Appearance
How do I enforce MFA across my organisation?
Who can do this
Owner or Admin
MFA enforcement applies to your internal users — people whose identity is owned by your customer. External users (signed in via SSO from another organisation) follow their home organisation's policy.
Steps
- Open Settings → Security.
- Find the MFA Policy section.
- Turn on Require MFA.
- (Optional) Pick the allowed second factors. By default both TOTP (authenticator app) and WebAuthn (passkey / hardware key) are allowed.
- (Optional) Set the MFA enrolment grace period — how long an existing user can keep signing in without enrolling. Default is no grace.
Result
- New invitees are required to enrol an MFA method before they finish account setup.
- Existing users without MFA are blocked at next sign-in (after the grace period, if any) and walked through enrolment.
- The Users table shows an MFA column so you can audit who has enrolled.

