Solved

MFA QR code for AD account without mailbox



Hi Community,

I have configured MFA in Commvault before V11 FR24. At that time it was required to have a functioning mail address to send the secret key, which can be used in Microsoft or Google Authenticator. I have also used SAML and ADFS based MFA, but again they also depend on Azure AD or tools like Okta to generate the PIN.

I read in one community post that from FR25 we can use accounts with a QR code. Our admin accounts are not configured with mailboxes, and they don’t forward emails to user mailboxes.

We are using Microsoft Authenticator for PIN generation, and Commvault is generating a QR code for accounts with mailboxes, but not for accounts without mailboxes.

Best answer by Jos Meijer


2 replies

Jos Meijer
Commvault Certified Expert
  • 638 replies
  • Answer
  • April 16, 2022

Hi @Basavaraja 

I have checked, and the documentation for FR25 states the following requirements:

  • Configuring an Email Server

  • Assigning Email Addresses to CommCell Users

  • Synchronizing the System Time on the CommServe Computer

  • Optional: Customizing the PIN and Secret Key Emails Sent to Users

Also checked FR26, same requirements.
So it seems you still need an e-mail address configured.


I have not tested, though, with users that are synced from an Identity Server such as AD and so on.
In that situation you will automatically get users imported at logon. That being said, as far as I know QR codes are only supported for local CommCell users, not for SAML users. SAML users need the secret key provided in the very first e-mail to configure a tool to generate a PIN code.
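
Added example, not part of the thread or of Commvault's documentation: assuming the PIN is a standard RFC 6238 TOTP (the scheme Microsoft and Google Authenticator implement from a shared secret key), this sketch shows why the time-synchronization requirement listed above matters, since the server only accepts a PIN whose time step is close to its own clock. The secret is the RFC 6238 test key, and `totp`, `verify` and `window` are illustrative names.

```python
import base64
import hashlib
import hmac
import struct

def totp(secret_b32, unix_time, step=30, digits=6):
    """RFC 6238 TOTP with HMAC-SHA1 for the given Unix time."""
    padded = secret_b32.upper() + "=" * (-len(secret_b32) % 8)
    key = base64.b32decode(padded)
    counter = struct.pack(">Q", int(unix_time) // step)   # 30-second time step
    mac = hmac.new(key, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                               # dynamic truncation
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)

def verify(secret_b32, pin, server_time, window=1, step=30):
    """Accept the PIN if it matches a step within +/- window of the server clock.

    Returns the matching step offset (0 = clocks agree) or None if rejected.
    """
    for drift in sorted(range(-window, window + 1), key=abs):
        candidate = totp(secret_b32, server_time + drift * step, step)
        if hmac.compare_digest(candidate, pin):
            return drift
    return None

# Constructed sample: base32 of the RFC 6238 test key "12345678901234567890".
SECRET = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"

if __name__ == "__main__":
    phone_time = 1111111109                 # clock on the authenticator device
    pin = totp(SECRET, phone_time)          # what the app would display
    for skew in (0, 2, 300):                # server clock ahead by N seconds
        result = verify(SECRET, pin, phone_time + skew)
        print(f"server skew {skew:>3}s -> matched step offset: {result}")
```

Any app that implements the same algorithm produces the same PIN from the same secret, so the server-side check depends on the shared key and the clocks, not on which authenticator generated the code.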


  • Author
  • Bit
  • 1 reply
  • April 29, 2022

Thanks, @Jos Meijer

Sorry for the delayed reply. After upgrading to 26, we are able to configure MFA for admin accounts from AD without working email addresses, and we were able to successfully test MFA with DOU as well. Can you please request documentation to be updated with DOU or provide some info on why Commvault suggests using Microsoft or Google Authenticator?

