How To Guide for Access Account Plugin
How To Configure Change Password Notifications
Pre-Requisites
- Ensure the required Identity system connector has been setup so Moveworks is able to poll the Account info for users from the external IDAM System. Learn more about how to setup these connectors here.
- Ensure we are ingesting the Password Metadata information from the External Identity system, this is imperative for us to calculate the time when the reminder notification must be sent out.
- Please ensure the required Change Password Plugin is set to TRUE within the Copilot Plugin Management settings.
Configuration
Navigate to the Copilot Plugin Management settings.
- Within this setting, find the Change Password Plugin section.
- Update the Deflection Message field to encapsulate the desired deflection message you want to serve to users when this plugin in called.
- Optionally, you can check the Enable Deflection Message Paraphrasing box to allow the AI Assistant to summarize your Deflection Message. If not checked, the AI Assistant will serve back your verbiage directly.
- Click Submit at the bottom of the page
Once the required plugin has been enabled we need to ensure the password metadata info has been ingested from the external identity system. Here is a guide on How To Ingest Password Metadata for users.
Once the password metadata has been ingested for the user profiles. We can navigate to Account Access > Plugins Settings where we can configure the plugin to notify the user.
- Enable password expiry notifications - This is main control which needs to be selected in order for the Notifications to work, we cam further control who the plugin works for using the Proactive Reachout Filter.
- Proactive Reachout Filter - Enter a DSL rule within this control DSL box. To activate this skill for all users, set the DSL value to TRUE. To only have this skill be available to certain users, leverage the Moveworks DSL Syntax in the Guide here .

- Portal URL - Users can be provided a link to the portal when this plugin is invoked so they can be redirected and carry out the steps to chane, but in order to do so you need to select the below configuration control.
- Redirect user to portal for these requests - If a URL has been defined for redirection, we need to ensure this control is selected for the URL to be presented to the user.

Validation
The AI Assistant will now serve your specified deflection message. You can trigger this plugin within your AI Assistant and you will be able to validate that the correct deflection message is served.
How To Configure Deflection Message for Reset Password
Pre-Requisites
- Please ensure the required Reset Password Plugin is set to TRUE within the Copilot Plugin Management settings
Configuration
Navigate to the Copilot Plugin Management settings.
- Within this setting, find the Reset Password Plugin section.
- Update the Deflection Message field to encapsulate the desired deflection message you want to serve to users when this plugin in called.
- Optionally, you can check the Enable Deflection Message Paraphrasing box to allow the AI Assistant to summarize your Deflection Message. If not checked, the AI Assistant will serve back your verbiage directly.
- Click Submit at the bottom of the page
Validation
The AI Assistant will now serve your specified deflection message. You can trigger this plugin within your AI Assistant and you will be able to validate that the correct deflection message is served.
How To Configure Unlock Account Notifications
Pre-Requisites
- Ensure the required Identity system connector has been setup so Moveworks is able to poll the Account info for users from the external IDAM System. Learn more about how to setup these connectors here.
- Please ensure the required Unlock Account Plugin is set to TRUE within the Copilot Plugin Management settings for this to work in the AI Assistant.
Configuration
Before we start the configuration, Please navigate to the Copilot Plugin Management settings.
- Within this setting, find the Unlock Account Plugin section and set this to TRUE or FALSE depending on if the plugin should be enabled or not.

- Update the Deflection Message field to encapsulate the desired deflection message you want to serve to users when this plugin is called.
- You would need to check the Enable Deflection Message Paraphrasing box if a Deflection message is being defined in the configuration in order to present it in the AI Assistant. If not checked, the AI Assistant will serve back your verbiage directly.

- Click Submit at the bottom of the page
Once the required plugin has been enabled we need to setup the connector which the plugin will use to poll the data for locked accounts. This can be done by navigating to Account Access > Advanced Settings > Bidding.
-
Start by setting up the Entity to System Mapping for Account Unlock configuration. Multiple Connector mappings can be setup if your organisation uses multiple Identity systems.
-
Connector - The system connector which will be polled for the locked accounts information.
-
Controlled Entities - Moveworks accepts a list of entity names in each connector configuration card as this helps Moveworks understand what system an entity belongs to.
Ex. If Okta controls the active_directory entity, we know that if the user says reset my AD password we should kick off the access account flow using the okta integration.
Note : Leaving this blank will cause us to use the standard set of entities for the type of system selected. If the same controlled entity is controlled by two systems then it will be assigned to the first system that references it. -
Controlled Entity Sets - Users can also select a predefined Entity set instead of defining them individually. Please select the appropriate entity here.
-
Finally we can define the Plugin Configuration which can be found in Account Access > Plugin Settings. Here are the main configuration controls which need to be defined in order for the plugin to work as expected.
-
Enable account unlock - This is a boolean control which enables or disables the Unlock Account skill in the AI Assistant. You can only set the value TRUE or FALSE in this field.
Note : You cannot write other DSL rules to control rollout of this skill, that can be done in Proactive Reachout Filter. -
Portal URL - Users can be provided a link to the portal when this plugin is invoked so they can be redirected and carry out the steps to unlock the account, but in order to do so you need to select the below configuration control.
- Redirect user to portal for these requests - If a URL has been defined for redirection, we need to ensure this control is selected for the URL to be presented to the user.
-
Proactive Reach out Filter - This is the DSL Control which can be used to define which users this plugin can be enabled for. This is especially used when customers are doing a controlled rollout of the Plugin.
- Setting this Filter value to TRUE ensures Unlock Account Notifications are sent out to all users.
- Setting this Filter value to FALSE means Unlock Account Notifications will not be sent out to any users.
- Setting the below DSL rule allows Moveworks to control which users will get the Account Unlock Notifications, this is very commonly used by customer when dong a controlled rollout to a subset of users for testing.
user.email_addr IN ["[email protected]","[email protected]"]
-
Enable polling of account lockouts - This control polls the identity system to identify accounts that were locked out and then send out the notifications. You can only set the value TRUE or FALSE in this field.
Validation
The AI Assistant will now serve your specified deflection message. You can trigger this plugin within your AI Assistant and you will be able to validate that the correct deflection message is served.

How To Configure Deflection Message for Reset MFA
Pre-Requisites
- Please ensure the required Reset MFA Plugin is set to TRUE within the Copilot Plugin Management settings
Configuration
Navigate to the Copilot Plugin Management settings.
- Within this setting, find the Reset MFA Plugin section.
- Update the Deflection Message field to encapsulate the desired deflection message you want to serve to users when this plugin in called.
- Optionally, you can check the Enable Deflection Message Paraphrasing box to allow the AI Assistant to summarize your Deflection Message. If not checked, the AI Assistant will serve back your verbiage directly.
- Click Submit at the bottom of the page
Validation
The AI Assistant will now serve your specified deflection message. You can trigger this plugin within your AI Assistant and you will be able to validate that the correct deflection message is served.
How To Configure Unlock Account for Active Directory
Pre-Requisites
- Please ensure the required Active Directory Connector has been created with the necessary permissions. Please refer the Active Directory / LDAP Access Requirements Doc for details.
- Please ensure the required Unlock Account Plugin is set to TRUE within the Copilot Plugin Management settings. There should be no Deflection Message listed.
Configuration
Start by navigating to Account Access > Plugin Settings
- Click on the Unlock Account toggle to expand the settings for natively unlocking accounts via the AI Assistant.
- Set the Enable account unlock DSL box to TRUE.
- NOTE: This value can only be set to TRUE or FALSE.
- Enter a DSL rule within the Proactive Reachout filter DSL box. To activate this skill for all users, set the DSL value to TRUE. To only have this skill be available to certain users, leverage the Moveworks DSL Syntax in the Guide here .
- Set the Enable polling of account lockouts DSL box to TRUE. This value can only be set to TRUE or FALSE.
- Click Submit at the bottom of the page
Next, navigate to Account Access > Advanced Settings > Bidding
- Click on the Setup entity to system mapping for account unlock toggle to expand the settings.
- Under the Account Bidding Config settings, click on Add + to add in a new bidding system to use for unlocking accounts.
- Select your Active Directory connector within the Select connector dropdown.
- Select ms_auth under Controlled Entity Sets to pre-populate the set of grouped entities for Active Directory that the AI Assistant will use when determining when to use this system to perform the unlock account workflow.
- Click Submit at the bottom of the page
Validation
Users are now able to receive proactive account lockout notifications as well as initiate an account lockout request directly. To validate these settings, you can send a request to the AI Assistant to unlock your account which will trigger this plugin. The returning message from the AI Assistant will tell you that your account has been unlocked or that it is already unlocked which will verify the live connectivity to Active Directory.
How To Configure MFA Reset for DUO
Pre-Requisites
- Please ensure the required DUO Connector has been created with the necessary permissions. Please refer the DUO Access Requirements Doc for details.
- Please ensure the required Reset MFA Plugin is set to TRUE within the Copilot Plugin Management settings. There should be no Deflection Message listed.
Configuration
Start by navigating to Account Access > Plugin Settings
- Click on the Reset MFA toggle to expand the settings for native MFA resetting via the AI Assistant.
- Set the Reset Mode to the desired attribute if there are multiple factors available to a user. The options can be one of the following:
- User can only reset one factor at a time
- User can choose to reset all factors or a single factor
- User can choose to reset all factors from a single provider or across all providers
- Enter a DSL rule within the Enable MFA reset DSL box. To activate this skill for all users, set the DSL value to TRUE. To only have this skill be available to certain users, leverage the Moveworks DSL Syntax in the Guide here .
- Click Submit at the bottom of the page
Next, navigate to Account Access > Advanced Settings > Bidding
- Click on the Setup entity to system mapping for MFA reset toggle to expand the settings.
- Under the MFA Bidding Config settings, click on Add + to add in a new bidding system to use for MFA resets.
- Select your DUO connector within the Select connector dropdown.
- Select duo under Controlled Entity Sets to pre-populate the set of grouped entities for DUO that the AI Assistant will use when determining when to use this system to perform the reset MFA workflow.
- Click Submit at the bottom of the page
Validation
Users are now able to reset their MFA directly within the AI Assistant. To validate these settings, you can send a request to the AI Assistant to reset your MFA which will trigger this plugin. The returning message from the AI Assistant will ask you to validate the workflow and then take action within DUO. You should receive a text to your phone to reset your DUO when successful.
Updated 4 days ago