MFA enforcement exception

  • Release version: Australia
  • Updated March 12, 2026
    Summarized using AI
    This content was generated using new OpenAI-powered functionality. Results are provided on an as is basis and are not guaranteed to be accurate or complete.

    Summary of MFA Enforcement Exception

    The MFA enforcement exception feature allows ServiceNow customers to relax multi-factor authentication (MFA) mandates for specific users, roles, groups, trusted networks, and locations. This capability is introduced in the Yokohama release, enabling greater flexibility in managing authentication requirements based on organizational needs.

    Key Features

    • MFA Exempted User Group: A new user group allows specific users to be exempt from MFA. To add users, navigate to MFA context and select the appropriate policy options.
    • MFA Exempted Roles: New filter criteria enable exemptions based on user roles. Adding roles to the MFA policy can ease authentication for certain job functions.
    • Trusted Networks: Create IP filter criteria to define trusted networks, allowing users on those networks to bypass MFA.
    • Location-Based Access: Utilize the Location Filter Criteria from the Zero Trust plugin to manage MFA based on user locations.
    • Remembered Browsers: Adjust properties to control how long MFA is skipped on recognized browsers, with a default setting of 8 hours, extendable up to 24 hours.

    Key Outcomes

    By implementing these features, ServiceNow customers can enhance user experience while maintaining security. Exemptions can be tailored to meet specific organizational roles or contexts, reducing friction during the login process. However, it is essential to manage shared accounts cautiously, as they pose security risks.

    FAQ related to MFA enforcement exception and why it’s important.

    1. How can the MFA mandate be relaxed for specific users?

      In the Yokohama release, a new user group record, MFA Exempted User Group, is added. Based on the default condition added to the MFA policy, any user who is a member of this group isn’t enforced with MFA.

      To relax MFA for specific users, follow the procedure:

      • Navigate to MFA context. The Step-Up MFA Policy associated with the MFA context record should be “Enforce MFA for non-SSO logins.”
      • Under the Policy Input related list, select the Is a member of MFA exempted group filter criteria record.
      • Select MFA Exempted User Group.
      • Add users to this group as a member to exempt them from MFA enforcement.
      Note:
      If you have a different policy associated with the MFA context, you can add “Is a member of MFA exempted group” filter criteria to your policy and modify the policy conditions to exempt users of this group from MFA enforcement.
    2. How can the MFA mandate be relaxed for certain roles?

      In the Yokohama release, a new, empty role filter criterion, Has MFA exempted role, is added. Conditions are added to the MFA policy to exempt users who have any of the roles in the exempted role criteria from MFA enforcement.

      To relax MFA for specific roles, follow the procedure:

      • Navigate to MFA context. The Step-Up MFA Policy associated with the MFA context record should be Enforce MFA for non-SSO logins.
      • Under the Policy Input related list, select the Has MFA exempted role filter criteria record.
      • Add the roles that you want to add to the condition. You can add multiple roles using the OR operator.
      Note:
      If you have a different policy associated with the MFA context, you can add Has MFA exempted role filter criteria to your policy. Modify the policy conditions to exempt users with exempted roles from the MFA enforcement.
    3. How can the MFA mandate be relaxed for certain groups?

      In the Yokohama release, a user group, MFA Exempted User Group, is added. Based on the default condition added to the MFA policy, the user or group who is a member of this group isn’t enforced with MFA.

      To relax MFA for specific groups, follow the procedure:

      • Navigate to MFA context. The Step-Up MFA Policy associated with the MFA context record should be Enforce MFA for non-SSO logins.
      • Under the Policy Input related list, select the Is a member of MFA exempted group filter criteria record.
      • Select MFA Exempted User Group.
      • Add the groups that you want to exempt from the MFA enforcement to this group.
    4. How can the MFA mandate be relaxed for trusted networks?
      • Navigate to Adaptive Authentication > Filter Criteria > IP Filter Criteria.
      • Create a criterion to specify a trusted network. You can specify a list of IP ranges or subnets as part of the trusted network.
      • Navigate to Adaptive Authentication > Auth Policy Contexts > MFA context.
      • Open the policy associated with the context.
      • Select Edit to add the IP Filter Criteria that you created to the Policy Inputs related list.
      • Modify the policy condition to confirm it evaluates to false when users are part of the trusted network.
      Note:
      If you have a different policy associated with the MFA context, you can add the IP filter criteria created as part of Step 1 to your policy and modify the policy conditions to exempt MFA enforcement on the trusted network.
    5. How can the MFA mandate be relaxed for trusted locations?

      You can use Location Filter Criteria which is available with the Zero Trust – Location Based Access (requires an additional subscription) plugin.

    6. How can frequent MFA enforcement be controlled?

      Use the Location Filter Criteria which is available with the Zero Trust – Location-Based Access (requires an additional subscription) plugin.

      On the MFA validation page, there's a check box to remember a browser. MFA isn’t enforced on the remembered browser for:

      • The duration specified by the glide.authenticate.multifactor.browser.fingerprint.validity system property. The default value of the property is 8 hours. This duration can be increased by up to 24 hours. Similarly, using the glide.authenticate.multifactor.remember.browser.default system property, the default value of the check box can be set to true.
      • Navigate to Multi-factor Authentication > Properties and adjust these four properties to control the remembered browser feature.
    7. How does MFA work for accounts shared by users?

      Single accounts shared by multiple users are a security risk. It isn’t recommended to share an account with multiple users.
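
The following Python model is an added example, not ServiceNow code and not part of the original page. It combines the exemptions from questions 1 to 6 into one decision and audits a trusted-network list for ranges broad enough to exempt far more clients than intended. The network ranges, the role name kiosk_operator, the user record, and the /16 threshold are constructed assumptions; the platform itself evaluates whatever policy condition you configure.

```python
import ipaddress
from datetime import datetime, timedelta, timezone

# Constructed sample configuration, not exported from a real instance.
TRUSTED_NETWORKS = ["203.0.113.0/24", "198.51.100.16/28", "10.0.0.0/8"]
EXEMPT_GROUP = "MFA Exempted User Group"
EXEMPT_ROLES = {"kiosk_operator"}  # hypothetical role name


def audit_trusted_networks(cidrs, min_prefix=16):
    """Return (cidr, address_count) for IPv4 ranges broader than /min_prefix."""
    findings = []
    for cidr in cidrs:
        net = ipaddress.ip_network(cidr)  # raises ValueError if host bits are set
        if net.version == 4 and net.prefixlen < min_prefix:
            findings.append((cidr, net.num_addresses))
    return findings


def in_trusted_network(source_ip, cidrs):
    """True when source_ip falls inside any trusted range of the same IP version."""
    addr = ipaddress.ip_address(source_ip)
    return any(addr in ipaddress.ip_network(c) for c in cidrs)


def mfa_enforced(user, source_ip, remembered_at, now, validity=timedelta(hours=8)):
    """Simplified model of the decision: returns (challenged?, reason)."""
    if EXEMPT_GROUP in user["groups"]:
        return False, "exempted group"
    if EXEMPT_ROLES & set(user["roles"]):
        return False, "exempted role"
    if in_trusted_network(source_ip, TRUSTED_NETWORKS):
        return False, "trusted network"
    if remembered_at is not None and now - remembered_at < validity:
        return False, "remembered browser"
    return True, "no exemption matched"


if __name__ == "__main__":
    now = datetime(2026, 3, 12, 12, 0, tzinfo=timezone.utc)  # constructed clock
    alice = {"groups": [], "roles": ["itil"]}  # constructed user record
    print(audit_trusted_networks(TRUSTED_NETWORKS))
    for ip, hours in [("192.0.2.10", 9), ("192.0.2.10", 7), ("10.9.9.9", 9)]:
        print(ip, hours, mfa_enforced(alice, ip, now - timedelta(hours=hours), now))
```

Running the audit against an exported list of IP filter criteria before attaching them to the MFA policy shows how many source addresses each entry would exempt.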