Configure an MFA enrollment policy rule

Rules allow you to add conditions to your policy choices.

  1. Once you’ve created an MFA enrollment policy, click the Add Rule button to configure a policy rule.

Rule Name: Add a descriptive name for the rule you want to create.
Exclude Users: If needed, you can exclude individual users of a group from the rule.
IF user’s IP is:

Use the drop-down menu to enforce where the user will be challenged for authentication:

  • Anywhere: The user is challenged within the network or outside of it.
  • In zone: The user is only challenged if they belong to a preconfigured network zone.
  • Not in zone: The user is challenged if they do not belong to a preconfigured network zone.

THEN Enrollment is:

  • Denied
  • Allowed if required authenticators are missing

  2. Click Create Rule to save the conditions of your new rule.
  3. Select a rule, then perform any of the following actions:
  • Click Active: Activate or deactivate the selected rule. If you deactivate a rule, it is not applied to any user, but you can reactivate it later.
  • Click Expand or the rule name: View details of the rule, such as excluded users.
  • Click Edit: Change settings of the rule.
  • Click Delete: Delete the selected rule. A deleted rule cannot be recovered.
  4. To change the priority of a rule, drag the rule name above or below other rules in the list.
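
The following added example is a simplified model of how the rule settings above interact. It is not Okta code and does not call any Okta API. It assumes rules are checked in list (priority) order and the first matching rule decides the outcome; the rule names, users, and zone addresses are constructed for illustration.

```python
# Simplified model of MFA enrollment rule evaluation (added example, not Okta code).
# Assumption: rules are checked in priority order and the first match decides.
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network

ANYWHERE, IN_ZONE, NOT_IN_ZONE = "Anywhere", "In zone", "Not in zone"
DENIED = "Denied"
ALLOWED_IF_MISSING = "Allowed if required authenticators are missing"

@dataclass
class Rule:
    name: str
    ip_condition: str
    enrollment: str
    zones: list = field(default_factory=list)         # CIDR strings (constructed)
    excluded_users: set = field(default_factory=set)  # "Exclude Users" setting
    active: bool = True                               # "Active" toggle

    def matches(self, user, ip):
        # A deactivated rule applies to nobody; an excluded user skips this rule only.
        if not self.active or user in self.excluded_users:
            return False
        if self.ip_condition == ANYWHERE:
            return True
        in_zone = any(ip_address(ip) in ip_network(z) for z in self.zones)
        return in_zone if self.ip_condition == IN_ZONE else not in_zone

def evaluate(rules, user, ip):
    """Return (rule name, enrollment outcome) of the first matching rule, or None."""
    for rule in rules:  # list order = priority order
        if rule.matches(user, ip):
            return rule.name, rule.enrollment
    return None

# Constructed sample policy: documentation-range addresses, hypothetical names.
CORP = ["192.0.2.0/24"]
RULES = [
    Rule("Block off-network enrollment", NOT_IN_ZONE, DENIED, zones=CORP,
         excluded_users={"breakglass@example.com"}),
    Rule("Enroll on corporate network", IN_ZONE, ALLOWED_IF_MISSING, zones=CORP),
    Rule("Catch-all", ANYWHERE, ALLOWED_IF_MISSING),
]

if __name__ == "__main__":
    for user, ip in [("alice@example.com", "192.0.2.10"),
                     ("alice@example.com", "203.0.113.7"),
                     ("breakglass@example.com", "203.0.113.7")]:
        print(user, ip, "->", evaluate(RULES, user, ip))
```

In this model, a user excluded from the deny rule falls through to the catch-all rule rather than being exempt from the policy, and moving the catch-all rule to the top would shadow the deny rule entirely.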

Related topics

Create an MFA enrollment policy

About MFA authenticators

Sign-on policies and rules