Account Access Integration - Active Directory
Moveworks' Account Access skill provides employees secure, self-service ways for users to resolve their login issues and can be integrated with Active Directory to do so.
Processes that involve sensitive actions, such as password resets, often require direct integration with an organization’s identity management systems and adherence to strict security protocols.
Therefore Moveworks does not handle nor ask for user's password directly in chat, and instead will link out to the relevant portal(s) and/or provide instructions.
Active Directory
Unlock Account
When a user is locked out of their identity and access management (IDAM system), Moveworks can notify them of the issue and offer solutions, all in chat.
Configuration options
Moveworks limits users to three self-service account unlock per day. The amount of account unlocks users can request daily can be configured.
Behind the Scenes
In order to notify locked out users, Moveworks queries for all active users in the last two weeks every 30 seconds. The service account is owned and managed by your organization, and user credentials do not leave your organizations environment. The service account credentials can optionally be stored within Azure Key Vault or AWS Secrets Manager.
The Moveworks Agent leverages LDAP(s) to connect to your Active Directory system and polls for active users using this query:
(&(objectClass=user)(objectCategory=person)(mail=*)(lockoutTime>=$SINCE)(lockoutTime<=$UNTIL)(!(useraccountcontrol:1.2.840.113556.1.4.803:=2))(|(lastLogon>=$LAST_LOGIN_AFTER)(lastLogonTimestamp>=$LAST_LOGIN_AFTER})))
$SINCE
= Current time in UTC minus 30 seconds.$UNTIL
= Current time in UTCuseraccountcontrol
= Checks whether the account has been explicitly locked by an admin$LAST_LOGIN_AFTER
= Current time in UTC minus 2 weeks
Once the bot gets a list of users, it checks the Control Bits per Microsoft Documentation on User Account Control to ensure they are locked out, and whether they are still a valid enabled user.
FAQ
Q: How is user identity being verified?
A: The user’s identity is verified based on an active Microsoft Teams session on a device that they own. Any additional security policies may be applied on the Microsoft Teams side.
Q: How do you prevent accounts to not unlock for a specific group?
A: Moveworks can configure user attribute-based rules to limit who has the ability to unlock an account. Additionally, your Active Directory team can configure the service account to limit the kind of user accounts eligible for unlocking by Moveworks.
Q: Who owns this process?
A: Moveworks owns the business logic for the Unlock Account feature, and the conversation workflow. Your organization continues to own the AD Agent, which Allows Moveworks to connect to AD, and service account.
Password Expiry Reminders
When employee’s passwords are about to expire, Moveworks can send a notification letting them know when exactly their password will expire, and provide detailed self-service instructions with links to help them reset their password.
Behind the Scenes
In order to remind users of their expiring passwords, Moveworks polls your organization’s AD instance every four hours. This is done with one of two attributes: msDS UserPasswordExpiryTimeComputed
or pwdLastSet
.
For passwords that have already expired, Moveworks polls your AD instance every 30 seconds using the following query:
(&(objectClass=user)(objectCategory=person)(mail=*)(!
(useraccountcontrol:1.2.840.113556.1.4.803:=2))(|(lastLogon>={last_login_date})
(lastLogonTimestamp>={last_login_date}))(pwdlastset<={password_last_set}))
last_login_date
= Last date the user logged into their accountpassword_last_set
= Last date the user updated their password
Then Moveworks does additional client-side filtering on the msDS-UserPasswordExpiryTimeComputed
attribute.
Password Reset
When a user tells Moveworks that they’ve forgotten their password. The Moveworks bot can link the user to a browser portal where they can reset their password, and regain access to their account.
FAQ
Q: What if a user is just locked out?
A: Before Moveworks starts aiding the user in resetting their password, the bot checks to make sure that the user’s issues does not stem from too many failed log in attempts, and they are consequently being locked out of their account. This is done with a Distinguished Name (DN) lookup followed by an inspection of the lockoutTime
attribute. Once the bot confirms that the user has not tried to log in with their current password, it will send the link to the portal where they can reset their password.
Updated 3 months ago