Create an authenticator enrollment policy

Authenticator enrollment policies control how end users enroll in an authenticator. You can create policies and rules for specific authenticators, apply them to specific groups within your org, and have them automatically enforced for only those users.

  1. In the Admin Console, go to Security > Authenticators.

  2. Click the Enrollment tab.

  3. To create a policy, click Add a policy to open the Add Policy page.

    • Policy name: Enter a descriptive policy name.
    • Policy description: Describe the elements of the policy.
    • Assign to groups: Enter a predefined group. When you enter text, it auto-completes the group name.
    • Eligible authenticators: The authenticators you set up under the Setup tab appear here. Use the dropdown menu to define whether the option is Required, Optional, or Disabled for that group. When you disable an authenticator in a policy, end users can't select that authenticator when signing in regardless of whether they were enrolled in that authenticator before.
  4. Click Create Policy to complete the process.

The following actions affect only the selected policy. Select the policy name in the list to display its options.
  • Active: Activate or deactivate the selected policy. If you deactivate a policy, it isn't applied to any user, but you can reactivate it later.
  • Edit: Change elements of the policy.
  • Delete: Delete the selected policy. The default policy can't be deleted. A deleted policy can't be recovered.
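
Before setting an authenticator to Disabled or changing a policy's Active state, it helps to see who is affected. The following is an added example, not part of the original page or any product API: it models the Required/Optional/Disabled settings and the Active flag described above and reports which users in the assigned groups lose an authenticator they already enrolled. The dict shapes, authenticator names, and user records are constructed assumptions.

```python
# Added example; the dict shapes and authenticator names are constructed, not a product API.
REQUIRED, OPTIONAL, DISABLED = "Required", "Optional", "Disabled"

def policy_applies(policy, user):
    """Applied only when the policy is active and the user is in an assigned group."""
    return policy["active"] and bool(set(policy["groups"]) & set(user["groups"]))

def disable_impact(policy, users):
    """Map each affected login to what the policy takes away or demands."""
    settings = policy["authenticators"]
    disabled = {name for name, state in settings.items() if state == DISABLED}
    required = {name for name, state in settings.items() if state == REQUIRED}
    report = {}
    for user in users:
        if not policy_applies(policy, user):
            continue
        enrolled = set(user["enrolled"])
        lost = enrolled & disabled      # enrolled earlier, no longer selectable at sign-in
        usable = enrolled - disabled    # enrolled and still selectable
        missing = required - enrolled   # Required by the policy but not yet enrolled
        if lost or missing:
            report[user["login"]] = {
                "lost": sorted(lost),
                "still_usable": sorted(usable),
                "must_enroll": sorted(missing),
                "nothing_enrolled_usable": not usable,
            }
    return report

# Constructed sample policy and users.
POLICY = {
    "name": "Contractors enrollment",
    "active": True,
    "groups": ["Contractors"],
    "authenticators": {"password": REQUIRED, "phone": DISABLED, "security key": OPTIONAL},
}
USERS = [
    {"login": "alice", "groups": ["Contractors"], "enrolled": ["password", "phone"]},
    {"login": "bob", "groups": ["Contractors"], "enrolled": ["phone"]},
    {"login": "carol", "groups": ["Employees"], "enrolled": ["phone"]},
    {"login": "dave", "groups": ["Contractors"], "enrolled": ["password", "security key"]},
]

if __name__ == "__main__":
    for login, impact in disable_impact(POLICY, USERS).items():
        print(login, impact)
```

Users flagged with `nothing_enrolled_usable` have no previously enrolled authenticator left to select once the policy applies, so they are the ones to contact before the change.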

To customize the authentication policy, see Configure an authenticator enrollment policy rule.

