Domain Restriction for User Management Actions in Zoho One

Greetings, Zoho One Admins!

To strengthen account security further and safeguard user management settings, we are imposing domain-based restrictions for user account-focused admin actions in Zoho One.

In addition to resetting a user's password, organization admins will now be restricted from performing the following actions:
  1. Reset MFA
  2. Disable MFA
  3. Generate backup codes for a user
  4. Create a mailbox
  5. Manage email addresses

These actions will be permitted only for users belonging to verified domains within the organization.

Why is this restriction being imposed?

User management actions such as MFA resets, backup code generation, and email management directly impact a user's authentication and account recovery mechanisms. If misused, these actions can allow unauthorized access, account takeovers, or privilege escalation.

By enforcing domain verification, Zoho One ensures that admins can manage these sensitive security settings only for users whose email domains are proven to be owned and controlled by the organization.

Learn more about how these user actions depend on the nature of the associated domain.

What is the limitation in the current architecture?

Because admins in an organization have access to all of their users' app data, they can also perform sensitive user management actions on accounts associated with unverified or external domains. This creates the possibility of a security breach or data leak: when a user joins or is invited to the organization, an admin may end up controlling the account and data of someone whose domain the organization does not actually own.

What's getting protected?

To mitigate the issues in the previous architecture, we have now enforced domain verification for actions like MFA resets in Zoho One. With this measure in place, these actions can be performed only on users whose domains the organization has verified that it owns, preventing the misuse of account data.


Regards,
The Zoho One Team.