MFA Enrolled Users Report

Enrolling for multi-factor authentication (MFA) in ManageEngine ADSelfService Plus lets users securely log in to their accounts and endpoints (Windows, macOS, or Linux machines, as well as RDPs, VPNs, etc.), sign in to custom enterprise applications with SSO, and perform self-service password resets and account unlocks. As an admin, you should take appropriate measures to improve enrollment across your organization, so it's important to have a list of the users who are enrolled for MFA and to know which authenticators they have enrolled for.

The MFA Enrolled Users Report displays details of every enrollment action, including the username, time of enrollment, authenticator enrolled for, IP address, endpoint type, and who attempted enrollment (user or admin).

You can also disenroll users from MFA and generate backup codes for user accounts from this report.

Report filtering and generation:

  • Domain: Specify the domain using the Select Domain option.
  • OU: Use the Add OUs option to specify OUs if necessary.
  • Enrollment status: Use the Enroll Status drop-down to filter the entries based on whether the users are Enrolled or Partially Enrolled. Enrollment status is determined by the conditions below. If all of the conditions are satisfied, the user's enrollment is treated as Enrolled. If not, it is treated as Partially Enrolled.
    • Condition 1: The user should have enrolled for all mandatory authenticators.
    • Condition 2: The user should have enrolled for the required number of authenticators enforced.
    • Condition 3: If Security Questions is configured as an authenticator, the user should have enrolled with all the mandatory questions and the required number of questions.
  • Enrollment type: Filter the results based on the MFA methods using the Enrollment Type drop-down.
  • Then, click on Generate to generate the report.
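
The three enrollment-status conditions above can be expressed as a small check that also reports which condition a Partially Enrolled user fails, which helps when prioritizing follow-up. This is an added example, not ADSelfService Plus code or its API: the policy fields, record layout, authenticator names, and sample users are all assumptions constructed for illustration, and Condition 3 follows a literal reading of the page.

```python
from __future__ import annotations
from dataclasses import dataclass, field

@dataclass
class MfaPolicy:  # hypothetical model of the admin's MFA settings (assumed field names)
    mandatory_authenticators: set[str]
    min_authenticators: int
    security_questions_configured: bool = False
    mandatory_questions: set[str] = field(default_factory=set)
    min_questions: int = 0

@dataclass
class UserEnrollment:  # hypothetical per-user record, e.g. built from an exported report
    username: str
    authenticators: set[str]
    answered_questions: set[str] = field(default_factory=set)

def unmet_conditions(user: UserEnrollment, policy: MfaPolicy) -> list[int]:
    """Return the numbers (1-3) of the enrollment conditions the user does not satisfy."""
    failed = []
    if not policy.mandatory_authenticators <= user.authenticators:
        failed.append(1)  # a mandatory authenticator is missing
    if len(user.authenticators) < policy.min_authenticators:
        failed.append(2)  # fewer authenticators than the enforced minimum
    if policy.security_questions_configured and (
        not policy.mandatory_questions <= user.answered_questions
        or len(user.answered_questions) < policy.min_questions
    ):
        failed.append(3)  # mandatory questions or question count not met
    return failed

def enrollment_status(user: UserEnrollment, policy: MfaPolicy) -> str:
    return "Partially Enrolled" if unmet_conditions(user, policy) else "Enrolled"

def follow_up(users: list[UserEnrollment], policy: MfaPolicy) -> dict[str, list[int]]:
    """Map each Partially Enrolled user to the conditions they still need to meet."""
    gaps = {u.username: unmet_conditions(u, policy) for u in users}
    return {name: failed for name, failed in gaps.items() if failed}

# Constructed sample policy and users (not real data).
POLICY = MfaPolicy({"Google Authenticator"}, 2, True, {"Q1"}, 2)
USERS = [
    UserEnrollment("alice", {"Google Authenticator", "Security Questions"}, {"Q1", "Q2"}),
    UserEnrollment("bob", {"Security Questions"}, {"Q1", "Q2"}),
    UserEnrollment("carol", {"Google Authenticator", "Email Verification"}),
    UserEnrollment("dave", {"Google Authenticator", "Security Questions"}, {"Q2", "Q3"}),
]

if __name__ == "__main__":
    for u in USERS:
        print(u.username, enrollment_status(u, POLICY), unmet_conditions(u, POLICY))
```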

Report customization



Sorting:

Click on any of the columns to view the report's entries in ascending order or descending order.

Searching:

Schedule Reports, Export As and More

Disenrolling the user

Disenrollment of a user involves partially or completely removing their enrollment information from ADSelfService Plus.

Users will not be able to verify their identity via the authenticators they have been disenrolled from. If a user is completely disenrolled, they must re-enroll for at least the minimum number of authentication methods set by the admin to perform MFA and self-service actions.

Users can be disenrolled via two methods:

  1. Manual disenrollment
  2. Bulk CSV disenrollment




You can use the Free up the selected user(s)' licenses option while disenrolling users from any of the authenticators they are enrolled for. Choosing this option will remove the chosen users from all enrolled authenticators and free up their ADSelfService Plus licenses. As a consequence, these users will become unlicensed and lose any administrator or technician privileges they may have had.

If they are later assigned ADSelfService Plus licenses again, their previous privileges will not be automatically reinstated and will need to be reassigned manually.

Customizing the report:

You can customize the report to include or exclude additional columns with information from AD attributes by clicking on the Add/Remove Columns icon at the far left of the navigation buttons.

Users' enrolled authenticators

Clicking View List in the Enrolled Users Report will display the list of authenticators a user has enrolled for.





Generating backup codes

Admins can generate a backup code for an enrolled user when the user's MFA device is not reachable or is lost. The user can use each backup code only once. To generate a backup code for a specific enrolled user:


Note:
  • If more than one technician creates backup codes for the same user, the most recently generated code becomes the valid one, and it can be used only once.

Copyright © 2024, ZOHO Corp. All Rights Reserved.