User Management - Provisioning

All user management takes place in the Users section of the Web Console. All ESA users must have valid mobile phone numbers, unless the user will authenticate using a Hard Token or FIDO authenticator. The phone number for each user is either entered manually when creating/editing the user in the Web Console, imported along with the user information if synchronizing with LDAP, or entered by the user if self-enrollment is enabled.

Each user belongs to a realm (domain, computer name, etc.). Realms and users are created automatically when a user logs on to a machine with an ESA component installed, logs in to a service protected by ESA, or if ESA is synchronized with LDAP. You can also create custom realms manually.

The image below shows a custom realm and an automatic realm. The custom realm (Custom Realm) was created manually and the user Test User was added to it. The automatic realm and its 2 users (admin, Test) were created automatically. The realm name was taken from the computer where the Windows Login plug-in of ESA is installed and where the 2 users are logged on. The Status column indicates whether the user has 2FA enabled (and has used 2FA at least once).



Create a custom realm manually

1. Click the add-or-create icon next to Realms and click Create custom Realm.

2. Enter the desired string for both Realm ID and Realm Name, select Category and click Save.

Add user to a realm manually

1. Select the realm where you want to add the user.

2. Click Add user...

3. Enter the name and phone number of the user.

4. Click Create user.


Phone number format

Mobile numbers must be in international format, for example "+421987654321", where "+421" is the country code. A Slovak phone number "0987654321" would be entered as "+421987654321", replacing the leading zero "0" with the country code "+421". A US phone number "201-321-4567" would be entered as "+12013214567", where "+1" is the country code.
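The following Python code is an added example, not part of ESA or of the original documentation. It normalizes phone numbers to the international format described above before they are entered or imported, and reports entries that cannot be used. The function names, the trunk_prefix parameter and the 7-digit lower bound are assumptions made for this example.

```python
import re

# '+' followed by 7 to 15 digits, first digit non-zero. 15 is the E.164 maximum;
# the lower bound of 7 is a sanity check chosen for this example.
INTERNATIONAL = re.compile(r"^\+[1-9]\d{6,14}$")

def to_international(raw, country_code, trunk_prefix="0"):
    """Return raw as '+<country code><number>'; raise ValueError if unusable.

    country_code is the default applied to numbers entered in national form.
    trunk_prefix is the leading national digit that the country code replaces
    (the "0" in the Slovak example); pass "" where there is none.
    """
    text = raw.strip()
    # Allow only digits, common separators and a single leading '+'.
    if re.search(r"[^\d+\s().-]", text) or "+" in text[1:]:
        raise ValueError(f"unexpected characters in {raw!r}")
    digits = re.sub(r"\D", "", text)
    if text.startswith("+"):
        candidate = "+" + digits  # already international, just drop separators
    else:
        if trunk_prefix and digits.startswith(trunk_prefix):
            digits = digits[len(trunk_prefix):]
        candidate = "+" + country_code.lstrip("+") + digits
    if not INTERNATIONAL.match(candidate):
        raise ValueError(f"{raw!r} is not a valid international number")
    return candidate

def check_users(rows, country_code):
    """Split (user name, phone) rows into normalized and rejected entries."""
    accepted, rejected = {}, {}
    for name, phone in rows:
        try:
            accepted[name] = to_international(phone, country_code)
        except ValueError as err:
            rejected[name] = str(err)
    return accepted, rejected

# Constructed sample data, not taken from a real deployment.
SAMPLE = [("admin", "0987654321"), ("Test", "+421 987 654 321"),
          ("Test User", "call reception")]

if __name__ == "__main__":
    good, bad = check_users(SAMPLE, "+421")
    print(good)
    print(bad)
```

Rejected entries should be corrected before provisioning, because the enrollment message is sent to the stored number.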

You can also import users to a custom realm from a file.

Send mobile application to users

1. Select the check box next to users who will receive the mobile application.

2. Click Send application.

3. Close the confirmation window.


Enabling 2FA per user

Click a user and select the desired authentication options. OTP and Push authentication are the most convenient ones. If Hard Token OTPs have been enabled and imported, then Hard Tokens will be available in the drop-down menu under the Hard Token slider bar. Click Save to save the changes.



If an authentication method requires any information, a notification is displayed. You can still save the user's profile, and if self-enrollment is enabled, the user can fill in the missing information once they sign up for 2FA.

If Mobile Application OTP or Mobile Application Push has been turned on, a notification will display to remind you to send the enrollment/provisioning message to the user to activate the mobile application.



If you click Do not send or Cancel, you can use the Actions button to send the enrollment/provisioning message later. If you click Send, an information window will show you the unique application URL that has been sent to the user.

Enabling 2FA for multiple users at one time

1. Select the check box next to the users you are enabling 2FA for.

2. Click 2FA, select Enable and select the desired authentication option.

3. Close the confirmation window.


Instructions for installing and using the mobile application (click the desired mobile OS to be redirected to the corresponding article):



Windows Phone

See a list of IP addresses and ports used for communication with ESET Secure Authentication Provisioning Server.


Users change their phone number

If users change their phone number, the provisioning must be carried out again. However, the previous token(s) must be deleted from the mobile application. To delete a token, tap the tile to generate an OTP. When the OTP is visible, hold the tile and swipe left. Confirm the removal.