Greetings, Zoho Directory Admins!
This forum post is for every admin user who signed up before March 6, concerning a couple of changes in the Reset password flow, which are set to take effect from June 4.
The current flow allows a Zoho Directory admin to reset the password of any user of the organization, irrespective of the verification status of their email domain. To put it simply, a Zoho Directory admin can even reset the password of a user whose email domain isn't verified in Zoho Directory yet. Examples of such users with unverified domains who can co-exist with other users in an organization include clients, accountants, vendors, partners, and the like. Thus, an admin is granted immoderate access to reset the password for someone who could technically be outside the organization's sphere of verified domains. Entitling an admin to exert control over them might have significant security concerns, leading to the introduction of the new flow changes.
With the first one of the soon-to-come changes in place, the permission to reset someone's password will be restricted based on whether the domain is verified in Zoho Directory or not. Therefore, the admins cannot reset the password of any user whose email domain remains unverified. Once a user's domain is verified in a Zoho Directory organization, they can be regarded as a confirmed user of that organization and within the admin's scope of resetting their password.
Another change is the replacement of the option to
set any different password than the existing one with the easier method of
OTP verification. With this change, only an OTP is shared, and the account owner is allowed to reset their password on their own. The admin doesn't reserve the right to determine any user's password, thus averting even the slightest security issue possible.
Learn how to reset a user's password in Zoho Directory.
These changes are already in implementation by default for all new users who signed up after March 6 and also to potential newcomers henceforth. From June 4, this will be extended to old users too. Please be sure to have your users verified in your Zoho Directory organizations in order to avoid concerns as discussed earlier. Please note, any user can change their password at any time at
accounts.zoho.com.
Regards,
The Zoho Directory Team