Symantec VIP integration with Entra ID allows end users to register credentials through MyVIP portal

Article ID: 438373


Products

VIP Service

Issue/Introduction

Entra ID integrated with Symantec VIP will automatically direct end users to the MyVIP Portal (self-service) if they do not have any registered credential.

This could be a potential security concern if a bad actor were able to authenticate with first-factor credentials and were then allowed to register their own 2FA credential.

Environment

Symantec VIP integrated with Entra ID.

Cause

There is no way to prevent inline provisioning through Entra ID. Users are created within VIP Manager and automatically redirected to the MyVIP page after succeeding with first-factor credentials.

 

Resolution

There are, however, policies that limit the user's access once they land on the MyVIP portal page:

  1. Require users to authenticate for first-time access (if they do not already have a credential registered, they still need an OTP code). This would require the user to get a temporary code from a VIP Administrator or request that a temporary code be sent to their AD out-of-band attributes (Email, SMS, Voice options).
  2. Disable inline credential registration through the MyVIP portal itself. This would require an administrator to register the user's credential before the user can access the page.

You can access both of these policies through the VIP Manager > Policies page. For a more detailed explanation of each policy, click the "Edit" button and then select the "?" next to each policy.