Skip to main content

MFA Policies

Policies decide when MFA is required, for whom, and with which factors. They're evaluated by priority; the first match applies.

Create a policy

  1. Go to Network → MFA → PoliciesNew.
  2. Set:
    • Name and Priority (lower = evaluated first).
    • Applies to — everyone, or a specific group / user set.
    • Decision:
      • Require MFA — challenge for a second factor.
      • Allow without MFA — let matching users through (e.g. an exception).
      • Deny sign‑in — block outright.
    • Allowed factors — which factors satisfy the challenge (TOTP / Push / passkey).
  3. Save.

Order matters

Put narrow exceptions (a service account, a trusted group) above your broad Require MFA rule. Test with a pilot group set to Require before applying org‑wide.

tip

A common shape: high‑priority "Allow without MFA" for a break‑glass admin group, then a catch‑all "Require MFA (Push, TOTP)" for everyone else.