Create an authenticator enrollment policy

Create an authenticator enrollment policy to manage how and when your end users enroll authenticators. You can create policies specific to authenticators, user groups, and situations.

Before you begin

Configure the authenticators that you want your users to use. At least one authenticator must be enabled for authentication (MFA/SSO). The authenticators you configure must fulfill the security requirements of your org's sign-on policies. See Multifactor authentication.

Create an authenticator enrollment policy

  1. In the Admin Console, go to SecurityAuthenticators. Open the Enrollment tab.
  2. Click Add a Policy. In the Add Policy window, configure the following options:
    • Policy name: Enter a descriptive policy name.
    • Policy description: Describe the elements of the policy.
    • Assign to groups: Enter one or more user groups to which this policy should apply.
    • Authenticators: The authenticators you've configured appear here. Use the dropdown menu to define whether the authenticator is Required, Optional, or Disabled.
      • Each authenticator enrollment policy must require at least one authenticator that's configured for authentication.
      • You can't disable an authenticator or set it to recovery only if it's required in any authenticator enrollment policy. Modify the policy to require another authenticator before updating the first authenticator.
      • End users don't see the disabled authenticator when signing in, even if they'd enrolled that authenticator.
  3. Click Create policy. The policy appears on the Enrollment tab.

Edit an authenticator enrollment policy

An authenticator enrollment policy is by default Active when you create it. To deactivate, click the Active dropdown for the policy and select Deactivate. An inactive policy isn't applied to any users.

To update the policy, click the Edit button for the policy. Make changes and click Update policy.

To delete the policy, click the Delete button for the policy. You can't delete the default policy. Once you delete a policy, it can't be recovered.

To reprioritize the policy, drag and drop the policy in the list to the desired level.

Next step

Configure an authenticator enrollment policy rule