Multiple Concurrent Enrollment Types


The powers that be want to allow self-enrollment in conjunction with syncing our AD users via security group(s). We have two user camps we need to accommodate: proficient users that want to enroll on their own, and the polar opposite that need to be walked through the process.

I’ve read a number of KBs where partially enrolled users have issues with authentication; some apps don’t allow for completing the enrollment process even if they’re configured to bypass. I’d like to know if there is some middle ground for a mixed deployment.

I’d greatly appreciate any insight or alternatives that others may have implemented to allow multiple enrollment types.

The projected configuration would be as follows:

  1. Use Directory Sync with Active Directory using 2 different security groups
    • Enrollment Session Group - Session participants are added to the group before the
      scheduled session and emailed a link to complete enrollment.
    • All Employees Group - synchronize all users’ usernames without phone numbers. This should leave
      the users partially enrolled.
  2. User Self Enrollment
    • Users will have already been partially enrolled by the “All Employees Group”.


You are correct, partially enrolled users will have issues accessing protected apps prior to completing enrollment. Also, once a user is synced via AD they are partially enrolled, and AD exclusively handles some attributes like Group Membership, which could make it difficult to do what the “Powers That Be” would like.

When we deployed to our organization we did an AD sync before we deployed any applications, with plenty of user outreach with instructions on how to complete enrollment. We were able to watch the status of enrollment and target email to users that were failing to complete enrollment, prior to protecting any applications.

Hope this helps.
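To make the two-group configuration from the question and the "watch the status of enrollment and target email to users that were failing to complete enrollment" step from the reply concrete, here is an added example script. It is not code from the thread or from Duo; it assumes user records shaped like the ones Duo's Admin API returns for "Retrieve Users" (GET /admin/v1/users, or duo_client.Admin.get_users()): a dict per user with "username", "email", "status", "groups" (a list of dicts with a "name") and the device lists "phones", "tokens" and "webauthncredentials". The group name "Enrollment Session Group" and the sample users are constructed for the example.

```python
"""Classify AD-synced Duo users by enrollment state and list outreach targets.

Added example, not from the original thread. Field names follow Duo's
Admin API "Retrieve Users" response as I understand it (assumption); the
SAMPLE_USERS list below is constructed, not real data.
"""
from typing import Dict, List

# A user whose sync did not carry a phone number has no device registered.
# Any of these lists being non-empty means enrollment was completed.
DEVICE_KEYS = ("phones", "tokens", "webauthncredentials")

# Hypothetical name of the group the question calls the Enrollment Session Group.
SESSION_GROUP = "Enrollment Session Group"


def is_fully_enrolled(user: Dict) -> bool:
    """True when the user has at least one authentication device registered."""
    return any(user.get(key) for key in DEVICE_KEYS)


def in_group(user: Dict, group_name: str) -> bool:
    """Group membership as returned by Directory Sync (the 'groups' list)."""
    return any(g.get("name") == group_name for g in user.get("groups", []))


def enrollment_report(users: List[Dict], session_group: str = SESSION_GROUP) -> Dict[str, List[str]]:
    """Bucket synced users into the camps the thread describes.

    enrolled        - device registered; nothing to do
    pending_session - no device yet, but queued for a walkthrough session
    pending_self    - no device yet, expected to self-enroll (email targets)
    inactive_status - bypass/disabled/locked out: never prompted for 2FA, so
                      inline enrollment will not pick them up; handle separately
    """
    report: Dict[str, List[str]] = {
        "enrolled": [], "pending_session": [], "pending_self": [], "inactive_status": []
    }
    for user in users:
        name = user["username"]
        if user.get("status", "active") != "active":
            report["inactive_status"].append(name)
        elif is_fully_enrolled(user):
            report["enrolled"].append(name)
        elif in_group(user, session_group):
            report["pending_session"].append(name)
        else:
            report["pending_self"].append(name)
    return report


def outreach_targets(users: List[Dict], session_group: str = SESSION_GROUP) -> List[str]:
    """Email addresses of self-enrollers who have not finished; users synced
    without an email address are skipped and must be chased another way."""
    pending = set(enrollment_report(users, session_group)["pending_self"])
    return sorted(u["email"] for u in users if u["username"] in pending and u.get("email"))


def fetch_users_from_duo(ikey: str, skey: str, host: str) -> List[Dict]:
    """Live fetch with Duo's official duo_client package (pip install duo_client).
    Not exercised by the offline sample below."""
    import duo_client  # assumption: the official client is installed
    return duo_client.Admin(ikey=ikey, skey=skey, host=host).get_users()


# Constructed sample data mirroring the two-group sync from the question.
SAMPLE_USERS = [
    {"username": "alice", "email": "alice@example.com", "status": "active",
     "groups": [{"name": "All Employees"}], "phones": [{"number": "+15555550100"}],
     "tokens": [], "webauthncredentials": []},
    {"username": "bob", "email": "bob@example.com", "status": "active",
     "groups": [{"name": "All Employees"}, {"name": SESSION_GROUP}],
     "phones": [], "tokens": [], "webauthncredentials": []},
    {"username": "carol", "email": "carol@example.com", "status": "active",
     "groups": [{"name": "All Employees"}], "phones": [], "tokens": [], "webauthncredentials": []},
    {"username": "dave", "email": "dave@example.com", "status": "bypass",
     "groups": [{"name": "All Employees"}], "phones": [], "tokens": [{"serial": "0001"}],
     "webauthncredentials": []},
    {"username": "erin", "email": None, "status": "active",
     "groups": [{"name": "All Employees"}], "phones": [], "tokens": [], "webauthncredentials": []},
]

if __name__ == "__main__":
    for bucket, names in enrollment_report(SAMPLE_USERS).items():
        print(f"{bucket:16s} {', '.join(names) or '-'}")
    print("email outreach:", outreach_targets(SAMPLE_USERS))
```

Run it against the live list by swapping SAMPLE_USERS for fetch_users_from_duo(...) output; repeating it on a schedule gives the "watch the status" view the reply describes before any application is protected. Users synced without an email address show up in pending_self but not in the outreach list, which is the case to watch for in the "All Employees" sync.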