Administrator Enrollment

Specops Authentication for MFA for Windows allows administrators to enroll users to the system, without requiring users to go through the enrollment process. This can be achieved with any identity service that has identifier information stored in Active Directory.

  • Before using this guide, you need:
  • Basic knowledge of PowerShell
  • PowerShell 4.0 or later
  • Specops Authentication for MFA for Windows configured with an active Gatekeeper
  • Specops Authentication for MFA for Windows admin group membership
  • The Specops Authentication for MFA for Windows PowerShell module – installed with the administration tools C:\Windows\System32\WindowsPowerShell\v1.0\Modules\Specops.Authentication.Gatekeeper.Admin

Identity services for enrollment

Administrators can enroll with the following identity services:

  • Personal Email
  • Mobile Code
  • Secret Questions
  • Yubikey
  • Mobile Bank ID
  • Google

Cmdlets

The cmdlets can be used by administrators when managing users, or enrolling them in batches in Specops Authentication for MFA for Windows.

To import the module, run the following command in PowerShell on your Gatekeeper server:

Copy 
import-module specops.authentication.gatekeeper

Add-SpecopsAuthenticationIdentityServiceEnrollment

Takes the parameters Username, IdentityServiceId, and EnrollmentProof. Can be used to enroll with all identity services except: Secret Questions, Duo Security, Specops Fingerprint, Authenticators, Manager Identification, Symantec VIP, LinkedIn, and Windows Identity.
Use the Get-SpecopsAuthenticationIdentityServices cmdlet to find the IdentityServiceId of your Identity Service.

Usage example:

Copy 

            Add-SpecopsAuthenticationIdentityServiceEnrollment -Username mySamAccountName -IdentityServiceId <span class="mc-variable ID_Services.google variable">Google</span> -EnrollmentProof MyGoogleAccount
Mobile Code (SMS) admin enrollment

Mobile Code (SMS) admin enrollment requires updating the mobile attribute on the user object and the enrollment data in the leaf object. An administrator can update the mobile attribute on a user account from the Active Directory management tool, or with PowerShell. If you use the default mobile phone attribute, use the following command:

Copy 
Set-ADUser -Identity user0020 -MobilePhone '+1-202-555-0191'

If you store the mobile number in a custom attribute, you need to supply that attribute instead. If, for example, the mobile number is in the otherMobile attribute, you can use the following command:

Copy 
Set-ADUser -Identity user0020 -Replace @{otherMobile='+1-202-555-0191'}

For Gatekeeper Admin Tool 8.23 and later: after updating the mobile attribute you can use PowerShell to add the proof in the leaf object.

Copy 
Add-SAMobileCodeEnrollment -Username jane.doe -MobileNumber +123 -GatekeeperServer dc02.subaru.local

For Gatekeeper Admin Tool 8.22 and earlier: after updating the mobile attribute you can use PowerShell to add the proof in the leaf object.

Copy 
Add-SpecopsAuthenticationIdentityServiceEnrollment -username user0020 -IdentityServiceId MobileCode -EnrollmentProof +12025550191
admin enrollment

Usage example:

Copy 
Add-SpecopsAuthenticationIdentityServiceEnrollment -username user0020 -IdentityServiceId AlternateEmail -EnrollmentProof user@domain.com

                            
Add-SpecopsAuthenticationQuestionsEnrollment

                            

			Takes the parameters Username, Answers and Language. Language is an
			optional 2-digit language code. Answers takes an array of questions and
			answers.


                            
Usage example:

                            
Copy
                                
$questionsAndAnswers = @{"Question"="Who are you?"; "Answer"="No one"},@{"Question"="Why are you here?"; "Answer"="I am not"}
            Add-SpecopsAuthenticationQuestionsEnrollment –Username mySamAccountName –Answers $questionsAndAnswers

                                

                            

                            
Get-SpecopsAuthenticationEnrollment

                            
Lists the identity services that a user is enrolled with.

                            
Usage example:

                            
Copy
                                
Get-SpecopsAuthenticationEnrollment -Username mySamAccountName

                                

                            

                            
Get-SpecopsAuthenticationIdentityServices

                            

			Lists all identity services available in your
	Specops Authentication
			subscription.


                            
Usage example:

                            
Copy
                                
Get-SpecopsAuthenticationIdentityServices

                                

                            

                            
Remove-SpecopsAuthenticationEnrollment

                            

			Removes all enrolled identity services from a user, except automatically
			enrolled ones, like Windows Identity, Duo Security, Manager Identification
			or Symantec VIP.


                            
Usage example:

                            
Copy
                                
Remove-SpecopsAuthenticationEnrollment -Username mySamAccountName

                                

                            

                            
Remove-SpecopsAuthenticationIdentityServiceEnrollment

                            
Removes an identity service enrollment from a user.

                            
Usage example:

                            
Copy
                                
Remove-SpecopsAuthenticationIdentityServiceEnrollment -Username mySamAccountName -IdentityServiceId Fingerprint