MFA exempted user still seeing blue banner
5 hours ago
Hi,
I've added a non-SSO user account to the MFA exempted user group, following this guidance: https://www.servicenow.com/docs/bundle/yokohama-platform-security/page/integrate/authentication/conc...
However, after about 45 minutes the user still sees the MFA blue banner. The banner persists despite logging out and back in, and after manually refreshing the system's cache.
The policy conditions in the MFA context for my instance are what was set by ServiceNow by default, so they exactly match what is shown in the guidance.
Is there anything else I might need to do to stop the banner from appearing? Does it simply just take some time after adding an account to the exemption group for the banner to stop appearing?
Thanks.
5 hours ago
Hi @ChrisF7,
While adding a user to the MFA exemption group is the correct procedure, the banner's persistence typically points to a session or server-side cache issue rather than a simple propagation delay, as the change should be nearly immediate. To resolve this, ensure the user's session is completely terminated by having them log out, then as an administrator, navigate to "User Administration > Logged in users", find their session, and manually end it.
Following this with a system cache flush by typing cache.do in the filter navigator will clear any outdated cached information. These actions force a fresh authentication and re-evaluation of the user's group memberships against the MFA policy, which should remove the banner.
Hope this helps!
Thanks & Regards,
Muhammad Iftikhar
If my response helped, please mark it as the accepted solution and helpful so others can benefit as well.
3 hours ago
Hi @M Iftikhar,
I've attempted this but once the user is logged out, they no longer appear in "User Administration > Logged in users", so as an admin I can't then manually end their session, which to me makes sense given they're no longer logged in.
I've completed the system cache flush a couple of times but the banner still appears when the user next logs in.
Thanks,
Chris
17m ago - last edited 14m ago
Hi @ChrisF7
I assume you have already gone through the KB articles below and have an understanding of the self-enrolment period and max-relaxation period. If not, I would recommend going through the KB articles to understand in more detail.
Concise KB about MFA Enforcement - KB1700938
Detailed FAQ KB About MFA Enforcement - KB1709783
If you want to exclude a user from undergoing MFA, you may need to fine-tune a few additional settings if you have user-level MFA and role filter criteria enabled.
I have collated and put this in detail here - https://www.servicenow.com/community/platform-privacy-security/excluding-any-specific-user-users-fro...
The user still seeing the banner message and not being enforced with MFA means it's still in the self-enrolment period, which means that if you add the user to the exempted users group, you will again need to clear the cache to remove the cached entry for the user.
Cheers!