If you want to lock the user’s Questions and Answers profile after several failed authentication attempts, place the Lock Q&A profile activity before the Restart workflow if error occurs activity in a workflow. The Lock Q&A profile activity locks the profile when the total number of attempts to authenticate the user by using any of the following activities equals or exceeds the lockout threshold value:
By default, the Lock Q&A profile activity is included in the Forgot My Password and Unlock My Account workflows.
IMPORTANT: If the user’s Q&A profile gets locked, all tasks on the Self-Service site will be unavailable to the user. In this case, the user must contact the help desk to obtain a passcode and unlock the Q&A profile.
This activity has the following settings:
Depending on legislation requirements, organizations may be required to explicitly obtain users’ consent to store the personal information that is held in the Questions and Answers profile.
You can use this activity to have the Self-Service site ask users to agree that Password Manager will store their personal information.
For example, you can use this activity in the My Questions and Answers Profile workflow; it is recommended to place the activity after authentication activities and before the Edit Q&A profile activity.
To configure the Display user agreement activity
This activity is performed when an error occurs during workflow execution. In this case, the activity reruns any self-service workflow from the very beginning. If a critical error occurs (user’s account or Q&A profile gets locked, or Active Directory is not available during workflow execution), then the Restart workflow if error occurs activity is skipped and the workflow stops.
It is recommended to place this activity before the notification activities in a workflow.
You do not need to configure this activity.
If client computers use BitLocker Drive Encryption, users may need BitLocker recovery keys if they are locked out of their computers.
Note: to retrieve BitLocker recovery keys via Password Manager, BitLocker must be configured to store recovery information in AD DS. For more information, see.
To retrieve a recovery key, users should use the Issue BitLocker Recovery Key activity. You can create a new workflow and add this activity to the workflow. On the Self-Service site, when performing the corresponding task, users will be prompted to enter the recovery key ID displayed by their BitLocker-enabled computers. After entering the recovery key ID, users will receive the recovery key that they need to enter on their computers to unlock them.
If you have Microsoft BitLocker Administration and Monitoring (MBAM) installed in your environment, specify the URL of the MBAM Administration Service and the account used to access it in the activity settings so that Password Manager can use MBAM.
If you use MBAM with Password Manager, then when retrieving BitLocker recovery keys, Password Manager can verify that the user is associated with the computer for which the recovery key is requested. If the user is associated with that computer, the recovery key is issued; otherwise, the user is not allowed to obtain the recovery key.
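As an added example (this is not code from the Password Manager documentation or product), the PowerShell below checks the AD DS precondition from the note above, resolves a recovery password from the key ID a user reads off the BitLocker recovery screen, and refuses to issue it unless the requesting user is associated with the computer, mirroring the MBAM check just described. Assumptions: the RSAT ActiveDirectory module is installed, the account running it can read msFVE-RecoveryInformation objects, and the computer object's managedBy attribute stands in for MBAM's own user-to-computer association (MBAM keeps that data in its database; adapt Test-UserComputerAssociation to your environment). All names in the usage line are constructed.

```powershell
# Added example, not part of the Password Manager documentation.
# Assumes RSAT ActiveDirectory and read access to msFVE-RecoveryInformation objects.
Import-Module ActiveDirectory

function Get-BitLockerRecoveryInfo {
    # Returns every recovery object stored under the computer object in AD DS.
    param([Parameter(Mandatory)] [string] $ComputerName)

    $computer = Get-ADComputer -Identity $ComputerName
    Get-ADObject -Filter 'objectClass -eq "msFVE-RecoveryInformation"' `
                 -SearchBase $computer.DistinguishedName -SearchScope OneLevel `
                 -Properties 'msFVE-RecoveryGuid', 'msFVE-RecoveryPassword', 'whenCreated' |
        ForEach-Object {
            [pscustomobject]@{
                ComputerName     = $ComputerName
                # msFVE-RecoveryGuid is a 16-byte octet string; the BitLocker
                # recovery screen shows the same value formatted as a GUID.
                KeyId            = ([guid]::new([byte[]]$_.'msFVE-RecoveryGuid')).ToString()
                BackedUp         = $_.whenCreated
                RecoveryPassword = $_.'msFVE-RecoveryPassword'
            }
        }
}

function Test-BitLockerAdBackup {
    # True when at least one recovery object exists for the computer, i.e. the
    # "store recovery information in AD DS" requirement is met for this machine.
    param([Parameter(Mandatory)] [string] $ComputerName)
    return [bool](Get-BitLockerRecoveryInfo -ComputerName $ComputerName)
}

function Test-UserComputerAssociation {
    # Assumption: the computer's managedBy attribute names its user. This is a
    # stand-in for the MBAM user-to-computer association, not MBAM's own lookup.
    param(
        [Parameter(Mandatory)] [string] $UserName,
        [Parameter(Mandatory)] [string] $ComputerName
    )
    $managedBy = (Get-ADComputer -Identity $ComputerName -Properties ManagedBy).ManagedBy
    $userDn    = (Get-ADUser -Identity $UserName).DistinguishedName
    return ($null -ne $managedBy) -and ($managedBy -eq $userDn)
}

function Resolve-BitLockerRecoveryPassword {
    # Issues the recovery password only when the key ID matches a stored object
    # under the computer AND the requesting user is associated with that computer.
    param(
        [Parameter(Mandatory)] [string] $UserName,
        [Parameter(Mandatory)] [string] $ComputerName,
        [Parameter(Mandatory)] [string] $KeyId   # full GUID, or its leading characters
    )
    if (-not (Test-BitLockerAdBackup -ComputerName $ComputerName)) {
        throw "No BitLocker recovery information in AD DS for $ComputerName; check the backup-to-AD DS policy and run 'manage-bde -protectors -adbackup' on the client."
    }
    if (-not (Test-UserComputerAssociation -UserName $UserName -ComputerName $ComputerName)) {
        throw "$UserName is not associated with $ComputerName; recovery key not issued."
    }
    $prefix = $KeyId -replace '[{}]', ''
    $found  = Get-BitLockerRecoveryInfo -ComputerName $ComputerName |
              Where-Object { $_.KeyId -like "$prefix*" }
    if (-not $found) {
        throw "Key ID '$KeyId' does not match any recovery object under $ComputerName."
    }
    # Audit the issuance; the password itself is never written to the log.
    Write-Verbose "Issued BitLocker recovery password for $ComputerName (key $($found.KeyId)) to $UserName"
    return $found.RecoveryPassword
}

# Usage with constructed names:
# Resolve-BitLockerRecoveryPassword -UserName jdoe -ComputerName LAPTOP01 -KeyId 1A2B3C4D -Verbose
```

Test-BitLockerAdBackup is the quick check to run before enabling the Issue BitLocker Recovery Key activity for a set of computers: a computer with no recovery objects under it either has not been encrypted or was encrypted before the "Save BitLocker recovery information to AD DS" setting (under Choose how BitLocker-protected operating system drives can be recovered in the BitLocker Drive Encryption policy) applied; in the latter case, manage-bde -protectors -adbackup on the client pushes the existing protector into AD DS. The order of checks in Resolve-BitLockerRecoveryPassword is deliberate: the association test runs before any recovery object is touched, so a caller who only knows a key ID learns nothing about keys for computers that are not theirs.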