
Enforcing Multi-Factor Authentication (MFA) Upon Scope Grant

Require Two-Factor Authentication (2FA) from users granting their consent to a service access scope.

Prerequisites

Add Service.

Enable Scope Governance for Users

  1. Navigate to Applications > Services > your service > Scopes.

  2. Select Govern Scopes.

  3. Enable the Human Users option.

  4. Optionally, restrict access by default with a policy for all new scopes.

    Tip

    If you wish, you may select the MFA User policy here. It is then applied to all scopes that you add in the future, requiring MFA from users who consent to access to those scopes.

  5. Close.

Require MFA From Users Granting Access to Scope

  1. In the Users column, select the Assign Policy button next to the scope you wish to restrict with the MFA policy.

    Assign Policy to User Enforcement Point

  2. Assign the MFA User policy.

    Assign MFA Policy to Scope

    Result: Users are required to authenticate using the second factor before granting their consent for the client application to access the protected scope.

    Scope with MFA policy