When you join an organization as a user, the admin of the organization will have certain privileges over your account. Your admin can:
- Perform certain actions that you could also do yourself (such as changing your password).
- Require you to follow certain rules and restrictions (such as enforcing multi-factor authentication and IP-based access restriction).
- Perform critical actions (such as deleting your sessions, and deactivating your account).
The privileges of the organization admin over your account are described below:
Deactivate or close your account
Your organization admin can deactivate your account or close your account permanently, if they deem it necessary. If your account is deactivated, you will not be able to access the apps you were using before. If your account is closed, all the data associated with your account and the apps you use will be deleted.
Reset password and MFA
Your admin will be able to reset your password. If you forget your account password and are unable to reset it yourself, you can contact your admin to reset it for you.
If multi-factor authentication (MFA) is configured for your account, your admin will also be able to reset MFA for your account. So, if you are unable to verify using MFA and don't have backup verification codes, you can contact your admin to reset MFA for you. Once your admin resets MFA for your account, you can sign in with just your password and then re-configure MFA. Until you re-configure it, your account is protected by your password alone, so do this promptly.
Enforce custom SSO authentication
Restrict federated sign-in
Federated sign-in allows you to sign in to your account using other services such as Google, Facebook, and LinkedIn, by linking these external accounts with your Zoho account. However, your admin can restrict you from linking these other services with your account and from signing in using them.
Enforce IP-based access restriction
Through security policies, your organization admin can set up some IP addresses as "Allowed IP addresses" and let you access your account only from those IP addresses. If such a policy is enforced, when you try to access your account from an IP address that is not in the Allowed IP addresses list, you will be denied access.
Enforce multi-factor authentication (MFA)
Multi-factor authentication (MFA) adds one or two extra layers of verification to your sign-in process, besides just entering your username and password. Although users can set up MFA for their account themselves, an organization admin can set up an MFA policy and enforce it for the organization users in order to dictate the organization's security practices.
Through MFA policy, the admin can define the following for organization users:
- Enforce specific MFA modes
There are four MFA modes available: Zoho OneAuth, SMS-based OTP, OTP authenticator, and Security key. The admin can set one or more of these modes as available MFA modes for your account. If your admin has set only one mode as available, you will need to set up that particular mode for your account. If there are two or more modes made available by your admin, you can choose which modes to set up for your account.
- Set MFA lifetime
If you frequently sign in from the same device using a particular browser, you can set it as a trusted browser and skip MFA verification whenever you sign in from that browser, for as long as the trust exists (i.e., the MFA lifetime). Your admin can define how long this MFA lifetime should be. Your admin can also restrict you from trusting a browser, which means you will never be able to skip MFA verification.
- Allow/Restrict usage of backup verification codes
Backup verification codes allow you to recover your account if you are unable to verify using your MFA mode. You can generate these codes from accounts.zoho.com. But your admin can restrict you from generating and using these backup verification codes. If your admin has restricted backup codes and you're unable to verify using MFA, you will need to contact your admin to reset MFA for your account.
Set up and enforce password policy
Your admin can set up a password policy and enforce it for your account. Via the password policy, the admin can dictate your password's complexity, the minimum password age, and the maximum password age.
- Password complexity
The password complexity encompasses how long your password must be and whether it must contain special characters, numbers, lowercase letters, and uppercase letters.
- Minimum password age
This dictates the time duration between two successive password changes. For example, if your admin has set the minimum password age as 1 day, you can only change your password 1 day after the previous time you changed your password.
- Maximum password age
This dictates the maximum duration a password will be valid. For example, if your admin has set the maximum password age as 3 months, you will need to change your password every 3 months.
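To make the three password-policy rules above concrete, here is an added example (not Zoho's code, and not any documented Zoho API) of how a service might enforce them when a user asks to change their password. The policy values, the `PasswordPolicy` class, and the helper names are assumptions made for illustration; the sample passwords and timestamps are constructed inline.

```python
import re
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Dict, List


@dataclass(frozen=True)
class PasswordPolicy:
    """Hypothetical admin-defined policy: complexity plus minimum/maximum age."""
    min_length: int = 8
    require_lowercase: bool = True
    require_uppercase: bool = True
    require_digit: bool = True
    require_special: bool = True
    min_age: timedelta = timedelta(days=1)    # the page's "1 day" example
    max_age: timedelta = timedelta(days=90)   # roughly the page's "3 months" example


DEFAULT_POLICY = PasswordPolicy()

# (policy attribute, regex for the character class, label used in error messages)
_CLASS_CHECKS = (
    ("require_lowercase", r"[a-z]", "a lowercase letter"),
    ("require_uppercase", r"[A-Z]", "an uppercase letter"),
    ("require_digit", r"[0-9]", "a digit"),
    ("require_special", r"[^A-Za-z0-9]", "a special character"),
)


def complexity_violations(password: str, policy: PasswordPolicy = DEFAULT_POLICY) -> List[str]:
    """Return every complexity rule the password breaks (empty list = compliant)."""
    problems = []
    if len(password) < policy.min_length:
        problems.append(f"shorter than {policy.min_length} characters")
    for attr, pattern, label in _CLASS_CHECKS:
        if getattr(policy, attr) and not re.search(pattern, password):
            problems.append(f"missing {label}")
    return problems


def is_expired(last_changed: datetime, now: datetime, policy: PasswordPolicy = DEFAULT_POLICY) -> bool:
    """Maximum password age: the password is no longer valid once it is older than max_age."""
    return now - last_changed > policy.max_age


def evaluate_change(new_password: str, last_changed: datetime, now: datetime,
                    policy: PasswordPolicy = DEFAULT_POLICY) -> List[str]:
    """Reasons a user-requested change is rejected; an empty list means it is accepted.

    Minimum age is checked against the time of the previous change, so a user
    cannot rotate through several passwords within one day to get back to an old one.
    """
    reasons = complexity_violations(new_password, policy)
    if now - last_changed < policy.min_age:
        reasons.append(f"minimum password age of {policy.min_age.days} day(s) has not elapsed")
    return reasons


def demo() -> Dict[str, object]:
    """Run the checks over constructed inputs and return the outcomes."""
    t0 = datetime(2024, 3, 1, tzinfo=timezone.utc)  # constructed: last password change
    return {
        "weak": complexity_violations("password"),
        "strong": complexity_violations("Tr0ub4dor&3"),
        "too_soon": evaluate_change("Tr0ub4dor&3", t0, t0 + timedelta(hours=12)),
        "after_min_age": evaluate_change("Tr0ub4dor&3", t0, t0 + timedelta(days=1)),
        "expired": is_expired(t0, t0 + timedelta(days=91)),
        "not_expired": is_expired(t0, t0 + timedelta(days=30)),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

Note that `evaluate_change` reports all failures at once rather than stopping at the first, which is what a user-facing form needs; the minimum-age check deliberately uses "less than" so that a change exactly one day after the previous one is allowed, matching the page's description.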
Enforce session policy
Your organization admin can define and enforce the following session policies for your account:
- Session lifetime
It means how long an active session can remain signed in before it gets signed out automatically, regardless of activity. By default, the session lifetime is 30 days. However, your admin can set the lifetime to anything between 1 day and 30 days.
- Idle session timeout
It means how long a session with no activity can remain signed in before it gets signed out automatically. Your admin can set the timeout to 30 minutes or longer; 30 minutes is the shortest value allowed.
- Concurrent session limit
It means the maximum number of active sessions you can have at a time. The default limit is 50 concurrent sessions. However, your admin can set the limit to anything between 1 and 50 sessions.