Identity Cloud

Tenant administrator settings


The tenant provisioning process initially creates a single administrator, known as the tenant administrator. A tenant administrator is authorized to configure realm and tenant settings, and to invite others to become tenant administrators. All tenant administrator identities get the same realm permissions, and these are not configurable.

You can invite, view, or edit tenant administrators by opening the account menu in the top right of the Identity Cloud admin UI, then navigating to Tenant Settings > Admins.

Tenant administrator sign-in

Tenant administrators access their sign-in page using a URL that specifies the realm as a forward slash:

  • https://<tenant-env-fqdn>/login/?realm=/#/

Upon successful authentication, a tenant administrator is automatically switched to the Alpha realm.

Multiple failed authentication attempts cause Identity Cloud to lock out a tenant administrator. For information about how to unlock an adminstrator’s account, see Unlock a tenant administrator’s account.

Edit your own tenant administrator profile

In the Identity Cloud admin UI, open the Tenant menu (upper right), and click your username.


On your tenant administrator profile page:

  • To edit your name or email address, click Edit Personal Info.
    Provide the information, then click Save.

  • In the Account Security card:

    • To change your username, click Update.

      • Enter your current password, then click Next.

      • Enter your new username, then click Next.
        You’ll receive an email confirming your username has been changed.

    • To change your password, click Reset.

      • Enter your current password, then click Next.

      • Enter your new password, then click Next.
        You’ll receive an email confirming your password has been changed.

  • By default, 2-Step Verification is enabled.
    For more information, see Manage tenant administrator 2-step verification.

Manage tenant administrator 2-step verification

2-Step verification, also known as multifactor authentication (MFA), prevents unauthorized actors from signing in as a tenant administrator by asking for another factor at authentication.

Identity Cloud provides two ways admins can sign in with a second factor:

When you sign in as a tenant administrator for the first time, Identity Cloud offers you choices, and guides you through the device registration process.

During registration, Identity Cloud displays 10 verification codes. Be sure to copy the codes and store them in a secure location.

  • You’ll use the verfication codes as recovery codes if you cannot use your registered device to sign in.

  • You can use each verification code only once. Then, the code expires.

  • If, for some reason, you need to re-register a device, first delete your previously registered device.

Change 2-Step verification options

  1. Open your tenant administrator user profile.
    In the Identity Cloud admin UI, open the Tenant menu and choose your tenant administrator username.

  2. On your tenant administrator user profile page, find 2-Step Verification and click Change.

    The 2-Step/Push Authentication page lists devices you’ve registered for MFA.

    To delete a device, click its More () menu, and choose Delete.

    • When you delete a device from the list, 2-step or push authentication is disabled. You cannot undo the delete operation.

    • Once you sign out and attempt to sign back in again, you will be asked if you want to set up a second factor.

Invite other tenant administrators

Send invitations to people when you want to authorize them to manage settings for your tenant.

  1. In the Identity Cloud admin UI (upper right), open the Tenant menu.

  2. Click Invite admins.

  3. In the Invite Admins dialog box, enter a comma-separated list of email addresses for the people you want to authorize.

  4. Click Send Invitations.
    Identity Cloud sends an email to each address, containing instructions to set up an administrator account.

After the invitee completes the instructions in the invitation email, the invitee becomes an administrator.

By default, new administrators are authorized with the same permissions as the tenant administrator.

View the tenant administrators list

From the tenant administrators list, you can invite new tenant administrators, deactivate tenant administrators, or delete tenant administrators.

  1. In the Identity Cloud admin UI, click the tenant name to expand the settings menu.

  2. Click Tenant Settings > Admins.

    • To invite a new tenant administrator:

    • To deactivate a tenant administrator:

      • Find an administrator with the label Active.

      • Click More (), and select Deactivate.

    • To delete a tenant administrator, click More (), and select Delete.

      When you deactivate a tenant administrator, their status changes, but they remain on the tenant administrators list.

      When you delete a tenant administrator, their username is removed from the tenant administrators list, and tenant administrator permissions are removed from their user profile. This operation cannot be undone!

Unlock a tenant administrator’s account

If Identity Cloud locks out one of your company’s tenant administrators due to multiple failed login attempts, the account can be unlocked.

If your organization has multiple tenant administrators, another tenant administrator can unlock the account:

  1. In the IDM admin UI, open the Tenant menu (upper right), and click your username.

  2. Click Tenant Settings > Admins.

  3. Find the entry for the administrator who was locked out.

  4. In the same row, click More () and choose Activate.

If your organization does not have multiple tenant administrators, submit a support ticket. Go to Backstage, and click Support.

Copyright © 2010-2022 ForgeRock, all rights reserved.