Enable secondary authentication on SPP group

Hello,

I'm using One Identity Defender to enable the 2FA in Safeguard for Privileged Password.

I enabled the secondary authentication option in the Active Directory group's authentication tab on SPP but the users are still able to login without the OTP.

If I enable the secondary authentication on the single user it works fine.

Is there a workaround to enable that for many users all at once?

Top Replies

Tawfiq.Ahmad over 1 year ago +1 verified

HI Daniele,

If you enable it for a new AD Group where the users have not been imported already in SPP, does that work?

It seems if the AD group is modified after the users have already been imported might…
tim westcott over 1 year ago in reply to Tawfiq.Ahmad +1 verified

Simplest fix if you have existing users in your AD group. is make the change to group to use 2FA, delete all the users in the group and then let them re-import/synchronise. HAs worked for me in the past…

Parents

+1 Tawfiq.Ahmad over 1 year ago

HI Daniele,

If you enable it for a new AD Group where the users have not been imported already in SPP, does that work?

It seems if the AD group is modified after the users have already been imported might not update existing users.

You could utilize the Core API to enable it for each user in bulk possibly, otherwise, if deleting the users is an option (this will remove any associated entitlements too so be careful) and adding them back via the AD group but having set the setting on the AD Group before adding these users back is another option?

Thanks!
Cancel
Up +1 Down

Reply

Reject Answer

Cancel

Reply

+1 Tawfiq.Ahmad over 1 year ago

HI Daniele,

If you enable it for a new AD Group where the users have not been imported already in SPP, does that work?

It seems if the AD group is modified after the users have already been imported might not update existing users.

You could utilize the Core API to enable it for each user in bulk possibly, otherwise, if deleting the users is an option (this will remove any associated entitlements too so be careful) and adding them back via the AD group but having set the setting on the AD Group before adding these users back is another option?

Thanks!
Cancel
Up +1 Down

Reply

Reject Answer

Cancel

Children

+1 tim westcott over 1 year ago in reply to Tawfiq.Ahmad

Simplest fix if you have existing users in your AD group. is make the change to group to use 2FA, delete all the users in the group and then let them re-import/synchronise. HAs worked for me in the past. Cannot speak or latest releases but I would assume it would be the same.

Core API works as well but for me takes a lot more time to implement.

Good luck Tim
Cancel
Up +1 Down

Reply

Verify Answer

Reject Answer

Cancel

Endpoint Privilege Management

Enable secondary authentication on SPP group

Top Replies