Find answers and help with IDEE's products and services.
AuthN is an IdP (identity provider). This means that for every integration the sign-in logs are kept by the service provider (e.g. Microsoft, Google, Salesforce). Please refer to the documentation of the service provider to obtain the logs.
Yes. AuthN by IDEE is passwordless. Nevertheless, for compatibility with SAML service providers that request it, AuthN asserts the PasswordProtectedTransport authentication context class (urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport) in its SAML responses, even though no password is used.
Move the user to a managed domain (e.g. the tenant's onmicrosoft.com domain), change the ImmutableID there, and then move the user back to the original domain.
Once the user is deleted in your IAM system or user directory, the user can no longer log in. To delete the AuthN account automatically, use SCIM.
SCIM ensures that when a user is de-provisioned in the IAM system or user directory, that user is also de-provisioned in AuthN. Once de-provisioned, the user can no longer use AuthN to log in.
For new PCs (out-of-box experience) and/or Intune setup, generate an Access Key in the Integration Portal and provide it to the user so that the user can set up their PC.
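The three-step move described above, as an added example using the MSOnline PowerShell module (this is not IDEE documentation or code; the UPNs, the tenant name and the new ImmutableID value are placeholders). The user is parked on the tenant's onmicrosoft.com domain because that domain is always managed, and the ImmutableID can only be changed while the user is not on a federated domain.

```powershell
# Added example, not IDEE's code. Requires the MSOnline module and a Global
# Administrator (or User Administrator) account.
Connect-MsolService

$OriginalUpn    = 'alice@example.com'              # UPN on the federated domain (placeholder)
$ParkingUpn     = 'alice@contoso.onmicrosoft.com'  # tenant's initial domain, always managed (placeholder)
$NewImmutableId = 'alice@example.com'              # assumption: AuthN matches the user on the UPN,
                                                   # as the Graph "create user" example on this page does

# 1. Move the user to the managed onmicrosoft.com domain.
Set-MsolUserPrincipalName -UserPrincipalName $OriginalUpn -NewUserPrincipalName $ParkingUpn

# 2. Change the ImmutableID while the user sits on the managed domain.
Set-MsolUser -UserPrincipalName $ParkingUpn -ImmutableId $NewImmutableId

# 3. Move the user back to the original, federated domain.
Set-MsolUserPrincipalName -UserPrincipalName $ParkingUpn -NewUserPrincipalName $OriginalUpn

# 4. Verify that the UPN is back on the federated domain and the ImmutableID was updated.
$u = Get-MsolUser -UserPrincipalName $OriginalUpn
if ($u.ImmutableId -ne $NewImmutableId) { throw "ImmutableId of $OriginalUpn is still '$($u.ImmutableId)'" }
$u | Select-Object UserPrincipalName, ImmutableId
```

Until step 3 completes, the user cannot sign in with the original UPN, so run the three commands back to back rather than leaving the account parked.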
An invited admin is allowed to do the following:
- Edit an integration (modify integration parameters)
- Delete an integration
- View an integration (see integration parameters)
- Invite users
- Delete users from Microsoft or Google integrations
Only the owner of an integration can add/invite another admin.
No, you can invite admins with any email address.
Currently, only an existing admin can receive an invitation.
Please make sure that the admin you want to invite is already registered on our Integration Portal.
Yes, you can get a branded setup for your integrations, including the app, login pages, emails, and the self-service portal.
It may take up to 5 minutes for changes to apply. If the integration still has no effect after 5 minutes, please check that your integration details are correct.
A backup allows the admin to add a new device to their account by entering the backup code. Thereafter, the admin has full access to their account.
Without a backup code a new device can only be added by proving possession of the mailbox and then resetting your account. Resetting your account means all existing devices are deleted and admin access on the account is revoked. To regain admin access on the account, please submit a support ticket here: https://www.getidee.com/support
Go to https://authn.getidee.de and scan the QR code with the app. You can use either the AuthN by IDEE app or your branded AuthN app from IDEE.
You can use the AuthN app or your branded app.
Yes. To use the Integration Portal with your authenticator, you need to register the authenticator with the same email address you used when registering for the Integration Portal. Your email address is your account identifier.
If you recently reset your account, access to your Integration Portal was removed. Please create a ticket here to regain access: https://www.getidee.com/support.
The system administrator responsible for a specific integration should create an account on the Integration Portal. To share an integration with another administrator, each administrator needs to create an account on the Integration Portal before sharing.
Once the integration is set up, the user is automatically redirected to the AuthN login page or the branded login page. There the user is asked to follow the steps to enable Secure Magic-Link, Web-AuthN or the AuthN app, depending on the configuration. Thereafter, the user can log in to the application immediately.
Once the user is deleted in your IAM system, the user can no longer access any of your systems. Our clients can automatically delete that account on IDEE's side by using SCIM.
The default (root) domain of your tenant cannot be federated. For example, the Microsoft Azure AD initial domain, onmicrosoft.com, always remains a managed domain and is accessible with your username, password, and token.
The invitation link can only be used once by the user who has received the link. The link is tied to the email address that was used when it was created. The user cannot change it.
Please use the following MSOnline PowerShell command: Set-MsolDomainAuthentication -DomainName $domain -Authentication managed
Once an Azure AD domain is federated, users on that domain need to be added using Microsoft Graph Explorer. Here are the steps for Microsoft Graph Explorer:
1. Sign in to Microsoft Graph Explorer here (https://developer.microsoft.com/en-us/graph/graph-explorer) using your Azure admin account.
2. After you have signed in, click on the three dots next to your profile and select 'Select permissions'.
3. Add the following permissions: User.ReadWrite.All and Directory.ReadWrite.All.
4. Go to Sample Queries. Find and select 'create user', which opens an example request body in JSON.
5. Copy the following body, update it with the user's details, and run the query to create the user:
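The command above in context, as an added example (not IDEE documentation or code): it shows the domain's current state, converts it back to managed, and checks that the change took effect. 'example.com' is a placeholder for your own domain.

```powershell
# Added example, not IDEE's code. Requires the MSOnline module and Global Administrator rights.
Connect-MsolService
$domain = 'example.com'   # placeholder: the domain currently federated with AuthN

# Current state: Authentication reads 'Federated' while AuthN handles sign-in for this domain.
Get-MsolDomain -DomainName $domain | Select-Object Name, Authentication, Status

# Convert the domain to managed. From now on Azure AD no longer redirects sign-ins
# for this domain to the AuthN login page; users authenticate with their Azure AD password.
Set-MsolDomainAuthentication -DomainName $domain -Authentication Managed

# Confirm the change before telling users the domain is back on password sign-in.
$state = (Get-MsolDomain -DomainName $domain).Authentication
if ($state -ne 'Managed') { throw "Domain $domain is still '$state'" }
"Domain $domain is now managed."
```

Users on the domain need a valid Azure AD password after the switch; accounts created with the passwordProfile shown in the Graph Explorer example on this page have one, but it is the one set at creation time (with forceChangePasswordNextSignIn), so expect a password reset on first sign-in.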
{
"accountEnabled": true,
"displayName": "FirstName LastName",
"mailNickname": "username",
"onPremisesImmutableId": "username@example.com",
"userPrincipalName": "username@example.com",
"mail": "username@example.com",
"givenName": "FirstName",
"surname": "LastName",
"passwordProfile": {
"forceChangePasswordNextSignIn": true,
"password": "<password>"
}
}
Please create a ticket using the "Contact us" button below.
Please create a ticket using the "Contact us" button below and choose the incident section for reports by typing "incident report".
The AuthN app works on any smartphone or tablet with the following OS versions:
- Android version 6.0 or higher
- Apple iPhone with iOS 11 or higher
Web-AuthN works on any computer with a TPM chip (internal or external) and one of the following browsers:
- Microsoft Edge
- Chrome
- Safari
Internet Explorer does not support Web-AuthN in any version and cannot be used.
Currently, we support one account per authenticator app. If you choose the branded option, you can use both our AuthN app and your branded app, and thereby two different accounts.
A workaround for Android: certain phones with Android 10 and later support dual apps. With this feature you can run AuthN in dual-app mode to access two separate mailboxes.
A general workaround: M365 offers delegated access. You can find the M365 documentation here: https://support.microsoft.com/en-gb/office/access-another-person-s-mailbox-a909ad30-e413-40b5-a487-0ea70b763081#__toc372210362
With Web-AuthN, multiple accounts can be set up on a single device.
To enable app passwords on Azure, please enable and enforce Azure MFA. Here is additional information about app passwords: https://docs.microsoft.com/en-us/azure/active-directory/authentication/howto-mfa-app-passwords
Once a Microsoft domain is federated, it takes a few minutes for the change to replicate before sign-ins start redirecting to the AuthN login page. Please be patient. Go have a coffee!!
If your account has active integrations on the Integration Portal you are not allowed to delete your account. You first need to go to the Integration Portal and delete all active integrations or create a ticket to transfer all integrations to another admin. You also need to revoke access to integrations you have shared with other admins. Thereafter, you can delete your account via the Self-service Portal (SSP).
Please ask an admin who is managing your email integration with AuthN to send you a one-time use magic-link for account recovery. This will allow you to enable your AuthN app as an authenticator. Thereafter you can access your mailbox by using AuthN.
If you do not have your backup code you need to reset your account. To obtain access to your integrations on the Integration Portal, please create a ticket here: https://www.getidee.com/support.
Please ask an admin who is managing your email integration with AuthN to send you a one-time use magic-link for account recovery. Thereafter, you can reset your account and enable AuthN. Once AuthN is enabled you can authenticate to your mailbox. To obtain access to your integrations on the Integration Portal, please create a ticket here: https://www.getidee.com/support.
All authenticator devices are deleted and access to the Integration Portal is removed. You need to contact IDEE to regain access to the Integration Portal. To obtain access to your integrations on the Integration Portal, please create a ticket here: https://www.getidee.com/support.
App passwords created for service accounts prior to switching the domain from managed to federated will continue to work. If new app passwords need to be created, the admin needs to login to the service account and create new app passwords. When the admin tries to login to a service account, they will need to authenticate with AuthN.
Please ask an admin to send you a one-time use magic-link to login to your service account using Web-AuthN.
Yes. However, once you delete/disable an enterprise account, the user will no longer have access to your data.
When a domain is federated, it is not possible to create users on that domain through the Azure Portal.
However, it is possible to create new users using Graph Explorer: https://developer.microsoft.com/en-us/graph/graph-explorer
Sign in to Graph Explorer using an Azure admin account and add the required permissions. For managing users, the User.ReadWrite.All and Directory.ReadWrite.All permissions are required. Then follow these steps:
1. Find and select the "create user" sample query.
2. Copy and edit the request body below:
{
"accountEnabled": true,
"displayName": "FirstName LastName",
"mailNickname": "username",
"onPremisesImmutableId": "username@example.com",
"userPrincipalName": "username@example.com",
"mail": "username@example.com",
"givenName": "FirstName",
"surname": "LastName",
"passwordProfile": {
"forceChangePasswordNextSignIn": true,
"password": "<password>"
}
}
3. Click on "Run query"
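The same user creation done from a script instead of Graph Explorer, as an added example that covers both Graph Explorer procedures on this page (it is not IDEE documentation or code). It uses the Microsoft Graph PowerShell SDK with the same two permissions and the same request body; names, UPN and domain are placeholders. The initial password is generated randomly because the user never types it: sign-in for the federated domain goes to AuthN.

```powershell
# Added example, not IDEE's code. Requires the Microsoft.Graph.Users module.
Connect-MgGraph -Scopes 'User.ReadWrite.All', 'Directory.ReadWrite.All'

$Upn = 'alice@example.com'   # placeholder UPN on the federated domain

# Random initial password (24 bytes, Base64) instead of a typed one. Works on
# Windows PowerShell 5.1 and PowerShell 7.
$bytes = New-Object byte[] 24
[System.Security.Cryptography.RandomNumberGenerator]::Create().GetBytes($bytes)
$InitialPassword = [Convert]::ToBase64String($bytes)

# Same fields as the Graph Explorer request body on this page.
$body = @{
    accountEnabled        = $true
    displayName           = 'Alice Example'
    mailNickname          = 'alice'
    onPremisesImmutableId = $Upn     # assumption from the page's example: ImmutableID equals the UPN
    userPrincipalName     = $Upn
    mail                  = $Upn
    givenName             = 'Alice'
    surname               = 'Example'
    passwordProfile       = @{
        forceChangePasswordNextSignIn = $true
        password                      = $InitialPassword
    }
}

$user = New-MgUser -BodyParameter $body

# Verify the attributes that federated sign-in depends on.
$created = Get-MgUser -UserId $user.Id -Property Id, UserPrincipalName, OnPremisesImmutableId
if ($created.OnPremisesImmutableId -ne $Upn) { throw "onPremisesImmutableId not set on $Upn" }
$created | Select-Object Id, UserPrincipalName, OnPremisesImmutableId
```

Do not reuse or record the generated password; if the domain is ever switched back to managed, reset it through the normal password reset path instead.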
You have two options:
Option 1: To enable AuthN for only a subset of users on a managed Azure AD domain, change the UPN of these users to a federated domain integrated with AuthN. Once complete, these users log in to all Microsoft services using the new UPN and are required to authenticate using AuthN.
To change the UPN, the admin can edit the user profile in Azure AD or use the following AzureAD PowerShell command: Set-AzureADUser -ObjectId <old UPN with managed domain> -UserPrincipalName <new UPN with federated domain>
Option 2: Set up a subdomain and federate only the subdomain. Follow this guide to set up a subdomain: link
There are two options. 1) Run PowerShell and use your admin UPN. If the UPN is part of the federated domain integrated with AuthN, you will be asked to authenticate. Use the Push or QR-Code options to authenticate. 2) Log in using the "Other User" option. You will be asked for a username and password because that is all Windows supports. You can use an admin UPN on the same tenant that ends with the onmicrosoft.com suffix, or any other UPN that is part of a managed domain and has admin rights for the federated domain. The UPN must also be listed as a Device Administrator in Azure AD. Here is more info on the device administrator role: https://learn.microsoft.com/en-us/azure/active-directory/devices/assign-local-admin#manage-the-device-administrator-role.
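Option 1 applied to a list of users, as an added example (not IDEE documentation or code) using the AzureAD PowerShell module named above. It skips users that do not exist or that have no ImmutableId, on the assumption (taken from the Graph "create user" example on this page) that AuthN matches users on that value, and it verifies the result. Domains and user names are placeholders.

```powershell
# Added example, not IDEE's code. Requires the AzureAD module and a User Administrator role.
Connect-AzureAD

$ManagedDomain   = 'example.com'         # placeholder: stays managed (password sign-in)
$FederatedDomain = 'authn.example.com'   # placeholder: federated with AuthN
$Users           = @('alice', 'bob')     # placeholder: local parts of the UPNs to move

foreach ($name in $Users) {
    $oldUpn = "$name@$ManagedDomain"
    $newUpn = "$name@$FederatedDomain"

    $user = Get-AzureADUser -ObjectId $oldUpn -ErrorAction SilentlyContinue
    if (-not $user) {
        Write-Warning "$oldUpn not found, skipping"
        continue
    }
    if (-not $user.ImmutableId) {
        # Assumption: federated sign-in needs an ImmutableId; without one the user
        # would be locked out after the move, so do not move them.
        Write-Warning "$oldUpn has no ImmutableId, set one before moving; skipping"
        continue
    }

    Set-AzureADUser -ObjectId $user.ObjectId -UserPrincipalName $newUpn
    "$oldUpn -> $newUpn"
}

# Verify: list everyone now on the federated domain. (Azure AD Graph filters do not
# support endswith, hence the client-side filter.)
Get-AzureADUser -All $true |
    Where-Object { $_.UserPrincipalName -like "*@$FederatedDomain" } |
    Select-Object UserPrincipalName, ImmutableId
```

Tell the affected users their new UPN before running this: from the next sign-in they must enter it, and any open sessions tied to the old UPN are not migrated.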
You can create the integration on the Integration Portal before federating the domain. Then, a Domain Invite Link will be created. You can send that link to all your users which will enable them to setup a device for that integration before the domain is federated.
No. When an enterprise account is deleted, that account needs to be deleted manually on IDEE services (Integration Portal, AuthN user). However, when an account is deleted on your IAM platform, the user can no longer access your data.
To automatically delete the account on IDEE side you need to enable SCIM.
The user should ask an admin to send them a one-time use magic-link for account recovery. This link allows them to set up a new authenticator device, after which they can access their mailbox.
Please ensure that the user has an internet connection. Also ensure that the VPN, firewall, proxy setups are not interfering with access to the IDEE service. Finally, if all else is working please ask the user to disable and enable the lock screen again.
Please check if the user has entered the correct email. Thereafter, please ensure IDEE is added to your whitelist, so that emails are not stuck in spam or quarantine.
On a Windows PC please enable Windows Hello. On a Mac please enable TouchID. On an iOS, iPadOS, Android device please enable system lock.
All existing devices on that account and any backups are deleted.
On the phone, go to Settings / Users & accounts / Work account and remove the email you are using to login and try to log in again.
There are two benefits.
1) A user can add a new device by using the PID (backup code) instead of approving via a push notification from an existing device.
2) Once a backup is created, a user can only reset their managed account (e.g. M365, Google Workspace) by using an invite link from their administrator. A user cannot reset their account by themselves. This adds additional protection for the user against account takeover.
Web-AuthN is available in Safari on a Mac mini when using a keyboard with Touch ID. Alternatively, the user can use Chrome to get the Web-AuthN option.
The user needs to go to the device that is already setup and start adding an additional device from there.
The account language is based on the device language when the account was created and it is automatically set. It cannot be changed.
The app language is based on the device language when the device was added and it is automatically set. It cannot be changed.
Users can delete their device from their Self-Service Portal or from within the authenticator app.
On the Web-AuthN login page select Enable Another Account option to setup additional accounts on the same device.
AuthN does not work without a device lock. Please enable device lock on your tablet, smartphone or computer. For iOS, iPadOS, and Android you need to enable screen lock, for your PC please enable Windows Hello, and for your Mac please enable TouchID.
If you disable device lock on your tablet, smartphone, or computer, AuthN will no longer function. You will have to re-enable your device as an authenticator.
All authenticator devices are deleted from the users account. The user can thereafter add devices to his/her account.
Users should ask an admin who is managing this email integration with AuthN to send them a one-time use magic-link for account recovery. This will allow them to enable their AuthN app as an authenticator. Thereafter the users can access their mailbox by using AuthN.
Probably there are multiple keys for your account stored in the TPM. Here is a guide on how to delete them on a Windows PC:
1. Run CMD as administrator: type 'Command Prompt' in the Windows search bar, right-click and select 'Run as administrator'.
2. In the CMD window type: certutil -csp NGC -key
This lists all the keys. You will see the key in this format: `<sid>/<guid>/FIDO_AUTHENTICATOR//<rpIdHash>_<user id>`
3. Copy the key manually (without the 'RSA' at the end) and run the next command with the copied key:
certutil -csp NGC -delkey <key>
Press Enter.
You should see 'CertUtil: -delkey command completed successfully'
4. Repeat step 3 for every key.
Here is a guide on how to delete them on a Mac:
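Steps 2 to 4 automated, as an added example (not IDEE documentation or code): it runs the same certutil listing from an elevated PowerShell, picks out the FIDO_AUTHENTICATOR containers using the name pattern given above, optionally narrows them to one <rpIdHash>_<user id> part, and deletes each one only after confirmation. The exact layout of certutil's listing is assumed to put each container name on its own line, as the page implies; the filter value is a placeholder.

```powershell
# Added example, not IDEE's code. Run from an elevated PowerShell on the affected PC.
$me = [Security.Principal.WindowsPrincipal][Security.Principal.WindowsIdentity]::GetCurrent()
if (-not $me.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) {
    throw 'Run this from an elevated PowerShell (Run as administrator).'
}

# Step 2: list the keys in the NGC (Windows Hello / platform authenticator) container.
$listing = certutil -csp NGC -key 2>&1 | Out-String

# Pull out every container name of the form
# <sid>/<guid>/FIDO_AUTHENTICATOR//<rpIdHash>_<user id>. The trailing 'RSA' the page
# tells you to leave off is separated by whitespace, so \S+ stops before it.
$keys = @([regex]::Matches($listing, '(?m)(\S+/FIDO_AUTHENTICATOR//\S+)') |
    ForEach-Object { $_.Groups[1].Value })

if ($keys.Count -eq 0) {
    'No FIDO_AUTHENTICATOR keys found in the NGC container.'
    return
}
"Found $($keys.Count) FIDO key(s):"
$keys | ForEach-Object { "  $_" }

# Optional filter on the <rpIdHash>_<user id> part, e.g. the rpIdHash of the site you
# are cleaning up. Leave empty to offer every FIDO key for deletion.
$Filter = ''   # placeholder
$targets = if ($Filter) {
    $keys | Where-Object { ($_ -split '//')[-1] -like "*$Filter*" }
} else {
    $keys
}

# Steps 3 and 4: delete each selected key, asking first. Deleting a key only removes the
# credential from this PC; the account itself is untouched and the device must be re-enabled.
foreach ($key in $targets) {
    if ((Read-Host "Delete $key ? [y/N]") -ne 'y') { continue }
    $out = certutil -csp NGC -delkey $key 2>&1 | Out-String
    if ($out -match 'completed successfully') { "Deleted $key" } else { Write-Warning "Failed: $out" }
}
```

After the keys are gone, open the Web-AuthN login page again and go through the device setup once more; the site will then find exactly one fresh credential for your account.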
1. Go to Safari > History
2. Click on Clear History. Please note this will clear all your History in addition to deleting your Web-AuthN keys.
Go to Settings -> Safari -> Request Desktop Website -> All websites.
Web-AuthN is currently not supported on Chrome Incognito mode on Windows 10 20H2. It is however supported on MacOS 11.6 and later.
Click on the cancel button and this will take you to the next window where you need to unlock your PC to authenticate to your website.
In order to use Web-AuthN on Safari on a Mac, the user must enable TouchID. Please enable TouchID on your Mac and try again.
Click outside of the pop-up and you will get an error, "Something went wrong. Please try again." Now click on login and unlock your phone to authenticate to the website. This is a known bug on iOS and it has been reported to Apple.
Switch to another app and go back to Safari and you will get an error, "Something went wrong. Please try again." Now click on login and unlock your phone to authenticate to the website. This is a known bug on iPadOS and it has been reported to Apple.
No problem. We offer offline login.