Enable or disable multi-factor authentication for each directory or certain groups

Enable or disable multi-factor authentication (MFA) for each directory on an application or for some groups within the directory. By default, the directory inherits the MFA settings from the application. You can override this in the directory MFA settings.

If two Active Directory (AD) directories are assigned to the IdP of an application, for example AD San Francisco and AD New York, use this procedure to require MFA for the application on just one of them.

Alternatively, you can require MFA only for users who are members of certain groups within the directory. Users in those groups are prompted for MFA. All other users in other groups in that directory are not asked for MFA.

How to

  1. Log in to the EAA Management Portal.
  2. From the top menu bar, click Applications.
  3. Click Settings > AUTHENTICATION.
  4. Click Directory MFA settings on the directory card you want to configure. The Settings dialog appears. Select one of the choices for MFA configuration:
    • Enable. All users in this directory are prompted for MFA before accessing this application.
    • Disable. No users in this directory are prompted for MFA before accessing this application. All other applications under the IdP keep the same MFA settings.
    • Use Application Setting (Default). The MFA settings of the application are applied to this directory.
    • Enable for specific Groups. Use this option if you want users belonging to specific groups in the directory to have MFA.

    All groups appear in the dialog box. You can filter for the groups you want by entering a few characters of the group name and clicking Search. Select the groups that you want to have MFA and click Save. To apply MFA to all groups, click Select all and click Save. To make changes or deselect all, click Select none.

    For example, suppose this directory has three groups: engineers, guests, and remote desktop users. The admin has enabled MFA for only the engineers group. The guests and remote desktop users are not prompted for MFA, although they belong to the same directory.

  5. Click Save on the dialog.
  6. Click Save and exit.
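
A small model of the four choices above, useful for checking which users reach the application with no MFA prompt after a directory override. This is an added example, not Akamai code or an EAA API; the mode names, the `DirectoryMfa` class, the sample users, and the rule that membership in any selected group triggers MFA are assumptions.

```python
from dataclasses import dataclass, field

# Directory-level MFA modes, named after the four choices in the Settings dialog.
# These identifiers are hypothetical; they are not EAA API values.
ENABLE = "enable"
DISABLE = "disable"
USE_APP = "use_application_setting"   # default: inherit from the application
GROUPS = "enable_for_specific_groups"

@dataclass
class DirectoryMfa:
    name: str
    mode: str = USE_APP
    mfa_groups: set = field(default_factory=set)  # only read when mode == GROUPS

def mfa_required(app_mfa_enabled, directory, user_groups):
    """Return True if a user in `directory` is prompted for MFA on this application."""
    if directory.mode == ENABLE:
        return True
    if directory.mode == DISABLE:
        return False
    if directory.mode == GROUPS:
        # Assumption: membership in any selected group is enough to trigger MFA.
        return bool(directory.mfa_groups & set(user_groups))
    if directory.mode == USE_APP:
        return app_mfa_enabled
    raise ValueError(f"unknown MFA mode: {directory.mode!r}")

def users_without_mfa(app_mfa_enabled, directory, users):
    """List users who reach the application with no MFA prompt (review these)."""
    return sorted(user for user, groups in users.items()
                  if not mfa_required(app_mfa_enabled, directory, groups))

# Constructed sample data mirroring the engineers / guests / remote desktop example.
SAMPLE_USERS = {
    "alice": ["engineers"],
    "bob": ["guests"],
    "carol": ["remote desktop users"],
    "dave": ["guests", "engineers"],
}
SAMPLE_DIR = DirectoryMfa("AD San Francisco", GROUPS, {"engineers"})

if __name__ == "__main__":
    # The application itself has MFA on, yet the group override exempts two users.
    print(users_without_mfa(True, SAMPLE_DIR, SAMPLE_USERS))
```

The directory setting overrides the application setting, so a per-group selection can leave users unprompted even when MFA is enabled on the application.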