Enforce MFA for non-SSO users

Dinesh90 · ‎07-09-2025

Hi Community,

@Ankur Bawiskar , @Chaitanya ILCR , @GlideFather @J Siva , @SANDEEP DUTTA @Aniket Chavan @Maik Skoddow @Mark Manders

I want to enforce MFA for particular users who are having emails with @abc.com domain. These users are non-SSO users.
I have enabled the "Enable Multifactor Authentication" field on user record but still users can simply login with user name and password without MFA, even it is not asking to setup MFA.
please guide how to enable MFA for particular users belong to a specific @abc.com email domain.
Even I have the checked the OOTB "Enforce MFA for non-SSO logins" authentication policy but not able to modify it to enable MFA for my usecase.
Kindly help

Ambuj Tripathi · ‎07-09-2025

Hi @Dinesh90

This is very interesting use case :).

As you are already on Yokohama, servicenow has enforced MFA for the non-sso logging users by default. Being said that, you can go through the the MFA Enforcement directive related details. You can go through the KB articles mentioned below and it will give you the insights of how and why are we inforcing it.

Since you have upgraded to yokohama, and you have got the new policy OOB in MFA Context - that is "Enforce MFA for non-SSO logins", this policy is actually tracking the users which are logging using username & password. This can be checked in the sys_user_mfa_enforcement_info table.

Reasoning behind this is, the end users will get some buffer time to familiarize themselves with the MFA, instead of suddently being enforced with MFA after the upgrade. I am putting the KBs added for the MFA enforcement here -

Concise KB about MFA Enforcement - KB1700938

Detailed FAQ KB About MFA Enforcement - KB1709783

Now coming to your use case, I see you have already enabled the Enable Multifactor Authentication flag for the users even then also they aren't getting the MFA enforced, because they are still in the self-enrolmentperiod (buffer-time to self-enrol themselves) as explained above.

From your question, I get that you want to enforce MFA for the users having @abc.com like email while doing local login. IFF that's what you are looking for precisely, then you can directly go to 2nd point. Otherwise you can go through all the below points and see which one suits your requirement -

1: If you want the Non-SSO users to do the local login with MFA enforced immediately, then as mentioned in the previous answers, you need to set the OOB available self-enrolment property value to 0.

glide.authenticate.multifactor.self_enrolment_period = 0.

This will enforce the MFA for all the users if they are doing local login irrespective of their email domain.

Note - This will enforce the MFA immediately for all the users doing local login after upgrade including the once with @abc.com domain.

2: Another way (require some customisations) to achieve this is -

2.1) Update status column of the existing entries for the users which satisfy your above criteria (domain = @abc.com) in the above table (sys_user_mfa_enforcement_info) to Enforced through gliderecord bulk update.

2.2) Add a custom BR on the above table, and run the above script on insert/update operation so that as soon as a user entry is created in this table with status = tracking, this BR updates it with status = Enforced if they satisfy your email domain criteria.

3: If you want to enable the MFA for these users even when they are doing the SSO login, that's also available. You have to enable another property to enforce that - glide.authenticate.mfa.with.multisso.enabled.

Please let me know if you have any followup questions on this. Would be happy to assist further.

Thanks!!

View solution in original post

Mark Manders · ‎07-09-2025

Since Zurich is almost around the corner, you will have to upgrade to either Yokohama or Zurich within the next 6 months. With Yokohama all users that aren't logging in through SSO will be required to log in with MfA.
I would plan to upgrade asap so ServiceNow will take care of the requirement themselves.

Please mark any helpful or correct solutions as such. That helps others find their solutions.
Mark

Dinesh90 · ‎07-09-2025

we are already on yokohama, but instead of waiting to ServiceNow enforce the MFA, we want that to do for our users who are not able to login via SSO,
for the same could you please help with steps ? or on my use case ?

Ambuj Tripathi · ‎07-09-2025

Hi @Dinesh90

This is very interesting use case :).

As you are already on Yokohama, servicenow has enforced MFA for the non-sso logging users by default. Being said that, you can go through the the MFA Enforcement directive related details. You can go through the KB articles mentioned below and it will give you the insights of how and why are we inforcing it.

Since you have upgraded to yokohama, and you have got the new policy OOB in MFA Context - that is "Enforce MFA for non-SSO logins", this policy is actually tracking the users which are logging using username & password. This can be checked in the sys_user_mfa_enforcement_info table.

Reasoning behind this is, the end users will get some buffer time to familiarize themselves with the MFA, instead of suddently being enforced with MFA after the upgrade. I am putting the KBs added for the MFA enforcement here -

Concise KB about MFA Enforcement - KB1700938

Detailed FAQ KB About MFA Enforcement - KB1709783

Now coming to your use case, I see you have already enabled the Enable Multifactor Authentication flag for the users even then also they aren't getting the MFA enforced, because they are still in the self-enrolmentperiod (buffer-time to self-enrol themselves) as explained above.

From your question, I get that you want to enforce MFA for the users having @abc.com like email while doing local login. IFF that's what you are looking for precisely, then you can directly go to 2nd point. Otherwise you can go through all the below points and see which one suits your requirement -

1: If you want the Non-SSO users to do the local login with MFA enforced immediately, then as mentioned in the previous answers, you need to set the OOB available self-enrolment property value to 0.

glide.authenticate.multifactor.self_enrolment_period = 0.

This will enforce the MFA for all the users if they are doing local login irrespective of their email domain.

Note - This will enforce the MFA immediately for all the users doing local login after upgrade including the once with @abc.com domain.

2: Another way (require some customisations) to achieve this is -

2.1) Update status column of the existing entries for the users which satisfy your above criteria (domain = @abc.com) in the above table (sys_user_mfa_enforcement_info) to Enforced through gliderecord bulk update.

2.2) Add a custom BR on the above table, and run the above script on insert/update operation so that as soon as a user entry is created in this table with status = tracking, this BR updates it with status = Enforced if they satisfy your email domain criteria.

3: If you want to enable the MFA for these users even when they are doing the SSO login, that's also available. You have to enable another property to enforce that - glide.authenticate.mfa.with.multisso.enabled.

Please let me know if you have any followup questions on this. Would be happy to assist further.

Thanks!!

Dinesh90 · ‎07-09-2025

@Ambuj Tripathi : Thank you so much for your detailed reply and your response really helped. It is enforcing the MFA now if we change the status to enforced.
Could you please help me with the BR, I have tried with both before or after BR, with insert and update but it is not setting the status from tracking to enforce, after user is logged in with local cred, I have to manually set the status to enforce once the entry is there in table, then at the second time it is asking user to setup MFA..

Ambuj Tripathi · ‎07-09-2025

Hi @Dinesh90

As I mentioned, the existing users who have an entry here already, will not be getting updated. The BR will only be applicable for the new users.

Please make sure to add the additional checks whereever applicable.

Thanks!