ARS 2FA Users group
After the Starling Join operation is completed successfully, the ARS 2FA Users group is generated and displayed in the Builtin Container by default. All members of the 2FA group have the Starling Two-Factor Authentication User Access template applied by default.
Pre-requisites to use One Identity Starling 2FA
Active Roles users who can use the Starling Two-factor Authentication feature must satisfy the following conditions:
- The Active Roles users must be members of the ARS 2FA Users group.
- The Active Roles users must have Starling Two-Factor Authentication User Access template permissions applied.
- The Active Roles users must have their mobile number and Email address properties populated.
For information on the mobile number formats that are allowed, see the One Identity Starling User Guide on https://support.oneidentity.com/technical-documents.
Allowing two-factor authentication for Active Roles users
To allow Active Roles users to use two-factor authentication, add the users to the ARS 2FA Users group. Adding the users to the ARS 2FA Users group enables the minimal permissions on the users through the Starling - Two Factor Authentication User Access template to authorize the users for two-factor authentication.
In case of multiple managed domains, the ARS 2FA Users group must be created manually in each of the domains and the Starling - Two Factor Authentication User Access template must be applied on the group.
Steps to create ARS 2FA Users group manually
- Create the ARS 2FA Users group in the Builtin container.
- Apply the Starling - Two Factor Authentication User Access template to the Domain.
- Run the following command in the Active Roles Management Shell:
new-QARSAccessTemplateLink -AccessTemplate 'CN=All Objects - Read All Properties,CN=Active Directory,CN=Access Templates,CN=Configuration' -DirectoryObject 'CN=Starling Configuration,CN=Configuration' -Trustee 'Domain\ARS 2FA Users' -Proxy
- Add AD users to the group.