Whitelist internal users from MFA

Hi there, I am trying to create an action to whitelist internal testing accounts from MFA for automated testing and other use cases. I have the action created, but it seems that having adaptive MFA enabled overrides the action where I have put
api.multifactor.enable('none', {allowRememberBrowser: false});

For security reasons we want to keep the adaptive MFA, so that if users are logging in securely and the risk score is low they don't need to use MFA, AND also whitelist our internal accounts.

Hi @shinkhouse

Thank you for reaching out!

Reading through your use case, I believe the easiest way to accomplish this would be to add an attribute to the users' app_metadata or user_metadata (the latter has read/write properties that the user can change on their own, but that should not be a problem for testing users) and invoke MFA according to this attribute through the use of a Post-login Action. You can use the event.user.app_metadata object to enforce MFA for users that have a specific attribute.

In order to keep Adaptive MFA active and also call the Action, you can enable the "Customize MFA using Actions" option from the Security → Multi-factor Auth tab in your tenant, in order to implement custom logic for triggering MFA.

I recommend reading through our Knowledge Article on how to Enforce MFA for Internal Users but not for External Customers, which offers great tips on general MFA enforcement through Actions, which can be adapted to fit your case.

Hope this helped!
Gerald