Enforce MFA for non-SSO users

Dinesh90 · ‎07-09-2025

Hi Community,

@Ankur Bawiskar , @Chaitanya ILCR , @GlideFather @J Siva , @SANDEEP DUTTA @Aniket Chavan @Maik Skoddow @Mark Manders

I want to enforce MFA for particular users who are having emails with @abc.com domain. These users are non-SSO users.
I have enabled the "Enable Multifactor Authentication" field on user record but still users can simply login with user name and password without MFA, even it is not asking to setup MFA.
please guide how to enable MFA for particular users belong to a specific @abc.com email domain.
Even I have the checked the OOTB "Enforce MFA for non-SSO logins" authentication policy but not able to modify it to enable MFA for my usecase.
Kindly help

Ambuj Tripathi · ‎07-09-2025

Hi @Dinesh90

This is very interesting use case :).

As you are already on Yokohama, servicenow has enforced MFA for the non-sso logging users by default. Being said that, you can go through the the MFA Enforcement directive related details. You can go through the KB articles mentioned below and it will give you the insights of how and why are we inforcing it.

Since you have upgraded to yokohama, and you have got the new policy OOB in MFA Context - that is "Enforce MFA for non-SSO logins", this policy is actually tracking the users which are logging using username & password. This can be checked in the sys_user_mfa_enforcement_info table.

Reasoning behind this is, the end users will get some buffer time to familiarize themselves with the MFA, instead of suddently being enforced with MFA after the upgrade. I am putting the KBs added for the MFA enforcement here -

Concise KB about MFA Enforcement - KB1700938

Detailed FAQ KB About MFA Enforcement - KB1709783

Now coming to your use case, I see you have already enabled the Enable Multifactor Authentication flag for the users even then also they aren't getting the MFA enforced, because they are still in the self-enrolmentperiod (buffer-time to self-enrol themselves) as explained above.

From your question, I get that you want to enforce MFA for the users having @abc.com like email while doing local login. IFF that's what you are looking for precisely, then you can directly go to 2nd point. Otherwise you can go through all the below points and see which one suits your requirement -

1: If you want the Non-SSO users to do the local login with MFA enforced immediately, then as mentioned in the previous answers, you need to set the OOB available self-enrolment property value to 0.

glide.authenticate.multifactor.self_enrolment_period = 0.

This will enforce the MFA for all the users if they are doing local login irrespective of their email domain.

Note - This will enforce the MFA immediately for all the users doing local login after upgrade including the once with @abc.com domain.

2: Another way (require some customisations) to achieve this is -

2.1) Update status column of the existing entries for the users which satisfy your above criteria (domain = @abc.com) in the above table (sys_user_mfa_enforcement_info) to Enforced through gliderecord bulk update.

2.2) Add a custom BR on the above table, and run the above script on insert/update operation so that as soon as a user entry is created in this table with status = tracking, this BR updates it with status = Enforced if they satisfy your email domain criteria.

3: If you want to enable the MFA for these users even when they are doing the SSO login, that's also available. You have to enable another property to enforce that - glide.authenticate.mfa.with.multisso.enabled.

Please let me know if you have any followup questions on this. Would be happy to assist further.

Thanks!!

View solution in original post

GlideFather · ‎07-09-2025

Hi @Dinesh90,
please refer to these:

Let me know how does it go!

———
/* If my response wasn’t a total disaster ↙️ ⭐ drop a Kudos or Accept as Solution ✅ ↘️ Cheers! */

Dinesh90 · ‎07-09-2025

@GlideFather : Thanks for you response. I have already gone through these docs, but didn't help for my issue.
Can you please have a look on my ask in the initial post and help !

SANDEEP DUTTA · ‎07-09-2025

Hi @Dinesh90 ,

Currently, According to the MFA policy, eligible users who have not completed the MFA setup will have a 30-day self-enrollment period. This is controlled using the system property glide.authenticate.multifactor.self_enrolment_period . The property's default value is 30 days. It can be updated to a maximum of 90 days.

With the default secure MFA policy, MFA is not required for users having the snc_external role.

- Admins can modify this behavior and enforce MFA for external users by updating the MFA policy conditions.
- External users already undergoing MFA before the upgrade to Yokohama or later release will continue to have MFA.
- External users can visit their profile and self-enroll for MFA.

So, what you can do is, change the default value of the above property to 1-2 days, so they will be automatically taken cared of, and they need to register for MFA.

Thanks,
Sandeep Dutta

Please mark the answer correct & Helpful, if i could help you.

Dinesh90 · ‎07-09-2025

I don't want to modify the days value in system property.
Do you have any way which can help me for my use case ? only enforcing users with particular email domain (example email - contains @abc.com) . I have enabled a checkbox "enable MFA" on user record, but its not enforcing MFA.