How to Set Authentication Security Options
You can configure additional authentication security setting in the Admin Portal. The following configuration options are available from Settings > Authentication > Security Settings:
-
Use the Securely capture users’ passwords at login check box to capture user passwords using strong encryption.
After this option is enabled, Privileged Access Service captures user passwords (using symmetric encryption with AES algorithm) the next time theylog in. By default, Privileged Access Service does not capture userpasswords. However, you might want to capture user passwords to supportaccount mapping options for user password applications or to provision userpasswords for supported applications. Unless capturing user passwords isrequired for a specific feature, Delinea recommends leaving this feature disabled.
-
Use the Enable forgot username self-service at login check box to allow users to retrieve their forgotten username. Users will be prompted to enteran email address to which the username will be sent if a Privileged AccessService account is found that matches the email address. Refer to How to Customize the Admin and Login Window for more information aboutcustomizing the email message sent to users when they try to retrieve their username(s).
-
Use the Send email notification to users when password is changed option to send an automated email after users reset their Privileged Access Service password via the forgot password process.
-
Use the Additional Attributes for MFA options to configure additional attributes (such as other mobile phone, other home phone, other office phoneand other email addresses) for multi factor authentication (MFA). SeeConfiguring Additional Attributes for MFA.
-
Use the Specify trusted DNS domains for API calls option to specify trusted domain names (for example your company domain, internet serviceprovide domains like AT&T, etc.) that can make calls to Privileged AccessService APIs. If calls are made from domains not listed here, the call will fail.
Configuring Additional Attributes for MFA
When you define the attributes using the Additional Attributes for MFA options, Privileged Access Service maps these additional attributes to Admin Portal and uses their values for MFA notification.
To add attributes:
-
Log in to Admin Portal.
-
Click Settings > Authentication > Security Settings > Add button in the Additional Attributes for MFA area.
-
Select an attribute from the drop-down list.
Use the Custom attribute for other phone numbers, such as fax or IP phone. When you use the Custom attribute, the attribute name must matchone in the Attr LDAP Name column as shownhere.
-
Provide the relevant information based on the selected attribute.
-
Click Add.
The attribute is added to the associated table.
-
Click Save.
We import all Active Directory user attributes, but we only monitor and accept updates for the attributes listed in the following table.
| Attributes | Attributes | Attributes |
|---|---|---|
accountExpires
|
lockoutTime
|
otherMobile
|
c
|
mail
|
pager
|
cn
|
manager
|
primaryGroupID
|
co
|
member
|
postalCode
|
countryCode
|
memberOf
|
postOfficeBox
|
directReports
|
mobile
|
pwdlastset
|
distinguishedName
|
name
|
sAMAccountName
|
displayName
|
otherPager
|
sn
|
givenName
|
otherTelephone
|
st
|
groupType
|
otherMailbox
|
streetAddress
|
homePhone
|
otherFacsimileTelephoneNumber
|
userAccountControl
|
I
|
otherHomePhone
|
userPrincipalName
|
ipPhone
|
otherIpPhone
|
telephoneNumber
|
wWWHomePage
|
The following table lists the Active Directory user attributes used by Office 365. Some of these attributes are duplicated in the above table.
| Attributes | Attributes | Attributes |
|---|---|---|
assistant
|
msExchArchiveName
|
msExchSenderHintTranslations
|
authOrig
|
msExchAssistantName
|
msExchTeamMailboxExpiration
|
c
|
msExchAuditAdmin
|
msExchTeamMailboxSharePointUrl
|
cn
|
msExchAuditDelegate
|
msExchUsageLocation
|
co
|
msExchAuditDelegateAdmin
|
msExchUserHoldPolicies
|
company
|
msExchAuditOwner
|
msRtcSip-ApplicationOptions
|
countryCode
|
msExchBlockedSendersHash
|
msRtcSip-DeploymentLocator
|
department
|
msExchBypassAudit
|
msRtcSip-Line
|
description
|
msExchBypassModerationFromDLMembersLink
|
msRtcSip-OptionFlags
|
displayName
|
msExchBypassModerationLink
|
msRtcSip-OwnerUrn
|
dLMemRejectPerms
|
msExchDelegateListLink
|
msRtcSip-PrimaryUserAddress
|
dLMemSubmitPerms
|
msExchElcExpirySuspensionEnd
|
msRtcSip-UserEnabled
|
extensionAttribute1
|
msExchElcExpirySuspensionStart
|
objectGUID
|
extensionAttribute2
|
msExchElcMailboxFlags
|
objectSid
|
extensionAttribute3
|
msExchEnableModeration
|
otherFacsimileTelephoneNumber
|
extensionAttribute4
|
msExchExtensionCustomAttribute1
|
otherHomePhone
|
extensionAttribute5
|
msExchExtensionCustomAttribute2
|
otherIPPhone
|
extensionAttribute6
|
msExchExtensionCustomAttribute3
|
otherMobile
|
extensionAttribute7
|
msExchExtensionCustomAttribute4
|
otherPager
|
extensionAttribute8
|
msExchExtensionCustomAttribute5
|
otherTelephone
|
extensionAttribute9
|
msExchHideFromAddressLists
|
pager
|
extensionAttribute10
|
msExchImmutableId
|
physicalDeliveryOfficeName
|
extensionAttribute11
|
msExchLitigationHoldDate
|
postalCode
|
extensionAttribute12
|
msExchLitigationHoldOwner
|
postOfficeBox
|
extensionAttribute13
|
msExchMailboxAuditEnable
|
preferredLanguage
|
extensionAttribute14
|
msExchMailboxAuditLogAgeLimit
|
proxyaddresses
|
extensionAttribute15
|
msExchMailboxGuid
|
publicDelegates
|
facsimileTelephoneNumber
|
msExchModeratedByLink
|
pwdLastSet
|
givenName
|
msExchModerationFlags
|
samaaccountname
|
homePhone
|
msExchRecipientDisplayType
|
sn
|
info
|
msExchRecipientTypeDetails
|
st
|
initials
|
msExchRemoteRecipientType
|
streetAddress
|
IPPhone
|
msExchRequireAuthToSendTo
|
targetAddress
|
legacyExchangeDN
|
msExchResourceCapacity
|
telephoneAssistant
|
mail
|
msExchResourceDisplay
|
telephoneNumber
|
manager
|
msExchResourceMetadata
|
thumbnailPhoto
|
middleName
|
msExchResourceSearchProperties
|
title
|
mobile
|
msExchRetentionComment
|
userAccountControl
|
msDS-HABSeniorityIndex
|
msExchRetentionURL
|
userCertificate
|
msDS-PhoneticDisplayName
|
msExchSafeRecipientsHash
|
userSMIMECertificate
|
msExchArchiveGuid
|
msExchSafeSendersHash
|
wWWHomePage
|
