# User Authentication

### Overview

This page details the processes for new users, account renewal and account expiry.

{% hint style="success" %}

#### Emails from Highlight

All emails will be sent from the **<noreply@highlight.net>** address
{% endhint %}

### New user

The new user process follows these steps:

1. New user is created by an Admin user, see [create user](https://support.highlight.net/help/admin/create_user) page
2. Admin user clicks **Save & Welcome** which sends an email to the new user. Also, a weekly scheduled report showing the top 10 heavily loaded watches will arrive in the new user's inbox each Sunday. Find out more about [scheduled reports](/reporting/network-reports/setup.md#scheduled-reports)

<figure><img src="/files/SXUNwsX4DJ3mhXKwxBJF" alt=""><figcaption></figcaption></figure>

New user clicks the **Set password** link in the email, creates new password and sets up [Multi-Factor Authentication](#multi-factor-authentication) (see next section).&#x20;

New user logs in for the first time, accepts our [terms and conditions](/getting-started/new-user/terms-and-conditions.md) and sees the **Let's get started** dialog&#x20;

<figure><picture><source srcset="/files/Gm8TbSpI9MY16y9lfXJu" media="(prefers-color-scheme: dark)"><img src="/files/Kzbs0FaQMdPvT0SahRxa" alt="Let&#x27;s get started modal"></picture><figcaption></figcaption></figure>

<figure><picture><source srcset="/files/S1jQ71PKRMX1VjqNb8Mj" media="(prefers-color-scheme: dark)"><img src="/files/lHAXa6siHLENSCyq2wRp" alt="Getting help modal"></picture><figcaption></figcaption></figure>

An **Account created** email is sent to the new user

<figure><img src="/files/0TiXBlLX4lad1HyM7EYw" alt=""><figcaption></figcaption></figure>

### Multi-Factor Authentication

Highlight's Multi-Factor Authentication (MFA) gives users a choice about their preferred secondary authentication method after username and password are entered. &#x20;

#### Initial MFA set up

<figure><img src="/files/g1hlGYabpGfwecD7WacJ" alt=""><figcaption></figcaption></figure>

Users can link their Highlight login with an authenticator app like Microsoft Authenticator, Google Authenticator, 1Password, etc. The set-up screens provide a QR code to do this or a manually entered key.  There's an additional option to verify via email. &#x20;

New users must enable MFA. Existing users can choose **Skip for now** for a period of time.  However, they will still be shown the MFA set-up screen on every login. &#x20;

#### Subsequent log ins&#x20;

<figure><img src="/files/8PeWMacZk1L5eA3rWFSN" alt=""><figcaption></figcaption></figure>

Users will need to verify their account with a code on every log in. &#x20;

### Federated Authentication for new users

Highlight supports multi-factor authentication and single sign-on through a process called **Federated Authentication** where password authentication is handed off to a third-party OAuth directory (typically Microsoft Azure AD).

There is the option to automatically create a new user in Highlight if that user has not previously logged in but has passed the authentication checks by the third-party provider. This is useful as new staff joining an organisation will be able to log into Highlight with no other admin intervention.

<figure><img src="/files/biJY0mObx4UG7uTYgSDU" alt="Edit Folder Authentication Tab - New users"><figcaption></figcaption></figure>

Auto-created users have the standard permissions (which include viewing heat tiles and details page, creating alerts and running reports). Extra admin permissions can be granted by other admin users if required.

Find out more about [how admin users can set up authentication](https://support.highlight.net/help/admin/create_tree#edit_a_folder_authentication_tab) and [contact us](/getting-started/contact-us.md) for assistance in setting up this feature.

### New user welcome process

When an Admin user clicks **Save & Welcome** the first **Welcome to Highlight** email is sent. The link to **Set password** expires 45 days from the date of the first welcome email. &#x20;

* If the user does not log in a week after the first email, a second welcome email is sent.
* If they do not log in after two weeks, a third welcme email is sent.&#x20;
* After 3 weeks, a final welcome email is sent.  See below for examples.

<figure><img src="/files/0V5WJbXU1k9kBSrPoPAW" alt=""><figcaption><p>If the new user does not log in, a further welcome email is sent after one week</p></figcaption></figure>

<figure><img src="/files/w5VJYj2r1jZ4gprQxKWK" alt=""><figcaption><p>If the new user still does not log in, a third further welcome email is sent after two weeks</p></figcaption></figure>

<figure><img src="/files/14ln4JowD18dDnz1IIDk" alt=""><figcaption></figcaption></figure>

If the new user does not log in after three weeks, a final welcome email is sent as shown above. &#x20;

If the user has not logged in within 45 days, their account is deleted.

An Admin user clicking **Save & Welcome** restarts the new user welcome process or (if 45 days have passed) the user will need to be recreated

### Account renewal

User accounts are set to expire after 3 months (for service providers) or 12 months (for customers). In order to renew a Highlight account, an existing user must confirm their email address. This can be initiated via the Home page or from an account renewal email which is automatically sent.

1. An existing user will see a message on the Home page for 14 days before their account is due to expire. They will also receive an email at 14 days and at 2 days prior to expiry (see steps 3 & 4)
2. The user clicks S**end renewal email** and the Home page message changes&#x20;
3. The user will receive an email like the one below
4. The user clicks the link in the email **(Renew your account now)** and the account is renewed

<figure><img src="/files/Lt47mlkmTxnc7guISCHF" alt=""><figcaption></figcaption></figure>

### Account expiry

1. When an account expires, the user will automatically receive a system email (see steps 4 & 5)
2. If a user attempts to log in to an expired account, the user sees a message **User account has expired**
3. After clicking the **Renew Account** link, the login screen shows **A renewal link email has been sent**

<figure><img src="/files/sI7HNVqcb8XPEKzpfLhI" alt="Account renewal screens"><figcaption></figcaption></figure>

1. The user will receive an email
2. Click the link in the email **(Renew your account now)** and the account is renewed

<figure><img src="/files/yYd9I2mvGVPELOKCEfFK" alt=""><figcaption></figcaption></figure>

If a user does not renew their account, Highlight will send the renewal email every 3 months, then an email at 11 months specifying the date the userid will be removed, and a final email 2 days before removal. Expired user accounts are automatically removed from Highlight after 12 months.

<figure><img src="/files/k6qzNK6BITU4DHwExQiE" alt=""><figcaption></figcaption></figure>

### Forgotten password

Users can request their own password reset, if needed:

<figure><img src="/files/kmGWJrYLz9eJsTjczon8" alt="Forgot Password workflow"><figcaption></figcaption></figure>

The user will receive an email: &#x20;

<figure><img src="/files/zw3N6LrcwWHk7q0oHppH" alt=""><figcaption></figcaption></figure>


---

# Agent Instructions: Querying This Documentation

If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question.

Perform an HTTP GET request on the current page URL with the `ask` query parameter:

```
GET https://help.highlight.net/getting-started/new-user/user-authentication.md?ask=<question>
```

The question should be specific, self-contained, and written in natural language.
The response will contain a direct answer to the question and relevant excerpts and sources from the documentation.

Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.