Auto enrollement OWA exchange

Hello everyone,

I’m trying to implement a user-friendly TOTP enrollment process in privacyIDEA for new users in an enterprise environment, (Webmail exchange SE)

My goal is to avoid requiring users to manually access the privacyIDEA portal for enrollment. Instead, I’m looking for approaches such as:

• sending the TOTP QR code directly by email upon account creation,

• allowing a first login without TOTP, then presenting the QR code for enrollment,

• displaying the QR code within a corporate interface (e.g., webmail like OWA or an internal portal),

• or any other secure and practical method commonly used in enterprise setups.

Does anyone have recommendations, best practices, or examples of how to achieve this with privacyIDEA?

thanks

Hello,

My use case is almost identical to yours.
Windows RDP environment with TOTP and MS Authenticator and Exchange SE
I set it up two weeks ago and didn’t encounter any particular difficulties during the installation or configuration.
I don’t grant users access to the portal; instead, I generate the TOTP tokens myself and send an email with the QR code in PNG format. However, users can access their mailbox outside of RDP sessions; they can scan the QR code before their first login. I’m not sure if it’s possible to allow a first login without MFA.

After manually applying the following fix (which will be addressed in version 3.13.1), notifications work correctly. UserNotification event handler - email body always empty in 3.13

The Windows provider agent installs flawlessly on the first try. It offers a wide range of options.
I think it’s an excellent product with lots of features and support for a wide variety of token types.

Thank
Vincent