Skip to main content

Enforce MFA during scope granting

Require Two-Factor Authentication (2FA) from users before granting consent to a service access scope.

Prerequisites

Enable scope governance for users

  1. In the target workspace, from the left sidebar, go to Applications > Services > your service > Scopes.

  2. Click Govern Scopes.

  3. Slide the Human Users toggle to On.

  4. Optional. Restrict access by default with a policy for all new scopes.

    Select the MFA User policy to apply to all future scopes. This policy will require MFA from users who consent to access those scopes.

  5. Close.

Require MFA from users granting access to scope

  1. Go to the Scopes section.

  2. Next to the scope you want to restrict with an MFA policy, click the Assign Policy icon under the Users column.

    Assign Policy to User Enforcement Point

  3. Select the MFA User policy Save your changes.

    Assign MFA Policy to Scope

    Result: Users must authenticate with the second factor before granting consent for a client application to access the protected scope.

    Scope with MFA policy