Cannot made enrollments by users

[inigotor81]

Hi everyone, I tried to configure MFA to be enrollment manage by users so I choose the mixed template, on the MFA providers I choose only code as default and email, on users management I import 2 test users disabled with chooose option as show on images:

Every time i tried to login this message shows:
![image](https://user-images.githubusercontent.com/19596970/213473474-bddc0111-14ff-4076-88f0-ad1c3fed19c2.png
I´m missing something?
Thank you so much!

[redhook62]

Hi @inigotor81

All the settings you have chosen are correct..
There is no reason that you cannot register, except that it is imperative that your data access account has read and write rights in your ADDS on all users.
check this: ADDS Rights

[inigotor81]

Thank you so much for your answer, I already check the data access account rights and it have the read/write permissions, If I change to the default template (mfa status optional- MFA can be disabled in options) I'm able to do the enrollment by users but the key is that I don't want the users have the option to disable MFA.
If i swtich to custom template with mfa status to mandatory I get the same error when I try to enroll a new user.

[redhook62]

Hi @inigotor81

It seems from the screenshots you made, that your users are marked as disabled.
Try to re-enable these users using the MFA console.

However, with the same configuration as you, we do not reproduce your problem.

Do you have any messages in the eventlog?
What is the exact configuration of "Active Directory Storage" in console?
can you take a screenshot?

regards

[inigotor81]

Hi @redhook62,
You are right, after I re-enable users and change the Active Directory configuration with ADDS Schema 2016, now we are able to made the enrollment by users.
Now I´m facing another issue, when I use the import AD users It´s possible to import all users in a OU , I configured a ADDS as Delegated admin user that only have admin rights to the OU where users I want to enable MFA, but when I tried to import a user or the whole OU Path nothing happens, I tried from console and also with powershell.

Thank you so much!

[redhook62]

Hi @inigotor81

If you have used the "Super Account", there is no problem with a delegated account, because the LDAP request will be made with the "Super Account".

I think you need to remove from the LDAP filter the first part containing CN=xxxxxx.

Otherwise, in order to confirm, disable LDAPS.

regards

[inigotor81]

Ok, thank you very much, is it possible to import the users from a group ?

[redhook62]

Hi @inigotor81

It is on an ldap filter that you have to work.
of the type of the following:
(memberof=CN=my Users,OU=Extranet,OU=ExternalApplications,DC=xxx,DC=xxxxxx,DC=com)

We are going to add an LDAPFilter property on the ADDS import

Regards

[redhook62]

Property LDAPFilter added to new version 3.1.2302.0

[inigotor81]

Thank you so much @redhook62 , I will try it this week.

[inigotor81]

Hi @redhook62 !
I tried the new version with the LDAPFilter property but I continue with the issue when I tried to import from LDAP, if check the event viewer can´t see any error when I execute the import command, however , everytime I change the MFA config I get this error in event viewer:

This is the ad import command without error but with 0 users imported:

Thank you so much!

[redhook62]

Hi @inigotor81

Firstly for the error message displayed, it does not impact your import procedure. It is just a message sent to the various MFA modules for notification purposes. noticeably when the configuration is changed. example: A modification of the configuration made with PowerShell, all the modules open on all the servers of the ADFS farm will receive a notification asking them to reload the config.
On each server run: restat-service mfanotifhub

Then, for your LDAP requests, you must indicate the LDAPPath path in addition to the LDAPFilter.
I invite you to validate your filter and query with a tool such as LDAPAdmin.

regards