Citrix Cloud

Manage Citrix Cloud administrators

Administrators are managed from the Citrix Cloud console. If you want to be added as an administrator to an existing Citrix Cloud account, an existing administrator of the account must invite you.

Citrix Cloud also supports using tokens as a second factor of authentication for Citrix Cloud administrators. After you’re added as an administrator, you can enroll your device in multifactor authentication and generate tokens using any app that follows the Time-Based One-Time Password standard, such as Citrix SSO or Google Authenticator.

Invite new administrators

After signing in to Citrix Cloud, select Identity and Access Management from the menu.

Citrix Cloud console with Identity and Access Management menu option selected

On the Identity and Access Management page, click Administrators. The console shows all the current administrators in the account.

Identity and Access Management page with Administrators tab selected

To invite an administrator:

  1. In Add administrators from, select the identity provider from which you want to select the administrator. Depending on the identity provider selected, Citrix Cloud might prompt you to sign in to the identity provider first (for example, Azure Active Directory).
  2. If Citrix Identity is selected, enter the user’s email address and then click Invite.
  3. If Azure Active Directory is selected, type the name of the user you want to add and then click Invite.
  4. Configure the appropriate permissions for the administrator. Full access (selected by default) allows control of all Citrix Cloud functions and subscribed services. Custom access allows control of the functions and services that you select.
  5. Click Send Invite.

Citrix Cloud sends an invitation to the user you specified and adds the administrator to the list. The email is sent from cloud@citrix.com and explains how to access the account. Citrix Cloud also displays the status of the invitation so you can see whether the user accepted it and signed in to Citrix Cloud.

When the administrator receives the email, they click the Join link to accept the invitation. Also, a browser window opens, displaying a page where they can create their password.

Note:

If the administrator already has an account, Citrix Cloud prompts them to use their existing password and sign in. After accepting the invitation, the administrator receives a welcome email and Citrix Cloud shows the administrator as “Active” in the console.

Modify administrator permissions

When you add administrators to your Citrix Cloud account, you define the administrator permissions that are appropriate for their role in your organization. However, from time to time, you might need to assign a different level of access to an existing administrator.

Only Citrix Cloud administrators with Full access can define permissions for other administrators.

To change existing administrator permissions:

  1. Sign in to Citrix Cloud at https://citrix.cloud.com.
  2. From the Citrix Cloud menu, select Identity and Access Management and then select Administrators.
  3. Locate the administrator you want to manage, click the ellipsis button, and select Edit access.
  4. To allow or disallow specific permissions, select Custom access.
  5. For each permission, select or clear the check mark as needed.
  6. Click Save Changes.

Enroll your device in multifactor authentication

To keep your Citrix Cloud administrator account safe and secure, use multifactor authentication when you sign in. Enrolling in multifactor authentication prevents unauthorized access to your administrator account and only requires a device, such as a computer or mobile device, with an authenticator app installed that follows the Time-Based One-Time Password standard, such as Citrix SSO.

Mandatory enrollment

Enrolling in multifactor authentication is required for all Citrix Cloud administrators. If you have not enrolled in multifactor authentication, Citrix Cloud prompts you to enroll when you sign in.

Multifactor authentication enrollment prompt

To enroll your device

During enrollment, Citrix Cloud presents a QR code that you can scan with your authenticator app. For a smooth enrollment process, Citrix recommends downloading and installing this app on your device beforehand. Citrix Cloud also generates one-time use backup codes that you can use to access your account in the event you lose your device or can’t use your authenticator app.

Notes:

  • When signing in to Citrix Cloud, verify that you are viewing the Citrix Cloud sign-in page at https://accounts.cloud.com. If you sign in to Citrix Cloud using a different URL (such as https://accounts-internal.cloud.com), enrollment in multifactor authentication fails.
  • Only administrators under the Citrix identity provider can enroll in multifactor authentication through Citrix Cloud. If you use Azure AD to manage Citrix Cloud administrators, you can configure multifactor authentication using the Azure portal. For more information, see Configure Azure Multi-Factor Authentication settings on the Microsoft web site.
  • After you enroll, multifactor authentication is used for all customer organizations that you belong to in Citrix Cloud. You can’t disable multifactor authentication after completing the enrollment process.
  • You can enroll only one device. If you enroll a different device later, Citrix Cloud deletes the current device enrollment and replaces it with the new device. See Change your device for multifactor authentication in this article.
  1. Go to https://citrix.cloud.com and verify that the URL redirects to https://accounts.cloud.com. Sign in using your Citrix Cloud credentials.
  2. If you are an administrator for multiple customer organizations, select one from the list.
  3. From the top-right menu, select My Profile. User menu with My Profile link highlighted
  4. In Authenticator app, select Set up authenticator app. Account Settings page with authenticator app setup link highlighted Citrix Cloud sends you an email with a verification code. Device registration email with verification code
  5. After you receive the email, enter the 6-digit verification code and your Citrix Cloud password and select Verify. Account verification page with verification code and password entries
  6. From the authenticator app, scan the QR code or enter the key manually. Your authenticator app displays an entry for Citrix Cloud and generates a 6-digit code. Download authenticator app screen with QR code and key highlighted
  7. Under Verify your authenticator app, enter the code from your authenticator app and select Verify code.
  8. Configure the following account recovery methods in the event you lose your device or can’t use your authenticator app:
    • Recovery phone (required): Select Add a recovery phone and enter a phone number that a Citrix Support representative can use to call you and verify your identity. Citrix Support uses this phone number only when you request help to sign in. Citrix recommmends using a landline phone number.
    • Backup codes (required): Select Generate backup codes to create a set of one-time use backup codes to help you sign in if you can’t use your authenticator app. When prompted, select Download codes to download your backup codes as a text file. Then, select I’ve saved these codes and select Close. Download backup codes screen with Download button and confirmation box highlighted
  9. Select Finish to complete the enrollment.

After successful enrollment, the Authenticator app section displays a green check mark and the My Profile page displays your configured recovery methods.

Account Settings page with Multi-Factor Authentication configured

The next time you sign in with your Citrix Cloud administrator credentials, Citrix Cloud prompts you for the verification code from your authenticator app.

Verification code entry page

Change your device for multifactor authentication

If you lose or want to change your enrolled device or reset your authenticator app, you can re-enroll in Citrix Cloud multifactor authentication.

Notes

  • Changing your device deletes the current device enrollment and generates a new authenticator app key.
  • If you are re-enrolling with the same authenticator app from your original enrollment, delete the Citrix Cloud entry from your authenticator app before you re-enroll. The codes displayed in this entry will no longer work after you complete re-enrollment. If you don’t delete this entry before or after re-enrollment, your authenticator app displays two Citrix Cloud entries with differing codes which can cause confusion when signing in to Citrix Cloud.
  • If you are re-enrolling with a new device and don’t have an authenticator app, download and install one from your device’s app store. For a smoother experience, Citrix recommends installing an authenticator app before you re-enroll your device.
  1. Sign in to Citrix Cloud and enter the code from your authenticator app. Verification form with Don't have your authenticator app highlighted

    If you don’t have your authenticator app, click Don’t have your authenticator app? and select a recovery method to help you sign in. Depending on the recovery method selected, enter the recovery code you received or an unused backup code and select Verify.

  2. If you are an administrator for multiple customer organizations, select any customer organization.
  3. From the top-right menu, select My Profile.
  4. In Authenticator app, select Change device. Login security section with Change device highlighted
  5. When prompted to confirm changing your device, select Yes, change device.
  6. Verify your identity by entering a verification code from your authenticator app. If you don’t have an authenticator app, select Don’t have your authenticator app? and select a recovery method. Depending on the recovery method you select, enter the verification code or recovery code you receive or an unused backup code. Select Verify.
  7. If you are using the device you originally enrolled and your original authenticator app, delete the existing Citrix Cloud entry from your authenticator app.
  8. If you are enrolling a new device and don’t have an authenticator app, download one from your device’s app store.
  9. From your authenticator app, scan the QR code with your device or enter the key manually.
  10. Enter the 6-digit verification code from your authenticator app and select Verify code.

Manage your verification methods

Important:

To ensure your Citrix Cloud account remains secure, keep your verification methods up-to-date with accurate information. If you lose access to your authenticator app, these verification methods are the only way you can recover access to your account.

Verification Methods section in My Profile console

Generate new backup codes

If you lose or need to generate more one-time use backup codes, you can generate a new set of backup codes at any time. After you generate new backup codes, be sure to store them in a safe place.

  1. Sign in to Citrix Cloud and enter the code from your authenticator app.
  2. If you are an administrator for multiple customer organizations, select any customer organization.
  3. From the top-right menu, select My Profile.
  4. Under Verification methods, in Backup codes, select Replace backup codes.
  5. Verify your identity by entering a verification code from your authenticator app.
  6. When prompted to replace your backup codes, select Yes, replace. Citrix Cloud generates and displays a new set of backup codes.
  7. Select Download codes to download your new codes as a text file. Then, select I’ve saved these codes and select Close.

Change your recovery phone number

  1. Sign in to Citrix Cloud and enter the code from your authenticator app.
  2. If you are an administrator for multiple customer organizations, select the customer organization from which you originally enrolled in multifactor authentication.
  3. From the top-right menu, select My Profile.
  4. Under Verification methods, in Recovery phone, select Change recovery phone.
  5. Enter the new phone number you want to use and then select Save.

Manage Citrix Cloud administrators