for an apple review account we disabled mfa for a specific email address like described here:
Is this still valid? It worked a while ago, I just retested and can not get it to work. I get prompted all the time for an one time password.
In security > mfa “require mfa” is set to always and I also enabled “customize mfa factors using actions”.
Did something change or what could cause this?
I also added some logs in the action to verify that the correct mail is set and the skip mfa boolean is set to true. I also verified that it navigates within the if statement where api.multifactor.enable(“none”) is invoked.
The documentation that you mentioned should still be accurate and up to date, as testing on my end results in the target email address/user not being prompted for MFA.
Could you please check in your tenant if under Security → Multi-factor Auth, you have the " Customize MFA factors using Actions " enabled? In order to go through the Action, the toggled should be turned on.
Another thing to double-check would be that the email address of the user within the script matches exactly and there are no whitespaces/extra characters etc.
If this is not the case, please confirm if the Action works with the older Node 18 version, but does not work with Node 22 ( latest version). There might be some changes with the latest Node that could be affecting the Action, let me know if you notice any difference.
thanks for your answer. Yes, as I said the setting in security > mfa is set. Also, the logs of the action show that on login the mail of the event is equal to the mail defined in the action since the log statement in the skipMfa if statement is invoked.
I also saw that the node version of the action was outdated and already updated, which did not change anything unfortunately.
I am a bit confused, with the log I am pretty confidend that api.multifactor.enable("none"); should be executed, but I am still prompted for a factor.
It seems to be related to the passkeys prompt. When I just click through it (dont create a passkey, just do “not now”) the mfa prompt always appears. If I click the “dont show me again” option for the passkey the action bypassing mfa works.