As an administrator, you can force users to use their corporate Microsoft AAD account to sign in or to use multifactor authentication (MFA) for their custom account. You can enforce these account types when inviting new users, but it is also possible to change the account types for existing users.
Restrict account type - new users
When inviting the user, you have 3 options under Account type restriction:
- Any
The user will have no account type restriction. After accepting the invitation, the user can choose the account type they wish to use: a custom account or an account linked to their Microsoft AAD. If the user opts for a custom account, it is also up to them to choose whether to enable MFA.
- Microsoft Azure AD
With this option, you force the user to use their corporate (Microsoft AAD) account to sign in. After accepting the invitation, the user will only be able to select the account type Microsoft Azure AD.
- Custom with MFA
With this option, you force the user to only use an account with MFA enabled. The user will not be able to disable MFA. After accepting the invitation, the user will only be able to select Create account or Sign in.
Microsoft Azure AD is recommended whenever this is possible for the invited user. The main advantage of this account type is that if the user leaves the organization, they lose access to the Priva Digital Services as soon as their corporate AAD account is disabled or deleted, without having to be removed from Access Control first. Note that, even though this person no longer has access to the Priva Digital Services, they will still be listed as a user in Access Control.
If Microsoft Azure AD is not possible for the invited user, it is recommended to force them to create a Custom with MFA account to enforce extra security.
Restrict account type - existing users
It is also possible to change the account type for existing users: go to the page of a user > click on the three dots > Change account type / Enforce MFA. There are 3 options:
- Change account type (to AAD): Custom account (with or without MFA) > Microsoft Azure AD
- Change account type (to MFA): Custom account without MFA > Custom account with MFA enforced
- Enforce MFA: Custom account with MFA enabled by user > Custom account with MFA enforced
When you change the account type (to AAD/MFA), the user will receive an email invitation to configure the new account. The current account will be disabled either within 14 days or immediately, depending on the administrator's choice.
When you enforce MFA for a user who has already enabled MFA themselves, that user will no longer be able to disable MFA in their profile. The user will not need to configure a new account as with the 'change account type' option; only a notification email will be sent to inform the user of the change.