MFA Policies
Policies decide when MFA is required, for whom, and with which factors. They're evaluated by priority; the first match applies.
Create a policy
- Go to Network → MFA → Policies → New.
- Set:
- Name and Priority (lower = evaluated first).
- Applies to — everyone, or a specific group / user set.
- Decision:
- Require MFA — challenge for a second factor.
- Allow without MFA — let matching users through (e.g. an exception).
- Deny sign‑in — block outright.
- Allowed factors — which factors satisfy the challenge (TOTP / Push / passkey).
- Save.
Order matters
Put narrow exceptions (a service account, a trusted group) above your broad Require MFA rule. Test with a pilot group set to Require before applying org‑wide.
tip
A common shape: high‑priority "Allow without MFA" for a break‑glass admin group, then a catch‑all "Require MFA (Push, TOTP)" for everyone else.