Create an MFA enrollment policy

MFA enrollment policies control how end users enroll in an authenticator. You can create and enforce policies and rules for specific authenticators, apply them to specific groups within your org and automatically enforce them for only those users.

  1. In the Admin Console, go to Security > Authenticators.

  2. Click the Enrollment tab.

  3. To create a new policy, click Add Multifactor Policy to open the Add Policy screen.

    • Policy name: Enter a descriptive policy name.
    • Policy description: Describe the elements of the policy
    • Assign to groups: Enter a predefined group. When text is entered, it will auto-complete the group name.
    • Effective factors: The factors you set up under the Factor Type tab appear here. Use the drop-down menu to define whether the option is required, optional, or disabled for that group. Note that when you disable an authenticator in a policy, end users will no longer be able to select that authenticator when signing in regardless of whether they were enrolled in that authenticator before.
  4. Click Create Policy to complete the process.
The following actions affect only a selected policy. Select the policy name in the list to select and display options.
  • Active button: Use to activate or deactivate the selected policy. If you deactivate a policy, it will not be applied to any user, but you can reactivate it later.
  • Edit button: Use to change elements of the policy.
  • Delete button: Use to delete the select policy. The default policy cannot be deleted. A deleted policy cannot be recovered.

Once your MFA enrollment policy is saved, you can configure it further by defining an MFA enrollment policy rule.

Related topics

Configure an MFA enrollment policy rule

Multifactor Authentication

About MFA authenticators

Sign-on policies and rules