Two-factor authentication for secure access to cloud apps in hybrid AD

In an earlier post, we dealt with the benefits of single sign-on (SSO) for cloud apps in hybrid Active Directory (AD). While SSO is good in the sense that it simplifies user access to multiple cloud apps, it doesn’t adequately shield users from compromised credentials. When a user’s password is compromised in an SSO environment, attackers gain access to multiple apps and resources. In this blog, we’ll look at how two-factor authentication (2FA) for SSO to cloud apps works as an extra layer of protection against credential-based cyberattacks.

Verifying user identities with 2FA mitigates security risks that exist when passwords are the only defense. 2FA differentiates users from hackers by verifying an entity’s identity using a second authentication factor, such as SMS or an email verification code, in addition to a username and password.

ADSelfService Plus provides 2FA for access to cloud apps. This is key to protecting SSO to these apps. With SSO paired with 2FA, as shown in Figure 1, users in a hybrid AD environment can access their enterprise applications with just one set of credentials in a secured manner.


Figure 1. How 2FA for cloud app access works in ADSelfService Plus.

Access control

Figure 2. Configuring 2FA for SSO to cloud apps in ADSelfService Plus.

ADSelfService Plus’ 2FA for protecting cloud apps provides 10 different types of authentication, as seen in Figure 2 above:

  • Email verification code
  • SMS verification code
  • Security question and answer
  • Duo Security
  • RSA SecurID
  • Google Authenticator
  • Mobile Authenticator
  • AD security questions
  • SAML authentication


ADSelfService Plus’ 2FA adds an additional layer of security when accessing apps in an SSO environment. While SSO enables convenient access to applications, combining SSO with 2FA protects access to data and improves the overall security posture of the organization.

See how ADSelfService Plus works in your environment.

** Optrics Inc. is an Authorized ManageEngine partner

The original article can be found here:

Leave a Reply

%d bloggers like this: