, Mobile Number, Mail ID, Secondary E-mail ID, or Secondary Mobile number of the users to disenroll.
  3. Select the authenticators you want to disenroll the user(s) from, and click OK.

License Management: You can use the Free up the selected user(s)' licenses option while disenrolling users. Choosing this option will remove the chosen users from all enrolled authenticators and free up their ADSelfService Plus licenses. These users will become unlicensed and lose any administrator or technician privileges.

Generating Backup Codes

Admins can generate a backup code for an enrolled user when the user's MFA device is not reachable. Each backup code can be used only once.

  1. Go to the MFA Backup Code column of the MFA Enrolled Users Report.
  2. Click Generate Now for the specific user.
  3. In the Generate MFA Backup Code section, review the user details (SAM Account Name, Domain Name, Generated time).
  4. Use the Expire (Mins) field to specify the number of minutes after which the code will expire.
  5. Click the copy icon next to the backup code to copy it.
  6. Click Close.

Note: If multiple technicians create backup codes for the same user, the most recently generated code becomes valid and can only be used once. User-generated backup codes remain valid until used.

Viewing User Authenticators

Clicking View List in the MFA Enrolled Users Report will display the complete list of authenticators a user has enrolled for.

Automating the MFA Enrolled Users report

  • The Schedule Reports option can be used to schedule the generation of reports at specified intervals, and automatically email them to administrators or specific email addresses. Learn to schedule reports here.

Exporting the MFA Enrolled Users report

  • The Export As option at the right corner of the page helps export the report in CSV, PDF, XLS, XLSX, HTML and CSVDE formats.

Tips

  • The More option at the right corner of the page lists the Printable View, Send Mail, and Export Settings options.
    • The Printable View option can be used to preview and print the report.
    • The Send Mail option can be used to mail the report to the desired email addresses.
    • Additionally, you can configure custom Export Settings, such as a personalized title for the report and a header logo that you may wish to display on each page.
  • Manage backup codes proactively: Generate backup codes for users before they travel to areas with poor connectivity or before critical business events, setting appropriate expiration times (e.g., 1440 minutes for 24 hours) to balance accessibility with security.