Auth0 asks for Guardian instead of any MFA provider

Hello everybody. I have added a Rule that enforces MFA only for users belonging to specific roles. You can find the rule below.

When the rule is off, MFA is correctly being asked for nobody.
As soon as I turn the rule on, Auth0 starts asking these users in our applications to enroll in Auth0 Guardian even if they have already configured an alternative MFA provider such as Google Authenticator.

Strangely, when these users try to login into (because some users are also Auth0 tenant admins), in this case the rule works correctly by just asking for ANY MFA token and it does not try to enroll users in Auth0 Guardian.

function multifactorAuthentication(user, context, callback) {
  const assignedRoles = (context.authorization || {}).roles || [];
  const requireMfaRoles = ["god"];
  const inCommon = assignedRoles.some(r => requireMfaRoles.includes(r));
  if (inCommon) {
    // Force 2FA
    context.multifactor = {
      provider: 'any',
      allowRememberBrowser: false
  callback(null, user, context);

Attached you can find a PDF screenshot that shows the configuration of MFA.

Multifactor Authentication.pdf (343.1 KB)

Thank you in advance.

I’ve just discovered that in order to use MFAs other than Auth0 Guardian you need to have an active Professional subscription. :sweat_smile:

1 Like

No worries! We’ve all been there! Thanks for sharing with the rest of community!