Managers can require Multi-Factor Authentication (MFA) for all users in their organization. When MFA is required, users without MFA enabled will be prompted to set it up, with an optional grace period to allow time for the transition.
Who Can Manage Organization MFA Settings
Only Managers (and Admins) can configure MFA requirements for an organization. Standard Users cannot change these settings. See the Understanding User Roles article for more details on what each role can do.
Important: You must enable MFA on your own account before you can require it for your organization. If you have not yet set up MFA, follow the steps in Setting Up Multi-Factor Authentication (MFA) first.
Requiring MFA for All Users
When you enable the MFA requirement for your organization:
- All users who do not yet have MFA enabled will receive a notification alerting them that MFA is now required.
- Users who already have MFA enabled (via either Email or Authenticator App) will not be affected.
- Users will not be able to disable MFA while the organization requirement is active.
Grace Period
When enabling the MFA requirement, you can set a grace period to give existing users time to set up MFA before enforcement begins. During the grace period:
- Existing users can still sign in normally without MFA, but they will see a notification encouraging them to set it up.
- Once the grace period expires, users without MFA will be required to set it up on their next sign-in before they can access any features.
- A reminder notification is sent one day before the grace period ends (if the grace period is at least two days).
New users: Users who are added to the organization after the MFA requirement is enabled will be required to set up MFA immediately on their first sign-in. The grace period does not apply to them.
No grace period: If you do not set a grace period, enforcement begins immediately for all existing users.
What Happens When the Grace Period Expires
After the grace period ends, any user who has not yet set up MFA will be redirected to the MFA setup screen on their next sign-in. They must complete MFA setup before they can access any part of the application.
During the enforced MFA setup, the user can choose either Email or Authenticator App as their MFA method. Once MFA is configured, they will be taken to the page they were trying to access.
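The sign-in outcomes described above (allowed, reminded, or forced into MFA setup) depend on whether MFA is required, whether the user already has it, when the user joined relative to the requirement, and whether the grace period has expired. The following is an added worked model of those rules, written for this article and not code from the product; the data classes, field names and the convention that a user added at or after the moment the requirement was enabled counts as a new user are assumptions for illustration.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional

# Hypothetical model of the organization-level MFA setting (not the product's schema).
@dataclass
class OrgPolicy:
    mfa_required: bool
    required_since: datetime          # when the requirement was enabled
    grace_ends: Optional[datetime]    # None means no grace period was set


@dataclass
class User:
    mfa_enabled: bool
    joined: datetime                  # when the user was added to the organization


def sign_in_action(policy: OrgPolicy, user: User, now: datetime) -> str:
    """Decide what happens at sign-in: 'allow', 'remind', or 'enforce_setup'."""
    # No requirement, or the user already has MFA (Email or Authenticator App): nothing changes.
    if not policy.mfa_required or user.mfa_enabled:
        return "allow"
    # Assumption: users added at or after enablement are "new" and get no grace period.
    if user.joined >= policy.required_since:
        return "enforce_setup"
    # No grace period, or the grace period has ended: redirect to MFA setup.
    if policy.grace_ends is None or now >= policy.grace_ends:
        return "enforce_setup"
    # Inside the grace period: sign in normally, but show the setup notification.
    return "remind"


def reminder_due(policy: OrgPolicy, today: datetime) -> bool:
    """The one-day-before reminder is sent only when the grace period is at least two days."""
    if not policy.mfa_required or policy.grace_ends is None:
        return False
    grace_days = (policy.grace_ends - policy.required_since).days
    return grace_days >= 2 and today.date() == (policy.grace_ends - timedelta(days=1)).date()


def can_disable_mfa(policy: OrgPolicy) -> bool:
    """Users may turn MFA off on their Profile page only while no requirement is active."""
    return not policy.mfa_required


def enrollment_summary(policy: OrgPolicy, users: list[User]) -> dict:
    """The figures a Manager sees on the enrollment status view."""
    return {
        "total_users": len(users),
        "users_with_mfa": sum(1 for u in users if u.mfa_enabled),
        "mfa_required": policy.mfa_required,
        "grace_ends": policy.grace_ends,
    }


if __name__ == "__main__":
    # Constructed sample data: requirement enabled 1 March with a 7-day grace period.
    enabled = datetime(2024, 3, 1, 9, 0)
    policy = OrgPolicy(True, enabled, enabled + timedelta(days=7))
    existing = User(False, datetime(2024, 1, 10))
    newcomer = User(False, datetime(2024, 3, 2))
    print(sign_in_action(policy, existing, datetime(2024, 3, 3)))   # remind
    print(sign_in_action(policy, newcomer, datetime(2024, 3, 3)))   # enforce_setup
    print(sign_in_action(policy, existing, datetime(2024, 3, 9)))   # enforce_setup
    print(reminder_due(policy, datetime(2024, 3, 7, 12, 0)))         # True
```

The `reminder_due` check compares calendar dates rather than exact timestamps, so a reminder job that runs once a day fires exactly once on the day before the grace period ends and never for a grace period shorter than two days.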
Viewing MFA Enrollment Status
Managers can view the MFA enrollment status for their organization, including:
- Total users in the organization.
- Users with MFA enabled - how many team members have already completed MFA setup.
- Whether MFA is currently required for the organization.
- The grace period end date, if one was set.
Removing the MFA Requirement
If you decide to make MFA optional again, you can disable the organization-level requirement. When MFA is no longer required:
- Users who have already set up MFA will keep it enabled. Their MFA is not automatically removed.
- Users will now have the option to disable MFA from their Profile page if they choose.
- Users who had not yet set up MFA will no longer be forced to do so on sign-in.
Best Practices for Rolling Out MFA
- Communicate in advance. Let your team know that MFA will be required and explain why it matters for protecting business data.
- Set a reasonable grace period. A grace period of 7 days gives users enough time to install an authenticator app and complete setup without disrupting their workflow.
- Lead by example. Set up MFA on your own account first. This is required before enabling the organization requirement.
- Recommend Authenticator App. Authenticator App is faster (no waiting for an email) and does not depend on email delivery reliability. It is also the stronger option: Email MFA is only as strong as the user's mailbox, so an attacker who already controls the email account can pass an email code as well.
- Remind users about backup codes. Users who choose Authenticator App should save their backup codes in a secure location in case they lose access to their device.
- Monitor enrollment. Check the MFA enrollment status to see how many users have completed setup, and follow up with those who have not before the grace period ends.
Tip: If a user loses access to their authenticator app and has used all backup codes, a Manager or Admin can help by removing MFA from their account so they can set it up again. Because removing MFA is a common target for social engineering, confirm the user's identity through a channel you trust (for example, a known phone number or a video call) before doing so, and ask them to re-enroll right away while the requirement is still active.