Skip to content

How do I enforce MFA across my organisation?

Who can do this

Owner or Admin

MFA enforcement applies to your internal users — people whose identity is owned by your customer. External users (signed in via SSO from another organisation) follow their home organisation's policy.

Steps

  1. Open Settings → Security.
  2. Find the MFA Policy section.
  3. Turn on Require MFA.
  4. (Optional) Pick the allowed second factors. By default both TOTP (authenticator app) and WebAuthn (passkey / hardware key) are allowed.
  5. (Optional) Set the MFA enrolment grace period — how long an existing user can keep signing in without enrolling. Default is no grace.

Result

  • New invitees are required to enrol an MFA method before they finish account setup.
  • Existing users without MFA are blocked at next sign-in (after the grace period, if any) and walked through enrolment.
  • The Users table shows an MFA column so you can audit who has enrolled.