Add User Accounts
Applies To: AuthPoint Multi-Factor Authentication, AuthPoint Total Identity Security
There are two ways to add AuthPoint user accounts:
- Sync users from an external user database
- Add WatchGuard Cloud-hosted AuthPoint users to the WatchGuard Cloud Directory
Each user must be a member of a group. You must add at least one group before you can add users to AuthPoint. For more information, see Add AuthPoint Groups.
Sync Users from an External User Database
To sync users from Active Directory, Azure Active Directory, or an LDAP database, you must add an external identity in the AuthPoint management UI. External identities connect to user databases to get user account information and validate passwords.
- To sync users from Active Directory or an LDAP database, you must add an LDAP external identity
- To sync users from Azure Active Directory, you must add an Azure AD external identity
When you sync users from an external user database, you can sync any number of users and they are all added to AuthPoint at one time. Users synced from an external user database use the password defined for their user account as their AuthPoint password.
To learn how to sync users, see Sync Users from Active Directory or LDAP and Sync Users from Azure Active Directory.
Azure AD external identities do not require the AuthPoint Gateway.
To delete an AuthPoint user account synced from an external database, we recommend that you remove the user from their AD, LDAP, or Azure AD group to give them the Quarantined status in AuthPoint, then delete the user account in AuthPoint.
Add WatchGuard Cloud-Hosted AuthPoint Users
You create WatchGuard Cloud-hosted users and groups from the WatchGuard Cloud Directory in WatchGuard Cloud. Directories and Domain Services is where you add shared authentication domains for WatchGuard Cloud devices and services, such as AuthPoint.
Users that you add to the WatchGuard Cloud Directory are automatically added to AuthPoint as well.
You add local AuthPoint users from Directories and Domain Services. You manage the users in AuthPoint on the Users page.
When you add local AuthPoint users, you choose whether the user is an MFA user or a non-MFA user.
- MFA users are user accounts that will use AuthPoint multi-factor authentication to authenticate. This is not related to the AuthPoint Multi-Factor Authentication license type.
- Non-MFA users are users that will only ever authenticate with a password, such as a service account user. Non-MFA users do not consume an AuthPoint user license and cannot authenticate to resources that require MFA. They can only authenticate to protected resources if the non-MFA user account has a password-only authentication policy for that resource.
After you add a user, you can edit the user account if you need to change their account type. When you change a user account from MFA to non-MFA, AuthPoint deletes the tokens and password vault (if applicable) that belong to the user. This action cannot be undone.
Because you can create only one user at a time, you most commonly create local users this way when you want to create test users or to add only a small number of users.
Unlike users synced from an external user database, local AuthPoint users define and manage their own AuthPoint password. When you add a local user account, the user receives an email that prompts them to set their password.
To learn how to add WatchGuard Cloud-hosted AuthPoint users to the WatchGuard Cloud Directory, go to Add Local Users to an Authentication Domain.