Ambuj Tripathi
ServiceNow Employee
As ServiceNow enforces Multi-Factor Authentication (MFA) from the Yokohama release onwards, there have been numerous queries about excluding specific users from MFA enforcement.
Firstly, we strongly advise against disabling the MFA that is enforced out-of-the-box at the instance level. If you have any specific queries, please raise them to be resolved, but disabling MFA should be the last resort.
Secondly, since MFA is being enforced for all users, we recommend not disabling MFA for privileged users. If MFA must be disabled for a user, assign context-specific or scope-specific roles where possible instead of privileged roles such as admin.
In this article, I will discuss how we can exclude specific users from MFA enforcement without actually disabling MFA.
The simplest method is to add the role for which we want to exempt MFA into the out-of-box (OOB) provided MFA Exempted Roles filter. Alternatively, if we want to do it at a group or user level, we can add a user into the OOB provided MFA Exempted Group. Let's delve into the details of how the condition looks:
As seen in the OOB MFA Context policy, there are two sets of conditions connected with an OR operation:
- Has User Exempted Role -- IS -- False
AND
- Is user part of MFA Exempted Group -- IS -- False
OR
- User Level MFA -- IS -- True (this is the enable Multi-Factor Auth flag in the sys_user table)
OR
- Role based MFA -- IS -- True (this is the role filter criteria which enables MFA for three roles as of Yokohama: admin, security_admin, and user_admin)
If we analyze this condition, we find that even when users/roles are exempted, a logging-in user who has user-level MFA enabled, or who holds a role covered by role-based MFA (admin, security_admin, or user_admin), produces a conflicting condition where:
a) We say to exempt the user via group or role through the first half of the condition.
b) Simultaneously, we enforce MFA for this specific user.
In such situations, we have made a conscious choice to ENFORCE MFA for users falling into this conflicting condition: user-level or role-level MFA enforcement takes priority, so that the secure default configuration prevails.
Now, revisiting the original question: What if we want to exclude MFA for any user with a role, say admin? In such cases, the idea is to disable both user-level MFA (as we want to disable MFA for this user) and Role-based MFA (since MFA is enforced via the blanket policy shipped OOB in Yokohama). Additionally, this user should be added to the Exempted users group.
Even after disabling Role-based MFA, there should be no impact on other users' MFA behavior; they will still be prompted for MFA by the blanket enforcement policy.
-> Another point to note: because we are disabling Role level MFA, you should not exempt highly sensitive/privileged roles through the OOB Exempted Roles Filter. Doing so would disable MFA for privileged users as well, which is not a desired outcome and is not recommended for maintaining a secure configuration.
-> As admins excluding users who hold privileged roles, it is imperative to revisit these configurations from time to time, re-evaluate whether each exemption is still needed, and remove users from the exclusion once they no longer need to be excluded.
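To make the policy logic above concrete, here is an added example (my own model, not ServiceNow product code) that evaluates the OOB condition, flags the conflicting case, shows the exemption recipe for an admin, and lists privileged roles placed in the Exempted Roles filter. The data structures, field names and sample users are constructed for illustration only.

```python
from dataclasses import dataclass, field

# Roles in the OOB role-based MFA filter criteria as of Yokohama (from the article).
ROLE_BASED_MFA_ROLES = {"admin", "security_admin", "user_admin"}

@dataclass
class MfaConfig:
    """Constructed model of the instance-level MFA settings discussed above."""
    exempted_roles: set = field(default_factory=set)          # OOB "MFA Exempted Roles" filter
    exempted_group_members: set = field(default_factory=set)  # members of OOB "MFA Exempted Group"
    role_based_mfa_enabled: bool = True                       # OOB role-based MFA criteria active

@dataclass
class User:
    """Constructed model of a sys_user record (hypothetical field names)."""
    name: str
    roles: set
    user_level_mfa: bool = False  # "Enable Multi-Factor Auth" flag on sys_user

def mfa_required(user: User, cfg: MfaConfig) -> bool:
    """Evaluate the OOB MFA Context policy condition for one login."""
    has_exempted_role = bool(user.roles & cfg.exempted_roles)
    in_exempted_group = user.name in cfg.exempted_group_members
    role_based_mfa = cfg.role_based_mfa_enabled and bool(user.roles & ROLE_BASED_MFA_ROLES)
    # (not exempted role AND not in exempted group) OR user-level MFA OR role-based MFA
    return (not has_exempted_role and not in_exempted_group) or user.user_level_mfa or role_based_mfa

def is_conflicting(user: User, cfg: MfaConfig) -> bool:
    """True when the user is exempted but an enforcement flag still wins (MFA is enforced)."""
    exempted = bool(user.roles & cfg.exempted_roles) or user.name in cfg.exempted_group_members
    return exempted and mfa_required(user, cfg)

def risky_role_exemptions(cfg: MfaConfig) -> set:
    """Privileged roles that were put into the Exempted Roles filter; review these regularly."""
    return cfg.exempted_roles & ROLE_BASED_MFA_ROLES

if __name__ == "__main__":
    alice = User("alice", {"admin"}, user_level_mfa=True)
    cfg = MfaConfig(exempted_group_members={"alice"})
    print("alice, exempted via group, OOB flags on:", mfa_required(alice, cfg))  # True (conflict)
    # Recipe from the article: clear user-level MFA, disable role-based MFA, keep group membership.
    alice.user_level_mfa = False
    cfg.role_based_mfa_enabled = False
    print("alice after applying the recipe:", mfa_required(alice, cfg))  # False
    print("bob (admin, not exempted):", mfa_required(User("bob", {"admin"}), cfg))  # True
```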
Cheers!