Support for online Delegated Authorisers

Education Sector Logon (ESL)

Support for online Delegated Authorisers

This guide is intended to familiarise yourself with the key ESL Online Delegated Authoriser functions and responsibilities. It will show you how to invite staff to your organisation, and also how to maintain ESL user accounts for staff at your organisation.

Your role as an online Delegated Authoriser

As an ESL Delegated Authoriser, you will use ESL Online to view and maintain the ESL user accounts for your organisation and their access to Education Sector applications.

ESL Online provides a delegated authoriser with the ability to:

  • send invites to your staff so they can access applications on behalf of your organisation
  • maintain user details and access for your staff
  • unlock accounts for your staff that have 'Locked' their account
  • reset ESL passphrase for your staff
  • re-enable user's disabled accounts
  • generate a report with access details for your staff.

Logon via Self Service and use the Delegated Authoriser option on the black footer
To logon via Self Service, refer to How to use ESL: Self Service

Logon via ESL Online for Delegated Authorisers

a. Go to ESL Online for Delegated Authorisers: ESL Online for Delegated Authorisers
We recommend you save this URL as a favourite on any web browsers you use.

b. Enter your ESL username and passphrase and select ‘Login’.

You will be taken to the Delegated Authoriser Landing page.

Please Note: You must have the ESL Delegated Authoriser access role on your ESL user account to be able to login successfully.

How to get an Education Sector Login

The Delegated Authorisers Landing page should display your name next to the 'Logout' button on the top right of the screen. (If someone else's name is displayed please advise the Education Service Desk straight away.)

Support for ESL

A list of your staff that have an ESL user account is displayed to the right of "Search user". By default, up to 20 users can be shown on the screen at one time. Use ‘Previous’/’Next’ for more users. User details displayed are name, email address, username, and preferred name.

Screen shot - search users

Please note: This section to the right will be empty if your organisation has no ESL users.

This landing page's main function is to search for users within your organisation.

You can search for one or more users by using the various searchable fields. You can choose a user by selecting their name (shown as hyperlinked in blue) to view their account details. See details below about how to search User accounts. 

The left hand menu allows a Delegated Authoriser to carry out to additional user management functions such as invite user, search invites and run a report.

You can also switch between Delegated Authoriser access and Self-Service access. Self Service access allows you to view and manage some of your own ESL user account details. See instructions below about these options.

Please note: if you are a Delegated Authoriser for more than one organisation you must select the organisation you are wanting to administer from the Organisation field on the Search Users screen. 

You can find a user at your organisation by performing a search on the ‘Search users’ page.

Note: This is the same page as the Delegated Authoriser landing page (above).

Select the ‘Search users' function from the left hand navigation menu.
Enter search criteria and then press the ‘Search’ button.  

Search user criteria available are:

  • Username
  • Given name
  • Surname
  • Preferred Name
  • Organisation
  • Application
  • Email address or,
  • Date of Birth
  • Wildcards may be used – see explanation further down 

You may also choose to filter the selection to:

  • Show only enabled (active) users
  • Show only disabled (inactive) users
  • Sort users’ names by surname first then given name

The default search below shows users’ name are sorted by given name and then surname:

Screen image - Search users

This screen shows the sort by surname and then given name when you choose the ‘Show names by surname field’ checkbox.

screen image - search users

In the search results, the Name field contains a link for each user. Click on the link for the user and the details screen will be displayed for that user.

Common ways to search for users are via an Exact search or a Wildcard search. Examples of these search types are provided below.

Information yellow icon

Exact search

The search will return user details that are an exact match on the criteria that you enter.

For example: if your search criteria is Edwards (Surname field), then all users with a last name of Edwards will be returned.

Information yellow icon

Wildcard search

Wildcards take the place of one or more characters in a search term. A question mark (?) is used for single character searching. An asterisk (*) is used for multiple character searching. You can perform a wildcard search to return a larger group of users.

For example: if your search criteria is Edwards* (surname field), then all users with a last name that starts Edwards will be returned (i.e. Edwards will be returned as well as Edwardson).

screen image - wildcard search

New staff that require ESL user access to Education Sector Applications at your organisation must be invited. This applies even if the Staff Member has an existing ESL account, as the invite allows them to connect their account with your organisation. 

An invitation is not an ESL account.  It is the mechanism for connecting an ESL account to the DA’s organisation.  The person then has the opportunity to either create a new ESL account or connect their existing ESL account.  It is recommended to use an existing account because it is easier for someone to manage and remember one account.  Most ESL applications work using a single account.

Select the ‘Invite user’ option from the left-hand menu and you will see the below screen.

Screen shot - Invite user

Enter the user's personal details to exactly match their Evidence of Identity documents. Use the preferred name field to add a name someone generally uses if it is different from their given name in the EOI documentation. The fields with a red asterisk are mandatory (shown above with a green star).

Information yellow icon

E-mail address requirements 

ESL does not allow ‘Generic’ e-mail addresses. A generic e-mail is an address which multiple people have access to, such as ‘office@...’ or ‘admin@...’. If the user has supplied an e-mail like this, you need to request another e-mail address that only they can access.

Screen shot - generic email

If the e-mail address you enter is already in use in ESL, the user will be prompted to enter a different e-mail address while accepting the invite. The user may already have an ESL account with this address, which they should link to this invite.

There are application access roles available for a DA to allocate.  There may also be roles that a user might need that are not showing to a DA.   The reason these roles are unavailable for a DA to give is the access provisioning must be carried out by the technical support teams for the application.  There will be access request forms available for these application roles. 

This screen shows your Organisation Name and a list of available applications.

Screen shot - organisations

Here is where you will select the user’s Standard roles for the organisation that are necessary for them to carry out their responsibilities. 

Clicking on the name of the applications will expand to show the user roles available.  By giving them a role, you are enabling access to that application.

Note: The Education Sector Applications available to your organisation will vary, depending on your organisation type. Select at least one user role when inviting a new user.

No role selected warning message will appear if you attempt to send an invite without selecting any role(s).

Screen shot - no role selected

You may proceed with the invite if you are certain that the user doesn’t require any roles (i.e., access to any applications).

Generally, you should select the ‘Cancel’ button to go back to the invite user screen to select the relevant role/s for the staff member before choosing the invite button to proceed.

To send the user their e-mail invitation select ‘Invite’.

An email invitation will be sent to the user to complete the process, the below message will display in the top right corner of your page. 

Screen shot - invitation sent

Note: The invite will expire after 14 days if the user does not complete the invite process. If this happens, you can resend the invite.

Refer to 'Accept invitation' section on How to use ESL: User invitation - create a new account page.

Before you send staff an email invite, you need to confirm that you have sighted their Evidence of Identity documents. You can read more about EOI requirements at:

How to use ESL: Evidence of Identity

If you cannot see the ESL user’s EOI (Evidence of Identity) documents in-person then the process is as follows depending on who you are:

For the person requiring the ESL
  • If you can, please download and complete the ESL account request form (see How to get an Education Sector Logon | Applications & Online Systems).
  • Using your smartphone take:
    • a photo of the completed application form
    • a photo of your primary Evidence of Identity (EOI) document
    • a photo of your secondary EOI document
    • a photo of yourself holding the two EOI (you may ask someone else to take the photo if it's easier)

Then email these four photos to the Delegated Authoriser for your organisation. 

Note: if you do not know who the Delegated Authoriser for your organisation is please contact the Education Service Desk, via email or phone on 0800 422 599

For the Delegated Authoriser

On receipt of the four photos:

  • If you have access to ESL please process the user’s new ESL application in the normal manner.
  • If you do not have access to ESL then please send the access requests to Education Service Desk via email to

Please note that:

  • All access requests should be sent from the Delegated Authority for your organisation, including the form if you are able to 
  • They must be sent from the official organisation email address,
  • They must be a named email address not a generic account like
  • Must contain an email signature to illustrate who they are and what their role is.
For a new Delegated Authoriser
  • Using your smartphone take:
    • a photo of the completed ESL100 application form
    • take the 3 photos provided by your ESL user and send to your organisation’s principal, CEO or Centre Manager.
  • The Principal, CEO or Centre Manager should then email to Education Service Desk
For an MOE Internal staff member
  • Using your smartphone take:
    • a photo of the required completed form
    • a photo of your primary Evidence of Identity (EOI) document
    • a photo of your secondary EOI document
    • a photo of yourself holding the two EOI (you may ask someone else to take the photo if it’s easier)
      then email these four photos to your manager.
  • Approvals must be from the manager’s address.
For an Education Sector Organisation
  • Using your smartphone take:
    • a photo of the required completed form
    • a photo of your primary Evidence of Identity (EOI) document
    • a photo of your secondary EOI document
    • a photo of yourself holding the two EOI (you may ask someone else to take the photo if it’s easier)
      then email these four photos to your manager.
  • Approvals must be from the manager’s @sectororganisation address and sent via email to

Some application roles are set to Education Service Desk provisioned only. The checkbox is disabled. For Education Service Desk to add this role to the user, please download and complete an appropriate form (details below). You can find the forms here How to get an Education Sector Logon | Applications & Online Systems or use the link in ESL, see example below.

Screen shot - attendance

Information yellow icon

Education Service Desk Provisioned only - ESL forms

 User cohortApplicationESL Form
Early Childhood UsersEarly Learning information (ELI)ESL 21 Form
Secure Data PortalESL 39 Form
School UsersAttendance Service Application (ASA)Contact Education Service Desk
Tertiary UsersAttendance Service Application (ASA)Contact Education Service Desk
NZQA ExtranetESL 120 Form


Follow the steps below to update a user’s access to an ESL application.

Steps on updating access

  1. Log in to ESL Delegated Authoriser
  2. Use the search users screen to find the user who needs their access updated. Click on their name to view their account details. 
  3. From the User account details screen, select Edit roles and organisations.
    screen shot - steps on updating access
  4. From Edit roles and organisations, select the application you want to update for a user.
  5. Check the relevant checkbox to update their access.
    screen shot - e-asttle
  6. Click update at the bottom of the page to confirm the updated role access.
  7. For their permissions to be updated, the user must log out of ESL, restart their internet browser, and then log in to ESL. 

Important notes

  • The ESL user’s evidence of identity (EOI) date must be valid to add permissions to their ESL account. An invalid EOI will display as blank or as a default (01/01/1900). 
  • Some access roles need approval requiring Education Service Desk intervention (including Helios, ENROL and Ngā Kete). All other role changes you make in ESL online are available to your users immediately.
  • The education sector applications available to users will vary depending on their organisation type. 
  • Please note, it is the ESL delegated authoriser’s responsibility that all employees only have access to the ESL permissions required for their role.

For further assistance with your ESL, email 
or phone 0800 422 599.

Use the ‘Reset login details’ function, if a user has forgotten their username or passphrase, or they are locked out of their ESL user account. Once you have searched and selected a user account this function will appear in the menu on the left, select the ‘Reset login details’ option.

Screen shot - Delegated authoriser

As the Delegated Authoriser, you must confirm the identity of the user requesting any of the following three account recovery actions;

Information yellow icon

Reset passphrase 

Using this function will email a one-time passphrase to the user. This one-time passphrase will expire after 6 hours.


  • Once you have confirmed the identity of the staff member who requires one of the three account recovery actions please select the radio box confirming that As the delegated authoriser, I confirm the identity of the user requesting the account recovery action.
  • The user needs to login to ESL Self Service and use this one-time passphrase with their username to complete the passphrase reset process. This must be done before the one-time passphrase expires, the email advises the user of the expiry date and time.
Screen shot - reset user login details

screen image - reset passphrase

screen image - passphrase

Information yellow icon

Send username 

Using this function will send the username to the user's email address from the user details section. 

screen image - username

Information yellow icon

Unlock account 

This option can only be used to unlock an account that has an account status of Locked. This is useful to use when the user has been locked out of their account (by an incorrect passphrase being used too many times), but they can remember what their passphrase is.

screen image - user details

screen image - user's account


  • When a user has entered their security questions incorrectly, ESL will lock out this feature. The user will need to request a passphrase reset.  If they tell you that they are unsure of the answers to their Security Questions please advise them that once they have reset their passphrase the Self-Service page will display. On this page there will be an option for them to view the questions and change them.
  • Check that a user’s account is unlocked before resetting their passphrase.  They will not be able to update their passphrase if the account is locked.
  • Check that the user is not using an expired reset passphrase login link (this only lasts 6 hours).
  • Allow enough time for e-mail delivery before resending a reset passphrase link.  The user must use the last passphrase reset link sent, as this is the only valid one.
Information yellow icon

Re-enable a disabled account 

This option can only be used to re-enable an account that has an account status of disabled. This is useful to use when the user's account has been disabled (by inactivity or by a Delegated Authoriser)

Screen shot - search users

Find and click on the disabled user account you wish to re-enable (account status is denoted by a general prohibition sign next to the account name).

Screen shot - edit user details

The ‘disable reason’ is presented, and in this case, the account was disabled due to inactivity.
Click on “Edit user details”

Screen shot - account

Click on the User stats dropdown and change the status from Disabled to Enabled.

Screen shot - update

Scroll down the page until you see the Update button, click on it to lock in your status change.

Screen shot - Check roles to reminder

You will be prompted to check if the user's account still/only has the relevant roles they require.

Screen shot - the user's acct

A pop-up will advise you that the user's account has been updated. 

Screen shot - user details

You can also review the User Details section to ensure your changes have been set.


If a user’s invite has 'timed out' (invites expire after 14 days) before the user completed the invite process, or the invite was sent to an incorrect email address, then you can resend the invite.

  1. Select the "Search invites' function from the left hand navigation menu.
    Search for the user’s invite by entering relevant search information, then select ‘Search’. In the search results the Name field contains a link for each user.  Select the link for the user you want, then the invite details screen for that user will show.
    Delegated authorizer
    Note: the search invite function has a default setting to find pending and timed out invites (see checkboxes). You may change these to suit your search.
    When you have the search results the Name field contains a link for each user, when clicking the link for the user you want it will take you to the invite details screen for that user.
  2. From the invite details screen, click on ‘resend invite’.
    Check and – if required – update the email address before you resend the invite. 
    Confirm email address
    You can ‘Cancel invite…’ to delete the invitation.  Use this if details have been entered incorrectly, multiple invites have been sent or for any other reason the invite is no longer needed.

    Invite details

    The invite will stay in the system for 30 days.

A user can edit their own contact details (Preferred name, email address or phone number) by using ESL Self Service.

Any changes to a users personal details (Given names, Surname, Date of Birth or Gender) must be done by a DA or the Education Service Desk.

Any changes to identity details requires a new Evidence of Identity check be completed before the user can be updated. Enter the user's personal details to exactly match their Evidence of Identity documents. Use the preferred name field to add a name someone generally uses if it is different from their given name in the EOI documentation.
Following the ‘Search Users’ instructions, find and select the user account for update.

User account details

You can select ‘Edit user details’ from either of the places indicated above. This will display the below screen where you can update the user’s details.

Edit user details

Change any information you deem necessary and select ‘Update’.  This message will show in the top right corner of your page. The user will receive an automated email from ESL confirming that their details have been updated, the email will only confirm that there has been an update not the specifics of what has been updated.

Screen image - user's account updated

To log in to ESL as a Delegated Authoriser, you must first complete the following training:

  • ESL Delegated Authoriser Training Module
  • ESL Security Awareness and Privacy Best Practice Guide

You will be contacted by our Training Services team to book this training. Within 3 working days of completing the module you will be given the Delegated Authoriser Access.
To access and complete this training login to the Education Learning Management System -

A Delegated Authoriser functionality is pending status means your application has been processed, however you may not have completed the two training modules in our Learning Management System -

There are two training modules:

  • ESL Delegated Authoriser training and
  • ESL Security Awareness and Privacy Best Practice Guide. 

Once you have completed both training modules it can take up to 3 working days before you will be given Online Delegated Authoriser access. If after this time, you have not received an email stating you are now an Online Delegated Authoriser, please contact Education Service Desk on 0800 422 599 (NZ) or email

Review users’ access feature facilitates the review of all users and their roles in your organisation. It enables you to periodically confirm or reject their ongoing access in this screen. As a Delegated Authoriser you will be reminded to review each of your users’ roles after they have been assigned for 18 months, and subsequently again whenever 18 months pass since the last review.

screen image - review users' access

screen image - review users' access

Navigating to review users’ access

There are two ways to navigate to Review users’ access:

  1. By clicking the link under User Management.
  2. If you have roles ready for review, you will see a pop-up message when you log in. The message contains a link to Review users’ access:

Screen shot - search users

The total number of reviews pending will also be displayed on the menu link:

Screen shot - search users

What you need to do

If you are a Delegated Authoriser at more than one organisation, select the organisation you want to review from the drop-down menu.

On the screen, there will be a line representing each user-role relationship. E.g if a user has 5 different roles, you will see 5 entries for them on the screen which require review:

Screen shot - review users' access

Each line on the screen has two decision buttons: ‘Confirm’ and ‘Reject’. By clicking ‘Confirm’ you are verifying that the user still requires that role. If you click ‘Reject’, the role will be removed from that user as it is no longer required.

Once you ‘Confirm’ the role for a user, it will disappear from the list. You will see a confirmation message on top of the screen:

Screen shot - role review decisions

If you reject a role, you will be presented with a message informing you the role will be removed:

Screen shot - are you sure

You can sort on any of the rows by clicking on the top of the row.

You can search within any of the rows by typing in the search boxes at the bottom of the list.

 If a user is leaving your organisation then you will need to remove your organisation from the user’s ESL account to they cannot access applications on behalf of your organisation.

Please note: this action removes the user’s connection to your organisation, it does not remove their ESL account

Removing your organisation and access from a user

Search for the Users account and select ‘Edit roles and organisations’.

screen image - delegatated autoriser

screen image  roles and organisations


After selecting an organisation, select the red option ‘Remove user from organisation’, when the pop-up appears select ‘Confirm’.

Screen shot - are you sure

You can use the Reports functionality to get a list of all ESL user accounts at your organisation and their associated applications and access. Select the ‘Create’ link under Reporting in the left-hand side menu, the below will be displayed.

screen image - create reports

A report can be created to:

  • generate a list of all of your ESL users and their access for all Education Sector applications (you can do this by leaving the application field blank) 
  • generate a list of your ESL users for a specific Education Sector application (you can do this by selecting an application from the application field)
screen image - create reports

Once you ‘Create report’ it may take a few moments, or even up to a few minutes to generate the report. The below message will be displayed in the top right corner when you generate the report.

Screen image - creating report

Once the report is generated the page will refresh and the status will show as COMPLETED you can download the report by selecting the hyperlinked Report name, see below.

Screen shot - report name

A message indicating a successful download will show at the top of the screen (in the Microsoft Edge Browser).

screen image - downloads

The report will be generated as a Microsoft Excel download in CSV format.

School reports from ESL fifth screenshot

Once you have finished using ESL Online always use the logout link in the top right corner to terminate your session. This is a security requirement as an ESL user.

screen image - logout