ManageEngine ADSelfService Plus License
ADSelfService Plus is an integrated Active Directory Self-Service Password Management and Single Sign-on Solution. This licensed solution reduces password-related help desk calls, increases employee productivity, and improves security.
Self-service password reset software
When the number of password reset tickets increases, IT teams often push more critical issues down the queue so users don’t have to put their work on hold for too long while their passwords are reset. Left unchecked, these tickets can become hard to keep up with, since close to 30% of all help desk tickets are caused by forgotten passwords. Unsurprisingly, several large businesses have spent over $1 million trying to resolve password-related help desk calls.
The licensed ManageEngine ADSelfService Plus is an identity security solution with multi-factor authentication (MFA), single sign-on, and self-service password management capabilities that can eliminate password reset tickets. Simply put, whether it’s a forgotten Microsoft 365 or Active Directory (AD) password, ADSelfService Plus allows users to reset their passwords on their own without IT assistance.
How Self-Service Password Reset Works
- A user who has forgotten their password initiates a password reset request from the ADSelfService Plus web portal login screen, their computer login screen, or the ADSelfService Plus mobile app.
- ADSelfService Plus verifies the enrollment status and policy settings that apply to the user and presents the user with the relevant MFA authenticators from a list of 19 different supported MFA authenticators.
- After successful identity verification, the user will be presented with the password reset screen where they can reset their password using the displayed password policies.
- Once the password is reset, ADSelfService Plus will update AD with the new password.
- The user will then be informed about the status of the password reset process via email, SMS or push notification. The user can then log into their account using the newly reset password.
Strict MFA techniques to protect password recovery
ADSelfService Plus allows administrators to activate a preconfigured authentication workflow as soon as users initiate a self-service password reset request. This licensed solution offers 19 different authentication techniques, including biometrics and YubiKey, to authenticate users during self-service password reset and account unlock. Some users have access to sensitive company data, and if their accounts are compromised, the result can be disastrous. To counter this, ADSelfService Plus allows administrators to enforce different types of authentication for different types of users.
Advanced conditional access criteria to improve security
The ADSelfService Plus Conditional Access Policy allows administrators to set context-based rules that tighten or relax the authentication flow set for self-service password reset. Authentication factors are modified based on the user’s IP address, time of request, device used, and geolocation. For example, if a self-service password reset request is received from an untrusted IP address, the user may be required to pass three identity verification factors, with the mandatory factor being a biometric factor.
Automate access decisions with conditional access
The remote work model has proven beneficial to organizations and employees and is here to stay. As remote users are more susceptible to cyberattacks, strict security measures such as Multi-Factor Authentication (MFA) should be applied to prevent data breaches. However, enforcing a strict organization-wide access policy such as MFA can have negative effects on the user experience. While two- or three-factor authentication can secure remote logins, it can be an unnecessary hassle for on-premises users who are already secure at the office perimeter. A more efficient approach is to apply context-based access policies. The licensed ManageEngine ADSelfService Plus conditional access helps organizations:
- Implement access control without the involvement of an IT administrator.
- Improve the security state of an organization without affecting the user experience.
What is conditional access?
Conditional access implements a set of rules that analyze various risk factors, such as the user’s IP address, login time, device, and geolocation, to enforce automated access control decisions. Decisions are implemented in real time based on user risk factors to avoid unnecessarily stringent security measures imposed in risk-free scenarios. This ensures an improved user experience without compromising security.
Some of the common scenarios and corresponding security measures that can be applied with Conditional Access include:
- Require multi-level verification for privileged users.
- Require MFA for offsite access to critical business applications for all employees.
- Block access to high-risk actions such as password reset requests from untrusted IP addresses or unknown devices.
How does a conditional access policy work?
Before learning how conditional access works, let’s take a look at the basics of creating a conditional access rule:
Conditions are the factors that can strengthen or compromise the security of the organization. ADSelfService Plus allows you to configure conditions based on the following risk factors:
- IP address (trusted and untrusted)
- Device (device type and platform)
- Working hours (working hours and non-working hours)
- Geolocation (based on the origin of the request)
After configuring the conditions, the criteria can be built by combining them with operators such as AND, OR or NOT. These criteria are what is linked to the access policy.
The policies are then associated with a preconfigured access policy, called a self-service policy in ADSelfService Plus. IT administrators can create self-service policies and enable specific features for users belonging to particular domains, organizational units (OUs) and groups.
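The chain of conditions, criteria and access policy described above can be modelled as follows. This is an added illustration, not ADSelfService Plus code or its configuration format; the network range, platform names, country codes, working hours, rule order and factor counts (apart from the three-factor biometric case taken from the text) are constructed assumptions.

```python
import ipaddress
from datetime import time

# Constructed sample values for illustration; not product defaults.
TRUSTED_NETS = [ipaddress.ip_network("10.0.0.0/8")]
KNOWN_PLATFORMS = {"windows", "macos"}
ALLOWED_COUNTRIES = {"US", "IN"}

def trusted_ip(req):
    try:
        addr = ipaddress.ip_address(req["ip"])
    except ValueError:
        return False  # fail closed: an unparseable address is untrusted
    return any(addr in net for net in TRUSTED_NETS)

# Conditions: one predicate per risk factor listed in the text.
CONDITIONS = {
    "trusted_ip": trusted_ip,
    "known_device": lambda r: r["platform"] in KNOWN_PLATFORMS,
    "working_hours": lambda r: time(9, 0) <= r["time"] < time(18, 0),
    "allowed_geo": lambda r: r["country"] in ALLOWED_COUNTRIES,
}

def evaluate(criteria, req):
    """Criteria are a condition name or a tuple ("AND"|"OR"|"NOT", operand, ...)."""
    if isinstance(criteria, str):
        return CONDITIONS[criteria](req)
    op, *args = criteria
    if op == "NOT" and len(args) == 1:
        return not evaluate(args[0], req)
    if op == "AND" and args:
        return all(evaluate(a, req) for a in args)
    if op == "OR" and args:
        return any(evaluate(a, req) for a in args)
    raise ValueError(f"malformed criteria: {criteria!r}")

# Ordered rules, first match wins: (criteria, authentication flow to apply).
RULES = [
    (("AND", ("NOT", "trusted_ip"), ("NOT", "known_device")), {"action": "block"}),
    (("NOT", "trusted_ip"), {"action": "mfa", "factors": 3, "mandatory": "biometric"}),
    (("OR", ("NOT", "working_hours"), ("NOT", "allowed_geo")), {"action": "mfa", "factors": 2}),
]
DEFAULT = {"action": "mfa", "factors": 1}

def decide(req):
    """Return the flow for a password reset request described by req."""
    for criteria, flow in RULES:
        if evaluate(criteria, req):
            return flow
    return DEFAULT
```

Rule order matters in this model: the block rule is listed before the step-up rule so that a request failing both the IP and device conditions is never offered an MFA path.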