As an administrator, you can ensure that a user you invite can only create the account type you want. When inviting the user, you have 3 options under Account type restriction:
- Any
The user will have no account type restriction. After accepting the invitation, the user can choose the account type they wish to use: a custom account or an account linked to their Microsoft AAD. If the user opts for a custom account, it is also up to them to choose whether to enable MFA.
- Microsoft Azure AD
With this option, you require the user to sign in with their corporate (Microsoft AAD) account. After accepting the invitation, the user will only be able to select account type Microsoft Azure AD (more info).
- Custom with MFA
With this option, you require the user to use an account with MFA enabled. The user will not be able to disable MFA. After accepting the invitation, the user will only be able to select Create account or Sign in (more info).
Microsoft Azure AD is recommended if this is possible for the invited user. The main advantage of this account type is that if the user leaves the organization, they immediately lose access to the Priva Digital Services as soon as their corporate AAD account is disabled or deleted, without necessarily being removed in Access Control. Note that, even though this person no longer has access to the Priva Digital Services, this person will still be listed as a user in Access Control.
If Microsoft Azure AD is not possible for the invited user, it is recommended to require them to create a Custom with MFA account for extra security.
Account types of existing users
The above applies to adding new users.
If you want existing users to stop using custom accounts and use their corporate account (Microsoft Azure AD) instead, you will need to delete these users and then add them again with the account type restriction applied.
If you want existing users with custom accounts to start using MFA, you can either ask these users to enable it themselves in their profile (more info), or delete these users and then add them again with the account type restriction applied.
Priva is currently working on a less time-consuming solution to change the account types of existing users.