Enforce MFA for non-SSO users

Dinesh90 · ‎07-09-2025

Hi Community,

@Ankur Bawiskar , @Chaitanya ILCR , @GlideFather @J Siva , @SANDEEP DUTTA @Aniket Chavan @Maik Skoddow @Mark Manders

I want to enforce MFA for particular users who are having emails with @abc.com domain. These users are non-SSO users.
I have enabled the "Enable Multifactor Authentication" field on user record but still users can simply login with user name and password without MFA, even it is not asking to setup MFA.
please guide how to enable MFA for particular users belong to a specific @abc.com email domain.
Even I have the checked the OOTB "Enforce MFA for non-SSO logins" authentication policy but not able to modify it to enable MFA for my usecase.
Kindly help

Ambuj Tripathi · ‎07-09-2025

Hi @Dinesh90

This is very interesting use case :).

As you are already on Yokohama, servicenow has enforced MFA for the non-sso logging users by default. Being said that, you can go through the the MFA Enforcement directive related details. You can go through the KB articles mentioned below and it will give you the insights of how and why are we inforcing it.

Since you have upgraded to yokohama, and you have got the new policy OOB in MFA Context - that is "Enforce MFA for non-SSO logins", this policy is actually tracking the users which are logging using username & password. This can be checked in the sys_user_mfa_enforcement_info table.

Reasoning behind this is, the end users will get some buffer time to familiarize themselves with the MFA, instead of suddently being enforced with MFA after the upgrade. I am putting the KBs added for the MFA enforcement here -

Concise KB about MFA Enforcement - KB1700938

Detailed FAQ KB About MFA Enforcement - KB1709783

Now coming to your use case, I see you have already enabled the Enable Multifactor Authentication flag for the users even then also they aren't getting the MFA enforced, because they are still in the self-enrolmentperiod (buffer-time to self-enrol themselves) as explained above.

From your question, I get that you want to enforce MFA for the users having @abc.com like email while doing local login. IFF that's what you are looking for precisely, then you can directly go to 2nd point. Otherwise you can go through all the below points and see which one suits your requirement -

1: If you want the Non-SSO users to do the local login with MFA enforced immediately, then as mentioned in the previous answers, you need to set the OOB available self-enrolment property value to 0.

glide.authenticate.multifactor.self_enrolment_period = 0.

This will enforce the MFA for all the users if they are doing local login irrespective of their email domain.

Note - This will enforce the MFA immediately for all the users doing local login after upgrade including the once with @abc.com domain.

2: Another way (require some customisations) to achieve this is -

2.1) Update status column of the existing entries for the users which satisfy your above criteria (domain = @abc.com) in the above table (sys_user_mfa_enforcement_info) to Enforced through gliderecord bulk update.

2.2) Add a custom BR on the above table, and run the above script on insert/update operation so that as soon as a user entry is created in this table with status = tracking, this BR updates it with status = Enforced if they satisfy your email domain criteria.

3: If you want to enable the MFA for these users even when they are doing the SSO login, that's also available. You have to enable another property to enforce that - glide.authenticate.mfa.with.multisso.enabled.

Please let me know if you have any followup questions on this. Would be happy to assist further.

Thanks!!

View solution in original post

Dinesh90 · ‎07-09-2025

@Ambuj Tripathi : even for a new user entry in MFA table it’s not working

i have provided you the screenshots in above reply. It’s not updating the status for new user entry in MFA table

in your reply what type of BR you have created is it before or after and insert or update ?
should I use the script Instead of setting the status value via actions tab ?

Ambuj Tripathi · ‎07-09-2025

Yes, its an after type BR on insert (not update) operation. You can add the check for status != enforced also in filters. Setting via action didn't work, so added the script as shown above.

Dinesh90 · ‎07-10-2025

@Ambuj Tripathi : This is working, great thanks for your help.
can you please help on the below thread as well
https://www.servicenow.com/community/developer-forum/disable-local-login-i-e-login-do-for-non-admin-...

Dinesh90 · ‎07-10-2025

@Ambuj Tripathi :
I have an issue for one of our user, I have enabled MFA in his user profile, by enabling the checkbox "enable MFA authentication",
but when he is trying to login, no entry is getting created in the table - "User MFA enforcement info"
for other users it is working fine, one I enabled that checkbox in user record, entry in the MFA table is there.
what can be the issue ? why the entry is not getting created for that particular user in the table ? so that we can enforce MFA for him.

Ambuj Tripathi · ‎07-11-2025

That user isn't exempted via any means right? External users with sys_external role are already exempted. You can reach out to servicenow support for this. This will require further investigation.