After you’ve configured an MFA factor type, you need to require MFA for your users. If you don’t, your users can log in to their resources with just their username and password.
You can require MFA in the Admin Portal in the following ways:
To require MFA factors for the User Portal on an individual user account:
To require MFA factors for the User Portal on existing users from the More Actions menu:
To require MFA factors with a Conditional Access Policy:
There are two types of MFA enrollment for users:
If you require MFA for your users with a Conditional Access Policy, users are forced to enroll in MFA the next time they log in. To require MFA for your users with a Conditional Access Policy, see Requiring MFA with a Conditional Access Policy above.
Soft TOTP MFA enrollment applies to TOTP MFA only. If more than one MFA solution is enabled, a user can choose to enroll with an MFA solution that isn’t TOTP. After they finish setting up the non-TOTP MFA solution, they need to go back and enroll in TOTP MFA. If a user doesn’t enroll in TOTP MFA during the enrollment period, they are locked out of resources that are protected by TOTP MFA and you need to reset TOTP MFA for the user.
You can start a soft TOTP MFA enrollment period from an individual user account or with the More Actions menu.
To begin a soft TOTP MFA enrollment period from an individual account:
To begin a soft TOTP MFA enrollment period from the More Actions menu:
When you begin an enrollment period, users receive an email notification. The email tells them how long their enrollment period is and gives them a link to set up TOTP MFA.
If a user doesn’t set up TOTP MFA and the enrollment period expires, the user is locked out of their account, and you need to reset their enrollment period.
To reset a user’s TOTP MFA enrollment period:
You can view users’ TOTP MFA status to monitor who has set up MFA, who is still in the enrollment period, and whose enrollment period has expired.
To view a user’s TOTP MFA status:
The Users list MFA column, which defaults to TOTP, shows you a user’s TOTP MFA status. When you hover over the status, you can see TOTP MFA status details for a user. The following TOTP MFA statuses are possible:
You can also view a user’s MFA status in their user details.
You can filter the Users list to show MFA status and requirement. See Get Started: Users.
Learn more in Resetting MFA Enrollment for a User above.
When you begin an enrollment process, a user who hasn’t set up MFA has the following experience:
For backup purposes, we recommend that users copy and paste the TOTP key string that appears below the QR code and store it in a secure location. This key can be used to reset TOTP MFA if a user loses their device with the TOTP token app.
When a user’s enrollment is close to expiring, they are sent a reminder 24 hours in advance notifying them that their TOTP MFA enrollment period is about to expire. After their enrollment period expires, they are locked out of the User Portal until their TOTP MFA requirement is removed by an administrator or their enrollment time is extended.
Here’s a guided simulation: User Portal MFA TOTP Login.