Account Access Integration - Active Directory
Account Access Integration - Active Directory
Account Access Integration - Active Directory
Moveworks’ Account Access skill provides employees secure, self-service ways for users to resolve their login issues and can be integrated with Active Directory to do so.
Processes that involve sensitive actions, such as password resets, often require direct integration with an organization’s identity management systems and adherence to strict security protocols.
Therefore Moveworks does NOT handle nor ask for user’s password directly in chat, and instead the AI Assistant will link out to the relevant portal(s) and/or provide instructions.
When a user is locked out of their identity and access management (IDAM system), Moveworks can notify them of the issue and offer solutions, all in chat.
Moveworks limits users to three self-service account unlock per day. The amount of account unlocks users can request daily can be configured.
In order to notify locked out users, Moveworks queries for all active users in the last two weeks every 30 seconds. The service account is owned and managed by your organization, and user credentials do not leave your organizations environment. The service account credentials can optionally be stored within Azure Key Vault or AWS Secrets Manager.
The Moveworks Agent leverages LDAP(s) to connect to your Active Directory system and polls for active users using this query:
$SINCE = Current time in UTC minus 30 seconds.$UNTIL = Current time in UTCuseraccountcontrol = Checks whether the account has been explicitly locked by an admin$LAST_LOGIN_AFTER = Current time in UTC minus 2 weeksOnce the bot gets a list of users, it checks the Control Bits per Microsoft Documentation on User Account Control to ensure they are locked out, and whether they are still a valid enabled user.
A: The user’s identity is verified based on an active Microsoft Teams session on a device that they own. Any additional security policies may be applied on the Microsoft Teams side.
A: Moveworks can configure user attribute-based rules to limit who has the ability to unlock an account. Additionally, your Active Directory team can configure the service account to limit the kind of user accounts eligible for unlocking by Moveworks.
A: Moveworks owns the business logic for the Unlock Account feature, and the conversation workflow. Your organization continues to own the AD Agent, which Allows Moveworks to connect to AD, and service account.
When employee’s passwords are about to expire, Moveworks can send a notification letting them know when exactly their password will expire, and provide detailed self-service instructions with links to help them reset their password.
In order to remind users of their expiring passwords, Moveworks polls your organization’s AD instance every four hours. This is done with one of two attributes: msDS UserPasswordExpiryTimeComputed or pwdLastSet.
For passwords that have already expired, Moveworks polls your AD instance every 30 seconds using the following query:
last_login_date = Last date the user logged into their accountpassword_last_set = Last date the user updated their passwordThen Moveworks does additional client-side filtering on the msDS-UserPasswordExpiryTimeComputed attribute.
When a user tells Moveworks that they’ve forgotten their password. The Moveworks bot can link the user to a browser portal where they can reset their password, and regain access to their account.
A: Before Moveworks starts aiding the user in resetting their password, the bot checks to make sure that the user’s issues does not stem from too many failed log in attempts, and they are consequently being locked out of their account. This is done with a Distinguished Name (DN) lookup followed by an inspection of the lockoutTime attribute. Once the bot confirms that the user has not tried to log in with their current password, it will send the link to the portal where they can reset their password.