Users - Reset Password | Admin Guide - Zoho One

Domain dependence for user management actions

Admins reserve the right to manage users in their organization. However, there are certain restrictions imposed on admins when it comes to resetting a user's password or MFA and few other actions. These restrictions are dependent on the domain of the user's email address.

What is a domain name?

A domain name refers to the address of a website. In simple terms, if your house is a website, then the house address is the domain. When someone buys a domain, they become the domain owner. It's important for the owner to get their domain verified in Zoho One, in order to confirm their identity.
Domains can be broadly classified into verified and unverified domains.

Verified vs. unverified domains 

Let's look at a scenario to explain the difference between these types of domain.
Assume that Walter has bought the domain name zylker.com for his company. Next, he hires employees for his company, with each employee getting an email address with the domain zylker.com, such as megan@zylker.com and james@zylker.com. Since Walter owns the domain, he can verify it in Zoho One. Once it is verified, Walter can reset any employee's password.
Now, for some additional work, Walter hires external consultants. These external consultants will have corporate and personal email addresses of their own, for example, leonard@zohomail.com or antony@gmail.com. When Walter adds them to his organization in Zoho One, the domain of their email addresses cannot be verified in Zoho One since Walter doesn't own either of the domains. In such cases, Walter will not be able to reset their password.

What is the need for domain verification restriction?

By having domain verification restrictions, only the domain owner gets the authority to perform user action. If you own a domain and got it verified in Zoho One, you can perform all the user actions under that domain. However, if there are external users or users with personal emails, they will have to reset their passwords/generate backup code themselves for identification and security reasons.

Whose password can an admin reset? 

Admins can only reset the passwords for users with verified-domain email addresses. 
  1. If a user has only unverified domain or users without a confirmed verified-domain email address: They must reset their password themselves by signing into Zoho Accounts.
  2. Adding a new email: If a verified-domain email is added to a user's profile, it remains "unverified" until the user approves it. A consent email is sent to the user's primary email address. Once they approve the invitation, the email becomes verified.

What are all the actions that are restricted for admins to perform?

To strengthen account security and safeguard user management settings, we are imposing domain-based restrictions on certain admin actions. Until a user's email domain is verified and confirmed, admins cannot perform the following actions: 
  1. Reset MFA
  2. Enable/Disable MFA
  3. Generate backup code for a user
  4. Create Mailbox
This is to prevent unauthorized recovery or access attempts by ensuring that these actions are limited to users belonging to trusted, verified domains.