Overview
This article explains how MFA can be triggered for certain Active Directory user groups using Actions. There will be two Actions with the following use cases:
- Triggering MFA for one Active Directory user group.
- Triggering MFA for multiple Active Directory user groups.
Applies To
- Actions
- Multifactor Authentication (MFA)
- Active Directory Groups
Solution
- Action #1: Triggering MFA for one Active Directory user group:
a. Create a new post-Login Action in the Auth0 Dashboard.
b. Paste the below Action code in the editor:
```javascript
exports.onExecutePostLogin = async (event, api) => {
  const allowedGroup = "Group1";
  // Only check for the relevant AD connection (this could alternatively use event.connection.id)
  if (event.connection.name === 'ActiveDirectoryGroupName') {
    // Guard against users whose profile carries no groups attribute
    const groups = event.user.groups || [];
    if (groups.includes(allowedGroup)) {
      api.multifactor.enable('any', { allowRememberBrowser: false });
    }
  }
};
```
c. Update the code to reflect your allowedGroup and event.connection.name values.
d. Deploy the Action and attach it to the Login Flow.
- Action #2: Triggering MFA for multiple Active Directory user groups:
a. Create a new post-Login Action in the Auth0 Dashboard.
b. Paste the below Action code in the editor:
```javascript
exports.onExecutePostLogin = async (event, api) => {
  const allowedGroup = ["Group1", "Group2"];
  // Only check for the relevant AD connection (this could alternatively use event.connection.id)
  if (event.connection.name === 'ActiveDirectoryGroupName') {
    // Guard against users whose profile carries no groups attribute
    const groups = event.user.groups || [];
    // Enable MFA if the user belongs to at least one of the listed groups
    if (groups.some(group => allowedGroup.includes(group))) {
      api.multifactor.enable('any', { allowRememberBrowser: false });
    }
  }
};
```
c. Update the code to reflect your allowedGroup and event.connection.name values.
d. Deploy the Action and attach it to the Login Flow.
NOTE: The above code is just an example and should always be subject to testing and vetting in development/staging tenants before deploying to production.
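The following is an added example (not Auth0's own code) that covers both Actions above: a factory builds the post-login handler for any list of AD groups (a single group is a one-element list), and a constructed stand-in for the Actions `api` object records the MFA decision so the logic can be checked offline, including the case of a user with no groups attribute. The `makeRecordingApi`, `evaluate` and sample event names are assumptions for this example only.

```javascript
// Build an onExecutePostLogin handler for one AD connection and a list of groups.
function makeMfaAction(connectionName, allowedGroups) {
  return async (event, api) => {
    // Only evaluate users coming from the relevant AD connection.
    if (event.connection.name !== connectionName) return;
    // A user with no groups attribute must neither throw nor trigger MFA here.
    const userGroups = Array.isArray(event.user.groups) ? event.user.groups : [];
    if (userGroups.some((group) => allowedGroups.includes(group))) {
      api.multifactor.enable('any', { allowRememberBrowser: false });
    }
  };
}

// Constructed stand-in for the Actions `api`: records multifactor.enable calls.
function makeRecordingApi() {
  const calls = [];
  return {
    calls,
    multifactor: {
      enable(provider, options) {
        calls.push({ provider, options });
      },
    },
  };
}

// Run the handler for one login event; returns the recorded MFA call or null.
async function evaluate(event, connectionName, allowedGroups) {
  const api = makeRecordingApi();
  await makeMfaAction(connectionName, allowedGroups)(event, api);
  return api.calls.length === 1 ? api.calls[0] : null;
}

// Constructed sample login events (not real tenant data).
const SAMPLE_EVENTS = {
  inGroup: { connection: { name: 'ActiveDirectoryGroupName' }, user: { groups: ['Group2', 'Staff'] } },
  notInGroup: { connection: { name: 'ActiveDirectoryGroupName' }, user: { groups: ['Staff'] } },
  noGroups: { connection: { name: 'ActiveDirectoryGroupName' }, user: {} },
  otherConnection: { connection: { name: 'Username-Password-Authentication' }, user: { groups: ['Group1'] } },
};
```

Run `evaluate(SAMPLE_EVENTS.inGroup, 'ActiveDirectoryGroupName', ['Group1', 'Group2'])` to see the recorded call; the other three sample events resolve to null.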