Greetings from the Zoho Cliq team!
We’d like to share an important security update that affects some admin actions, such as password reset, MFA reset, and MFA backup code generation.
What’s changing?
With our latest security enhancements, these admin operations will now be allowed only for users who have at least one verified organization email domain.
Why this change?
Previously, admins could reset passwords for users whose email domains were not verified within their organization. This created a potential risk, especially for users who may also belong to other companies as vendors or contractors, opening the door to possible account-takeover scenarios.
To protect all our users, we now ensure that sensitive actions can be performed only when the user’s domain is verified and registered to your organization.
What should you do?
If you notice that certain admin actions are restricted for a user, please check whether their email domain is verified.
You can learn how to verify your organization’s domains by referring to our help documentation.
Note: To verify a domain, your organization must own a registered domain (purchased through Zoho Mail or a third-party provider) and complete verification via Zoho Mail or Zoho Directory using a paid plan. Verified domains will then be recognized automatically in Zoho Cliq.