Advanced Settings
The Advanced tab in Multi-Factor Authentication contains settings that control how the MFA process behaves for password reset, ADSelfService Plus login, and endpoint logins.
Reset/Unlock MFA
- Password Reset/Unlock Account idle time limit: Enabling this setting sets a time limit on how long a user can take to finish identity verification. For example, if you set it to 5 minutes, the user must enter the SMS verification code or approve the push notification within 5 minutes; otherwise the verification attempt times out.
- Deny users from performing password reset/account unlock when partially enrolled: When this option is selected, end users who have only partially completed enrollment (say, enrolled for 2 out of 4 authentication methods) are not allowed to reset their password or unlock their account.
ADSelfService Plus Login MFA
- Enable Passwordless Login: This setting allows users to access applications and the self-service portal without a password. Please refer to this page for more information.
Note: The 'Trust this browser' setting is disabled when Passwordless Login is enabled, to avoid a security loophole: skipping MFA on a trusted browser would leave no factor to verify. When Passwordless Login is enforced, the user has to authenticate each time they attempt to access the application.
- ADSelfService Plus login MFA process idle time is __: Enabling this setting sets a time limit within which users must complete the multi-factor authentication (MFA) process when logging in to ADSelfService Plus.
- Keep the "Trust this browser" option selected by default: When this option is enabled, the "Trust this browser" checkbox is selected by default on the MFA verification screen.
- Expire trusted devices after ___ days: When this option is enabled, users are not asked to go through MFA when they log in to ADSelfService Plus from a trusted device; after the specified number of days the trust expires and MFA is required again.
Cloud Application Login MFA
- Enable Passwordless Login: This setting allows users to access applications and the self-service portal without a password. Please refer to this page for more information.
Note: The 'Trust this browser' setting is disabled when Passwordless Login is enabled, to avoid a security loophole: skipping MFA on a trusted browser would leave no factor to verify. When Passwordless Login is enforced, the user has to authenticate each time they attempt to access the application.
- SSO-enabled applications login MFA process idle time limit is __: Enabling this setting sets a time limit within which users must finish the MFA process when logging in to SSO-enabled applications.
- Skip MFA and proceed with enrollment if the user is not enrolled: When this setting is enabled, users who log in for the first time without having enrolled are not forced through MFA; instead they are taken through enrollment. Until enrollment is completed, such logins are not protected by MFA.
- Keep a browser trusted for ___ day(s): When this option is enabled, users are not asked to go through MFA for the specified number of days when they log in from a trusted browser.
- Keep the "Trust this browser" option selected by default: When this option is enabled, the "Trust this browser" checkbox will be selected by default in the MFA verification screen.
Endpoint Settings
Machine Login MFA
- Machine Login MFA process idle time limit is _ mins: Enabling this setting will set a time limit for the authentication during Windows, macOS, or Linux login. For example, if you set the time limit to 3 minutes, users have to complete authentication using the methods enabled, within 3 minutes.
- Skip MFA when the ADSelfService Plus server is down or unreachable: Enable this option if you do not want users to be left stranded on the Windows, macOS, or Linux login screen during the MFA process when the ADSelfService Plus server is down or unreachable. Be aware, however, that this makes machine login MFA fail open: while the server is unreachable, whether through an outage or a deliberately blocked connection, logins succeed without the second factor, so it is not recommended. To avoid such outages, deploy ADSelfService Plus with High Availability or Load Balancing.
- Keep a machine trusted for ___ days: When this setting is enabled, users who have completed machine login MFA once can skip MFA on subsequent logins to that machine, so they are not prompted every time they lock and unlock it. The machine's trusted status is revoked after the specified number of days.
- Keep the Trust this machine option selected by default: By enabling this setting, you can keep the box next to Trust this machine checked on the MFA authentication screen by default.
MFA for OWA Login
- OWA login MFA process can be idle for __ mins: When this setting is enabled, the user session will expire if the user is idle for the specified time interval.
- Skip MFA when the ADSelfService Plus server is down or unreachable: Enable this option if you want to avoid situations where users can't access Outlook Web Access (OWA) or the Exchange admin center when the ADSelfService Plus server is down or unreachable. As with machine login, this makes OWA MFA fail open while the server is unreachable, which is not recommended. To avoid such outages, deploy ADSelfService Plus with High Availability or Load Balancing.
- Keep the "Trust this browser" option selected by default: By enabling this setting, you can keep the box next to "Trust this browser" checked on the MFA authentication screen by default.
- Expire trust for a browser after __ days: When this setting is enabled, users who have completed MFA for OWA once from a browser can skip MFA on subsequent logins to OWA or the Exchange admin center from that same browser. The browser's trusted status is revoked after the specified number of days.
VPN Login MFA
- Keep the VPN MFA session valid for __ minutes: Enabling this setting sets a time limit for the second-factor authentication during VPN login. For example, if you set it to 2 minutes, users must enter the code or approve the notification, depending on the authentication method enabled, within 2 minutes.
Note: If your VPN server allows you to configure the RADIUS timeout, set it to a value greater than the session time limit you configure here. Otherwise the VPN server gives up on the RADIUS request, and fails the login, before the user has had the full window to approve a push notification or enter a code.
- Skip MFA when ADSelfService Plus server is down or unreachable: Enable this option if you do not want users to be left stranded at the VPN login screen when the ADSelfService Plus server is down or unreachable. As with machine and OWA login, this makes VPN MFA fail open during an outage, so the High Availability or Load Balancing recommendation above applies here too.
- Skip MFA when the user is not enrolled for the required authenticators: Enable this option to let users who have not enrolled for the authentication methods enabled for VPN login skip MFA. Until such users enroll, their VPN logins are protected by the primary credential alone.
Q&A Settings
- Display _ Questions Out Of (Available list of Security Questions) at random. With this option, you can define the number of questions to be displayed to the end user. The questions will be randomly selected by ADSelfService Plus from the available list of security questions configured under Security Question and Answer Settings.
- Display _ AD Security Questions Out Of (Available list of AD Security Questions) at random. Select this option to specify the number of AD Security Questions to be asked during the identity verification process. The questions will be randomly selected by ADSelfService Plus from the available list of security questions configured under AD Security Questions Settings.
- Display Security Questions one by one. Checking this option will display the security questions one by one (i.e., one question per page).
- Display all Security Questions. Selecting this option will display all the security questions on a single page.
- Verify security question(s) answer as case sensitive. Selecting this option makes answer verification case sensitive, so 'Rex' and 'rex' are treated as different answers.
- Hide security answer during authentication. Selecting this option masks the answer field, as with a password field, while the user types the answer.
- Prevent a user from providing their username as answer. This will prevent users from using their username as an answer.
- Prevent a user from providing the same answer to multiple questions. This will prevent users from providing the same answer to multiple questions.
- Prevent a user from using any word of the question in their answers. This will prevent users from copying words in the questions as answers.
- Force users to use only English characters (a-z), numbers (0-9), and symbols. This will make sure that users use only alphanumeric characters and symbols in their answers.
- Store security answers using reversible encryption. Selecting this option stores the security answers in a recoverable form (effectively plain text) in the ADSelfService Plus database, and they can be viewed using the Security Questions and Answers report. Anyone with access to that report or to the database can read every user's answers, so choose this only if you must be able to view answers and have restricted that access accordingly.
- Store security answers using ___ algorithm. Select this option to hash the answers with MD5 or SHA-512 before storing them; hashed answers cannot be viewed in the report. MD5 is obsolete as a cryptographic hash, so choose SHA-512. Whatever the algorithm, a hash of a short or common answer is cheap to recover by dictionary guessing, which is why the answer rules above (no username, no reused answers, no words from the question) matter.
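The answer rules, case-sensitivity option and hashed storage described above, as an added illustrative example (this is not ADSelfService Plus code; the record format, the per-answer salt, the printable-ASCII definition of "English characters" and all function names are assumptions). The last function shows why the storage algorithm is the lesser concern: a dictionary attack on an unsalted hash of a short answer succeeds whether MD5 or SHA-512 was used.

```python
"""Security-answer policy checks and hashed storage (added example; not
ADSelfService Plus code). Models the Q&A settings above. The salt, the
'algorithm$salt$digest' record format and the names are assumptions."""
import hashlib
import hmac
import re
import secrets
from dataclasses import dataclass

# "English characters (a-z), numbers (0-9), and symbols" taken as printable ASCII.
ASCII_ONLY = re.compile(r"^[\x20-\x7e]+$")
WORD = re.compile(r"[A-Za-z0-9]+")


@dataclass
class AnswerPolicy:
    case_sensitive: bool = False    # "Verify security question(s) answer as case sensitive"
    no_username: bool = True        # "Prevent a user from providing their username as answer"
    unique_answers: bool = True     # "... the same answer to multiple questions"
    no_question_words: bool = True  # "... any word of the question in their answers"
    ascii_only: bool = True         # "Force users to use only English characters ..."


def _norm(text, policy):
    text = text.strip()
    return text if policy.case_sensitive else text.lower()


def policy_violations(username, qa_pairs, policy=None):
    """Return the rule violations for a list of (question, answer) pairs.
    An empty list means the enrollment would be accepted."""
    policy = policy or AnswerPolicy()
    problems = []
    seen = {}  # normalised answer -> question it was first used for
    for question, answer in qa_pairs:
        a = _norm(answer, policy)
        if policy.no_username and a == _norm(username, policy):
            problems.append(f"{question}: answer equals the username")
        if policy.no_question_words:
            qwords = {_norm(w, policy) for w in WORD.findall(question)}
            if any(_norm(w, policy) in qwords for w in WORD.findall(answer)):
                problems.append(f"{question}: answer reuses a word from the question")
        if policy.ascii_only and not ASCII_ONLY.match(answer):
            problems.append(f"{question}: answer contains non-ASCII characters")
        if policy.unique_answers and a in seen:
            problems.append(f"{question}: same answer as '{seen[a]}'")
        seen.setdefault(a, question)
    return problems


def hash_answer(answer, policy=None, algorithm="sha512"):
    """One-way storage. The page offers MD5 or SHA-512; default to SHA-512.
    The random salt is an assumption added here so equal answers do not
    produce equal records."""
    policy = policy or AnswerPolicy()
    if algorithm not in ("md5", "sha512"):
        raise ValueError("algorithm must be md5 or sha512")
    salt = secrets.token_hex(16)
    digest = hashlib.new(algorithm, (salt + _norm(answer, policy)).encode()).hexdigest()
    return f"{algorithm}${salt}${digest}"


def verify_answer(record, candidate, policy=None):
    """Constant-time comparison of a candidate against a stored record."""
    policy = policy or AnswerPolicy()
    algorithm, salt, digest = record.split("$")
    got = hashlib.new(algorithm, (salt + _norm(candidate, policy)).encode()).hexdigest()
    return hmac.compare_digest(got, digest)


def unsalted_hash(answer, algorithm="md5"):
    return hashlib.new(algorithm, answer.encode()).hexdigest()


def guess_unsalted(digest, algorithm, candidates):
    """Dictionary attack on an unsalted answer hash: returns the recovered
    answer or None. A pet name or city falls to this whatever the digest."""
    for c in candidates:
        if hmac.compare_digest(unsalted_hash(c, algorithm), digest):
            return c
    return None
```

Run the policy check at enrollment time and the verification at reset time; note that the case-sensitivity choice must be the same for both, since it changes what gets hashed.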
Verification Code Settings
Mail/Mobile Attributes
- Select the attribute you want to view from the Select Type dropdown.
- Click Add Attribute to add a new attribute that contains the users' email address or mobile number.
Secondary Email/Mobile Number
Others
- Set verification code length to ___ digits: Use this setting to set the number of digits in the verification code.
- Show 'Select Email ID/Mobile No.' in the mail/mobile dropdown list as default value: Enabling this option will show Select Email ID/Mobile No. as the default value in the email/mobile drop-down during identity verification.
- Partially hide Email ID/Mobile No. on MFA pages: This option will partially hide the email address and mobile number of the user during the identity verification process.

- Include admin/manager in CC of the identity verification email sent to users: Use this setting to include the user's manager or admin's email address in the CC line of the verification code email sent to the user. To achieve this,
- Check the box next to this setting.
- Enter the admin's email address in the Email ID field.
- Click Add Manager to include the email address of the user's manager.
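The verification-code settings above (configurable code length, the idle time limit from the earlier sections, one-time use, and partial hiding of the email address or mobile number) as an added illustrative example. This is not ADSelfService Plus code: the masking format, the length bounds and all names are assumptions, and the clock is passed in explicitly so the timeout path can be exercised deterministically.

```python
"""Verification-code lifecycle (added example; not ADSelfService Plus code).
Assumptions: masking format, 4..12 digit length bounds, all names."""
import hmac
import secrets
from dataclasses import dataclass


def mask_email(address):
    """Keep the first character and the domain: jdoe@example.com -> j***@example.com."""
    local, sep, domain = address.partition("@")
    if not sep or not local:
        raise ValueError("not an email address")
    return local[0] + "***@" + domain


def mask_mobile(number):
    """Keep the last two digits only."""
    digits = "".join(ch for ch in number if ch.isdigit())
    if len(digits) < 4:
        raise ValueError("not a mobile number")
    return "*" * (len(digits) - 2) + digits[-2:]


def mask_destination(dest):
    return mask_email(dest) if "@" in dest else mask_mobile(dest)


def new_code(length):
    """Uniformly random numeric code of the configured length."""
    if not 4 <= length <= 12:  # bounds are an assumption
        raise ValueError("unsupported code length")
    return str(secrets.randbelow(10 ** length)).zfill(length)


@dataclass
class VerificationSession:
    destination: str   # masked form shown on the MFA page
    code: str          # value sent to the real address
    issued_at: float   # seconds
    idle_limit: float  # seconds
    used: bool = False

    @classmethod
    def issue(cls, destination, length=6, idle_limit_min=5, now=0.0):
        return cls(mask_destination(destination), new_code(length), now, idle_limit_min * 60)

    def verify(self, candidate, now):
        """Return 'ok', 'used', 'expired' or 'invalid'. The code is consumed
        on success, and a code older than the idle limit never verifies."""
        if self.used:
            return "used"
        if now - self.issued_at > self.idle_limit:
            return "expired"
        if not hmac.compare_digest(self.code, candidate.strip()):
            return "invalid"
        self.used = True
        return "ok"
```

The expiry check runs before the comparison so that a late but correct code is still rejected, which is the behaviour the idle time limit settings describe.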
General
- Hide CAPTCHA: Enable this setting to hide the CAPTCHA on MFA pages. The CAPTCHA slows automated guessing of verification codes and security answers, so keep it visible on internet-facing deployments.
- Enable MFA Backup Verification Codes: Select this setting to enable the generation of the MFA backup codes that let end-users prove their identity when their MFA device or authenticator is unavailable.
About backup codes
These one-time use backup codes allow users to prove their identities in case their MFA device is not reachable or they are unable to use their enrolled MFA methods of authentication. Once the Enable one-time backup codes setting is enabled, the backup codes can be generated and end-users can enter them to authenticate themselves during machine or VPN logon, ADSelfService Plus portal login, or self-service actions. Backup codes can be generated in two ways:
- By the user: Users can generate backup codes in the ADSelfService Plus end-user portal. Five codes are generated each time the option is used, and each code can be used only once.
- By the admin: Admins can also generate backup codes for users who have enrolled for MFA using the Enrolled Users Report. This comes in handy when users have not generated their own backup codes and cannot use the enrolled MFA methods. Learn more.
Note:
- Users can use the backup codes during VPN logins only when RADIUS-challenge response-based authentication methods are used for VPN login MFA.
- During VPN login MFA, the generated backup code can be entered in the field provided for one-time passcodes at the VPN client.
- When identity verification is done using backup codes, the Trust this browser or Trust this machine option will not be considered.
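The backup-code behaviour described above (five codes per batch, each usable once, and no browser or machine trust when a backup code is used) as an added illustrative example. This is not ADSelfService Plus code; the 8-digit code format, SHA-256 storage of the codes, the assumption that a new batch replaces the previous one, and all names are assumptions not stated on this page.

```python
"""Backup-code issuance and redemption (added example; not ADSelfService
Plus code). Assumptions: 8-digit codes, SHA-256 storage, new batch
replaces the old one."""
import hashlib
import hmac
import secrets

CODES_PER_BATCH = 5  # the page: "A total of five codes are generated every time"
CODE_DIGITS = 8      # assumption


def _digest(code):
    # Only the hash is kept; the plaintext is shown to the user once.
    return hashlib.sha256(code.strip().replace(" ", "").encode()).hexdigest()


def generate_backup_codes(store, user):
    """Create a batch for `user`, keep only the hashes, return the plaintexts.
    The caller (the user in the portal, or an admin via the Enrolled Users
    Report) is the only place the plaintext ever appears."""
    codes = set()
    while len(codes) < CODES_PER_BATCH:
        codes.add(str(secrets.randbelow(10 ** CODE_DIGITS)).zfill(CODE_DIGITS))
    codes = sorted(codes)
    store[user] = {_digest(c) for c in codes}  # replaces any earlier batch (assumption)
    return codes


def remaining_codes(store, user):
    return len(store.get(user, ()))


def redeem_backup_code(store, user, code, trust_requested=False):
    """Return (accepted, trust_granted). A code is removed as soon as it is
    accepted, so replaying it fails. trust_granted is always False: the
    'Trust this browser' / 'Trust this machine' option is not considered
    when identity is verified with a backup code, whatever was requested."""
    unused = store.get(user)
    if not unused:
        return (False, False)
    h = _digest(code)
    match = next((u for u in unused if hmac.compare_digest(u, h)), None)
    if match is None:
        return (False, False)
    unused.remove(match)
    return (True, False)
```

Because only hashes are stored, a database or report leak does not yield usable codes; and because each match deletes the hash, the same code cannot be replayed even within a single login session.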
