How to Enable MFA for a Subset of Users

Last updated: Jul 31, 2024

Overview

By default, once Multi-Factor Authentication (MFA) is enabled, it applies to all users in the tenant. This article details how MFA can be enabled for specific users.

Applies To

  • Multifactor Authentication (MFA)

Solution

First, ensure the tenant's Require Multi-factor Auth setting is set to None. This setting is overridden when MFA is enforced through Rules/Actions, so Rules/Actions are the way to conditionally enable MFA for specific users.

NOTE: Rules and Hooks will reach end of life on November 18, 2024.

Follow the steps or video below.

The MFA challenge can be set up based on the user attribute on their profile. Here are the steps:

  1. Set the user.user_metadata.use_mfa attribute on the respective user profile to true or false using the Auth0 Management API v2. NOTE: use_mfa is an invented user_metadata property used for this example; it holds a boolean value.
  2. Enable MFA using a Rule or Actions for specific users.

Enable MFA using Actions:

  1. Navigate to Actions > Flows.
  2. Click Login and create the Login flow.

An example flow has been provided below.

exports.onExecutePostLogin = async (event, api) => {
  // The following if clause requests a second factor only from users whose
  // user_metadata.use_mfa is true; users without the flag log in without MFA.
  if (event.user.user_metadata && event.user.user_metadata.use_mfa) {
    api.multifactor.enable('any', { allowRememberBrowser: false });
  }
};
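To see how the Action above decides for different profiles before deploying it, here is an added example (not code from the Auth0 article) that runs the same handler offline against a constructed stand-in for the Actions api object; the user profiles are constructed sample data.

```javascript
// Added example, not from the Auth0 article: run the article's post-login
// Action offline against a constructed `api` stub so the opt-in check can
// be exercised on several user profiles before it is deployed.

// The Action handler exactly as the article gives it.
const onExecutePostLogin = async (event, api) => {
  if (event.user.user_metadata && event.user.user_metadata.use_mfa) {
    api.multifactor.enable('any', { allowRememberBrowser: false });
  }
};

// Constructed stand-in for the Actions `api` object: it only records
// calls to api.multifactor.enable instead of talking to Auth0.
function makeApiStub() {
  const calls = [];
  return {
    calls,
    multifactor: {
      enable(provider, options) {
        calls.push({ provider, options });
      },
    },
  };
}

// Run the handler for a user whose user_metadata is `userMetadata`
// (undefined models a user with no metadata at all) and report
// whether, and how, a second factor was requested.
async function mfaDecision(userMetadata) {
  const api = makeApiStub();
  const event = { user: { user_id: 'auth0|constructed', user_metadata: userMetadata } };
  await onExecutePostLogin(event, api);
  if (api.calls.length === 0) return { enabled: false };
  return { enabled: true, provider: api.calls[0].provider, ...api.calls[0].options };
}

// Constructed profiles: flag true, no metadata, flag false, and the flag
// stored as the string "false" (as can happen when the Dashboard JSON is
// edited by hand). The truthiness check treats the string as opted in, so
// MFA is still challenged; a strict `=== true` check would not.
const samples = [{ use_mfa: true }, undefined, { use_mfa: false }, { use_mfa: 'false' }];
Promise.all(samples.map(mfaDecision)).then((decisions) => {
  decisions.forEach((d, i) => console.log(JSON.stringify(samples[i]), '->', d));
});
```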

Enable MFA using a Rule:

function (user, context, callback) {
  // The following if clause requests a second factor only from users whose
  // user_metadata.use_mfa is true; users without the flag log in without MFA.
  if (user.user_metadata && user.user_metadata.use_mfa) {
    context.multifactor = {
      provider: 'any',
      allowRememberBrowser: false
    };
  }
  callback(null, user, context);
}

There are two ways to update the user_metadata object: using the Dashboard or using the Management API.

Steps using the Dashboard:

  1. Go to the Dashboard.

  2. Click on User Management in the left menu.

  3. Click on Users.

  4. Select the user from the list and click it.

  5. Scroll down until the Metadata section is displayed.

  6. Add the desired property to the User Metadata object section.

  7. Click Save.

Steps using the Management API:

  1. Get a Management API token for job endpoint requests and set it on the Management API explorer.

  2. Navigate to the Update a User endpoint.

  3. Insert the user ID to be modified.

  4. Add the desired property to the request Body.

  5. Click Test Endpoint.
