Create an authentication enrollment policy

Authentication enrollment policies control how end users enroll in an authenticator. You can create and enforce policies and rules for specific authenticators, apply them to specific groups within your org and automatically enforce them for only those users.

  1. In the Admin Console, go to Security > Authenticators.

  2. Click the Enrollment tab.

  3. To create a new policy, click Add a policy to open the Add Policy screen.

    • Policy name: Enter a descriptive policy name.
    • Policy description: Describe the elements of the policy
    • Assign to groups: Enter a predefined group. When text is entered, it will auto-complete the group name.
    • Effective factors: The factors you set up under the Factor Type tab appear here. Use the dropdown menu to define whether the option is required, optional, or disabled for that group. Note that when you disable an authenticator in a policy, end users will no longer be able to select that authenticator when signing in regardless of whether they were enrolled in that authenticator before.
  4. Click Create Policy to complete the process.
The following actions affect only a selected policy. Select the policy name in the list to select and display options.
  • Active: Activate or deactivate the selected policy. If you deactivate a policy, it will not be applied to any user, but you can reactivate it later.
  • Edit: Change elements of the policy.
  • Delete: Delete the selected policy. The default policy can't be deleted. A deleted policy can't be recovered.

Once your authentication enrollment policy is saved, you can configure it further by defining an authentication enrollment policy rule.

Related topics

Configure an authentication enrollment policy rule

Multifactor Authentication

About MFA authenticators

Sign-on policies and rules