Enhance your environment security with MFA enforcement

MFA enforcement at the environment level lets account administrators add an additional layer of security for non-federated user access.

When accessing an MFA-enforced environment, non-federated users are required to provide an MFA verification code. They receive the code via their registered email address or authenticator app.

Federated users

Federated users are not required to register or apply MFA, even if MFA is enabled on their environment. Instead, their login is verified by their Identity Provider (IdP) during the login process.

MFA enforcement for an environment

Account administrators can enforce MFA by configuring it as a prerequisite for accessing specific environments.

To enable MFA enforcement for a specific environment

  1. Go to Account Management and select the account containing the environment.

  2. Go to Settings > Environments and, in the Environments table, find the environment where you want to enforce MFA.

  3. In the Enforce MFA column, turn on the switch.

  4. Confirm your selection when prompted.

    Once enabled, MFA will be required for all non-federated users who attempt to access the environment.

Handling of active user sessions

When a non-federated user accesses an MFA-enforced environment, the MFA verification challenge is triggered even if the user is already logged in, as long as they have not yet been challenged for MFA.

Frequently asked questions

Users are reporting they are unable to complete the MFA challenge

If users never signed up for MFA TOTP, verify that their email address is valid. Also note that only the latest verification code is valid.

In rare cases, the account administrator can temporarily disable MFA enforcement for the affected environment to investigate the issue further.

Can I force all non-federated users to use MFA?

No. Account administrators can enforce MFA only at the environment level. This ensures that, regardless of whether the non-federated user has enabled MFA, they will be prompted for a verification code.

If a non-federated user accessing an MFA-enforced environment has not enabled MFA TOTP, the verification code will be sent to them via their registered email address. Otherwise, they can use the generated code in their registered authenticator app.
