How To Enable MFA For A Subset of Users

Problem Statement:

By default, once MFA is enabled, it applies to all users in the tenant. Is it possible to enable MFA for specific users?

Solution:

First, make sure that your tenant has Require Multi-factor Auth set to None. This tenant-level setting is overridden when MFA is triggered from Rules/Actions, which is why a Rule or Action can be used to conditionally enable MFA for specific users only.

We can trigger the MFA challenge based on an attribute stored on the user's profile. Here are the steps:

  1. Set the user.user_metadata.use_mfa attribute in each user's profile to true or false using the Auth0 Management API: Auth0 Management API v2 endpoint

  2. Enable MFA for those users using a Rule:

    function (user, context, callback) {
      // Request a second factor only from users whose user_metadata.use_mfa is true;
      // everyone else completes login without MFA.
      if (user.user_metadata && user.user_metadata.use_mfa) {
        context.multifactor = {
          provider: 'any',
          allowRememberBrowser: false
        };
      }
      callback(null, user, context);
    }

  3. Alternatively, enable MFA for those users using an Action:

    exports.onExecutePostLogin = async (event, api) => {
      // Request a second factor only from users whose user_metadata.use_mfa is true;
      // everyone else completes login without MFA.
      if (event.user.user_metadata && event.user.user_metadata.use_mfa) {
        api.multifactor.enable('any', { allowRememberBrowser: false });
      }
    };
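The following is an added example, not code from the original article or from Auth0: a small offline harness that ties the three steps together. It builds the Management API v2 request (PATCH /api/v2/users/{id}) from step 1 that sets user_metadata.use_mfa, and it runs the step 3 Action logic against constructed user profiles with a fake `api` object, so the per-user MFA decision (including users with no user_metadata at all) can be unit-tested before the Action is deployed. The tenant domain, user IDs and token are placeholders.

```javascript
// Added example (not part of the original article): offline harness for the
// per-user MFA flag. Tenant domain, user IDs and the Management API token are
// placeholders; nothing here contacts Auth0.

// Step 1: describe the PATCH /api/v2/users/{id} call that sets the flag.
// Returns the request spec instead of sending it, so it runs offline; pass it
// to fetch() (or your HTTP client) with a real Management API token that has
// the update:users scope.
function buildUseMfaPatch(domain, userId, useMfa, token) {
  return {
    url: `https://${domain}/api/v2/users/${encodeURIComponent(userId)}`,
    method: 'PATCH',
    headers: {
      'Content-Type': 'application/json',
      Authorization: `Bearer ${token}`,
    },
    // Only user_metadata is sent; the API merges it into the existing profile.
    body: JSON.stringify({ user_metadata: { use_mfa: Boolean(useMfa) } }),
  };
}

// The decision used by the Rule and the Action in the article: require MFA
// only when user_metadata.use_mfa is truthy. A profile without user_metadata
// (common for users that were never flagged) therefore skips MFA.
function shouldRequireMfa(user) {
  return Boolean(user && user.user_metadata && user.user_metadata.use_mfa);
}

// Step 3: the post-login Action, factored to use the decision above.
const onExecutePostLogin = async (event, api) => {
  if (shouldRequireMfa(event.user)) {
    api.multifactor.enable('any', { allowRememberBrowser: false });
  }
};

// Fake Actions `api` that records multifactor.enable() calls instead of
// enforcing anything, for local testing.
function makeFakeApi() {
  const calls = [];
  return {
    calls,
    multifactor: {
      enable: (provider, options) => calls.push({ provider, options }),
    },
  };
}

async function demo() {
  // Constructed sample profiles (not real users).
  const profiles = {
    optedIn: { user_id: 'auth0|example-1', user_metadata: { use_mfa: true } },
    optedOut: { user_id: 'auth0|example-2', user_metadata: { use_mfa: false } },
    noMetadata: { user_id: 'auth0|example-3' },
  };
  const results = {};
  for (const [name, user] of Object.entries(profiles)) {
    const api = makeFakeApi();
    await onExecutePostLogin({ user }, api);
    results[name] = api.calls.length === 1; // true when MFA would be required
  }
  console.log(results);
  // Request that would flip example-3 to MFA-required.
  console.log(buildUseMfaPatch('YOUR_TENANT.auth0.com', 'auth0|example-3', true, 'MGMT_API_TOKEN'));
  return results;
}

demo();
```

The same `shouldRequireMfa` check maps directly onto the Rule version: where the Action calls `api.multifactor.enable('any', ...)`, the Rule sets `context.multifactor = { provider: 'any', allowRememberBrowser: false }`.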

If you want to bulk update users' user_metadata.use_mfa attribute, please refer to this FAQ.

References: