B2B Multi tenant MFA

For my multi-tenant Saas Application, I am using a separate Application <-> Connection per customer.

Customers selectively are requesting for MFA. How Can I enable MFA for few customers and disable MFA for others. Basically, Can I enable/disable MFA per application or per connection ?

Hi @kartik.cds

Have you tried Auth0 Organizations? They may apply in your case.

To do your MFA, choose the “Never” option for MFA on the MFA page, and then use a rule to selectively enable MFA, There are several sample rules to choose from to get you started.



If using Organizations, you could store this at the organization metadata layer and then use a rule to trigger MFA.

function multifactorAuthentication(user, context, callback) {
  //Make sure the rule runs only for the application you are concerned about.
  if (context.clientID === 'REPLACE_WITH_YOUR_CLIENT_ID') { 
    // Run MFA for organizations that have metadata property called "mfa" set to "true"
    if (context.organization && context.organization.metadata && context.organization.metadata.mfa && context.organization.metadata.mfa == "true") { 
      context.multifactor = {
        provider: 'any',
        // optional, defaults to true. Set to false to force authentication every time.
        // See https://auth0.com/docs/multifactor-authentication/custom#change-the-frequency-of-authentication-requests for details
        allowRememberBrowser: false
  callback(null, user, context);

Alternately you could set the MFA provider that should be used in the org metadata…


Thanks for engaging in this one @adam.housman and @john.gateley !

Thanks @john.gateley @adam.housman for the prompt response. Organizations is good (but needs enterprise/startup license for that), but my use-case is well satisfied with the Application <-> Connection combo…
I will try your suggestion of using Rules with clientID conditions for application specific MFA.

Thanks again.

1 Like

No worries! Let us know if you have any further questions!

This topic was automatically closed 15 days after the last reply. New replies are no longer allowed.