MFA enforcement exception
Summary of MFA Enforcement Exception
This guidance explains how ServiceNow customers can selectively relax Multi-Factor Authentication (MFA) enforcement to balance security with operational flexibility. The functionality introduced in the Yokohama release enables exemptions from MFA based on user groups, roles, trusted networks, and locations. Additionally, controls exist to reduce the frequency of MFA prompts on recognized browsers.
Relaxing MFA Enforcement for Specific Users, Roles, and Groups
- User-based Exemptions: Add users to the MFA Exempted User Group to exclude them from MFA enforcement. This group is referenced by the default MFA policy under the Is a member of MFA exempted group filter criterion.
- Role-based Exemptions: Use the Has MFA exempted role filter criterion by adding roles that should bypass MFA. Multiple roles can be combined with an OR operator within the policy inputs.
- Group-based Exemptions: Similar to user exemptions, add entire groups to the MFA Exempted User Group to exempt all members from MFA.
Note: If you use a custom MFA policy, you can incorporate these filter criteria and adjust the policy conditions accordingly to implement exemptions.
Relaxing MFA for Trusted Networks and Locations
- Trusted Networks: Define trusted IP ranges or subnets using IP Filter Criteria under Adaptive Authentication. Attach this criterion to the MFA policy and update conditions to disable MFA enforcement for users within these networks.
- Trusted Locations: Use Location Filter Criteria provided by the Zero Trust – Location Based Access plugin (requires additional subscription) to exempt users based on geographic or logical locations.
Controlling MFA Frequency and Browser Recognition
- Enable the "Remember Browser" feature on the MFA validation page to reduce repeated MFA prompts on recognized browsers.
- The remembered browser duration is controlled by the glide.authenticate.multifactor.browser.fingerprint.validity system property, defaulting to 8 hours and adjustable up to 24 hours.
- The default state of the "Remember Browser" checkbox can be set via glide.authenticate.multifactor.remember.browser.default.
- These properties are configurable under Multi-factor Authentication > Properties to tailor MFA enforcement frequency to organizational needs.
Important Security Consideration
Sharing single accounts among multiple users is discouraged due to inherent security risks and complications with MFA enforcement.
FAQ related to MFA enforcement exception and why it’s important.
- How can the MFA mandate be relaxed for specific users?
In the Yokohama release, a new user group record, MFA Exempted User Group, is added. The default condition on the MFA policy exempts any user who is a member of this group from MFA enforcement.
To relax MFA for specific users, follow the procedure:
- Navigate to MFA context. The Step-Up MFA Policy associated with the MFA context record should be “Enforce MFA for non-SSO logins”.
- Under the Policy Input related list, select the Is a member of MFA exempted group filter criteria record.
- Select MFA Exempted User Group.
- Add users to this group as a member to exempt them from MFA enforcement.
Note: If you have a different policy associated with the MFA context, you can add the “Is a member of MFA exempted group” filter criterion to your policy and modify the policy conditions to exempt members of this group from MFA enforcement.
- How can the MFA mandate be relaxed for certain roles?
In the Yokohama release, a new filter criterion, Has MFA exempted role, is added with no roles configured. The default MFA policy contains a condition that exempts users who hold any of the roles in this criterion from MFA enforcement.
To relax MFA for specific roles, follow the procedure:
- Navigate to MFA context. The Step-Up MFA Policy associated with the MFA context record should be Enforce MFA for non-SSO logins.
- Under the Policy Input related list, select Has MFA exempted role filter criteria record.
- Add the roles that you want to exempt to the condition. You can add multiple roles using the OR operator.
Note: If you have a different policy associated with the MFA context, you can add the Has MFA exempted role filter criterion to your policy and modify the policy conditions to exempt users with those roles from MFA enforcement.
- How can the MFA mandate be relaxed for certain groups?
In the Yokohama release, a user group, MFA Exempted User Group, is added. Based on the default condition added to the MFA policy, users and groups that are members of this group aren’t enforced with MFA.
To relax MFA for specific groups, follow the procedure:
- Navigate to MFA context. The Step-Up MFA Policy associated with the MFA context record should be Enforce MFA for non-SSO logins.
- Under the Policy Input related list, select the Is a member of MFA exempted group filter criteria record.
- Select MFA Exempted User Group.
- Add the groups that you want to exempt from the MFA enforcement to this group.
- How can the MFA mandate be relaxed for trusted networks?
- Navigate to .
- Create a criterion to specify a trusted network. You can specify a list of IP ranges or subnets as part of the trusted network.
- Navigate to .
- Open the policy associated with the context.
- Click Edit to add the IP Filter Criteria that you created to the Policy inputs related list.
- Modify the policy condition so that it evaluates to false when the user’s IP address is within the trusted network.
Note: If you have a different policy associated with the MFA context, you can add the IP filter criterion created in the first step to your policy and modify the policy conditions so that MFA is not enforced on the trusted network.
- How can the MFA mandate be relaxed for trusted locations?
You can use Location Filter Criteria which is available with the Zero Trust – Location Based Access (requires an additional subscription) plugin.
- How can the frequency of MFA enforcement be controlled?
On the MFA validation page, there’s a check box to remember a browser. MFA isn’t enforced on the remembered browser for the duration specified by the glide.authenticate.multifactor.browser.fingerprint.validity system property. The default value of the property is 8 hours, and the duration can be increased up to 24 hours. Similarly, using the glide.authenticate.multifactor.remember.browser.default system property, the default value of the check box can be set to true.
- Navigate to Multi-factor Authentication > Properties and adjust these properties to control the remembered browser feature.
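Added example (not ServiceNow’s code and not from this page): a self-contained JavaScript model of the decision the default step-up policy makes once the exemptions from the summary and the FAQ procedures above are configured. ServiceNow evaluates Adaptive Authentication policies internally, so this is only a model for reasoning about precedence and for checking that an exemption does not quietly cover privileged accounts. The group name, the OR semantics of exempted roles, the IP filter criterion, the SSO scope of the default policy and the two property names come from this page; the users, groups, roles, networks and the helper names (mfaDecision, privilegedExemptions) are constructed for the demo and are hypothetical.

```javascript
// Added example, not ServiceNow code: a stand-alone model of the step-up MFA
// decision described on this page (exempt group, exempt roles, trusted
// network, remembered browser). Only the names below are taken from the page;
// every user, group, role and network is constructed demo data.

const BROWSER_VALIDITY_MAX_HOURS = 24; // page: validity can be raised to at most 24 hours

// Constructed directory data (hypothetical). Nested group membership matters
// because the page says whole groups can be added to the exempt group.
const groups = {
  'MFA Exempted User Group': { users: ['svc.integration'], groups: ['Kiosk Users'] },
  'Kiosk Users':             { users: ['kiosk01', 'kiosk02'], groups: [] },
};
const users = {
  'svc.integration': { roles: ['itil'] },
  'kiosk01':         { roles: [] },
  'kiosk02':         { roles: ['admin'] },          // privileged account inside an exempt group
  'alice':           { roles: ['admin'] },
  'bob':             { roles: ['itil', 'external_auditor'] },
};

// Policy inputs, mirroring the filter criteria named on the page.
const policy = {
  exemptGroup: 'MFA Exempted User Group',             // "Is a member of MFA exempted group"
  exemptRoles: ['external_auditor'],                  // "Has MFA exempted role" (OR-combined)
  trustedNetworks: ['10.0.0.0/8', '192.168.1.0/24'],  // IP filter criterion (hypothetical ranges)
  browserFingerprintValidityHours: 8,                 // glide.authenticate.multifactor.browser.fingerprint.validity
};

// Transitive membership: a user in a group that is itself in the exempt group is exempt.
function isMemberOf(userId, groupName, seen = new Set()) {
  const g = groups[groupName];
  if (!g || seen.has(groupName)) return false;      // unknown group or membership cycle
  seen.add(groupName);
  if (g.users.includes(userId)) return true;
  return g.groups.some((child) => isMemberOf(userId, child, seen));
}

function hasExemptRole(userId, exemptRoles) {
  const roles = (users[userId] || { roles: [] }).roles;
  return exemptRoles.some((r) => roles.includes(r));
}

function ipToInt(ip) {
  const parts = ip.split('.').map(Number);
  if (parts.length !== 4 || parts.some((p) => !Number.isInteger(p) || p < 0 || p > 255)) {
    throw new Error('bad IPv4 address: ' + ip);
  }
  return parts.reduce((acc, p) => ((acc << 8) | p) >>> 0, 0);
}

function inCidr(ip, cidr) {
  const [net, prefixStr] = cidr.split('/');
  const prefix = Number(prefixStr);
  const mask = prefix === 0 ? 0 : (0xffffffff << (32 - prefix)) >>> 0;
  return ((ipToInt(ip) & mask) >>> 0) === ((ipToInt(net) & mask) >>> 0);
}

function inTrustedNetwork(ip, networks) {
  return networks.some((n) => inCidr(ip, n));
}

// Effective validity honours the 24-hour ceiling the page states for the property.
function browserStillRemembered(rememberedAtMs, nowMs, validityHours) {
  const hours = Math.min(validityHours, BROWSER_VALIDITY_MAX_HOURS);
  return rememberedAtMs !== null && nowMs - rememberedAtMs < hours * 3600 * 1000;
}

// ctx: { sso, ip, rememberedAtMs, nowMs }. Returns whether MFA is required and why.
// The default policy is "Enforce MFA for non-SSO logins", so SSO logins are out of scope.
function mfaDecision(userId, ctx, p = policy) {
  if (ctx.sso) return { required: false, reason: 'sso-login-out-of-scope' };
  if (isMemberOf(userId, p.exemptGroup)) return { required: false, reason: 'exempt-group' };
  if (hasExemptRole(userId, p.exemptRoles)) return { required: false, reason: 'exempt-role' };
  if (inTrustedNetwork(ctx.ip, p.trustedNetworks)) return { required: false, reason: 'trusted-network' };
  if (browserStillRemembered(ctx.rememberedAtMs, ctx.nowMs, p.browserFingerprintValidityHours)) {
    return { required: false, reason: 'remembered-browser' };
  }
  return { required: true, reason: 'enforce-mfa-non-sso' };
}

// Review check: list accounts that an exemption covers while they hold a privileged role.
function privilegedExemptions(p = policy, privilegedRoles = ['admin', 'security_admin']) {
  return Object.keys(users).filter((u) =>
    (isMemberOf(u, p.exemptGroup) || hasExemptRole(u, p.exemptRoles)) &&
    privilegedRoles.some((r) => users[u].roles.includes(r)));
}

// Example run: kiosk02 is exempt through the nested group despite holding admin.
console.log(privilegedExemptions());
```

The privilegedExemptions check is the review a practitioner should run before (and periodically after) relaxing MFA: because whole groups can be added to the exempt group, anyone later added to a nested group inherits the exemption without any change to the policy itself. The browserStillRemembered helper clamps the configured validity to the 24-hour ceiling the page describes, so a misconfigured larger value does not silently extend the window in the model.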
- How does MFA work for accounts shared by users?
Single accounts shared by multiple users are a security risk. It isn’t recommended to share an account with multiple users.