Require MFA for Users

After you’ve configured an MFA factor type, you need to require MFA on your users. If you don’t, your users can log in to their resources with just their username and password. 

Requiring MFA for Users

You can require MFA in the Admin Portal the following ways:

• From Individual User Accounts
• From the More Actions Menu
• On User Groups with a Conditional Access Policy

From Individual User Accounts

To require MFA factors for the User Portal on an individual user account:

1. Edit a user or create a new user in the Admin Portal. See Get Started: Users.
2. In the User Security Settings and Permissions section, select Require Multi-factor Authentication for User Portal option. Note: The enrollment period only affects TOTP MFA.
3. Click save user.

From the More Actions Menu

To require MFA factors for the User Portal on existing users from the more actions menu:

1. Select any users you want to require MFA for.
2. Click more actions, then select Require MFA on User Portal.
3. Specify the number of days the user has to enroll in MFA before they are required to have MFA at login. You can specify a number of days between 1 and 365. The default value is 7 days.
4. Click require to add this requirement to the selected users.

With a Conditional Access Policy

To require MFA factors with a Conditional Access Policy: 

1. Log in to the JumpCloud Admin Portal.
2. Go to SECURITY MANAGEMENT > Conditional Policies.
3. Click (+). 
4. Enter a unique Policy Name.
5. Optionally, enter a description for the policy.
6. If you don’t want the policy to take effect right away, toggle the Policy Status to OFF and finish the rest of the configuration. When you’re ready for the policy to apply, you can toggle the Policy Status to ON. 
7. For Users, choose one of the following options:
   • Select All Users if you want the policy to apply to all users. 
   • Select Selected User Groups if you want the policy to apply to specific user groups, then search for those user groups and select them. If you need to create user groups, see Get Started: User Groups. 
   • If there are User Groups you want to exclude from the policy, search for the user groups and select them in the search bar under Excluded User Groups.
8. Optionally, set the conditions a user needs to meet. Note: Conditions is a premium feature available in the Platform Prime plan. Learn more about conditions in Get Started: Conditional Access Policies. 
9. In Action, select Allow authentication into selected resources, then select the Require MFA option. 
10. Click create policy. 

Understanding User MFA Enrollment Options

There are two types of MFA enrollment for users:

1. Forced MFA Enrollment
2. Soft TOTP MFA Enrollment

About Forced MFA Enrollment

If you require MFA for your users with a Conditional Access Policy, users are forced to enroll in MFA the next time they log in. To require MFA for your users with a Conditional Access Policy, see Requiring MFA with a Conditional Access Policy above. 

About Soft TOTP MFA Enrollment

Soft TOTP MFA enrollment applies to TOTP MFA only. If there's more than one MFA solution enabled, a user can select to enroll with an MFA solution that isn't TOTP. After they finish setting up the non-TOTP MFA solution, they need to go back and enroll in TOTP MFA. If a user doesn't enroll in TOTP MFA during the enrollment period, they are locked out of resources that are protected by TOTP MFA and you need to reset TOTP MFA for the user. 

Starting TOTP MFA Enrollment for Your Users

You can start a soft TOTP MFA enrollment period from an individual user account or with the More Actions menu.

To begin a soft TOTP MFA enrollment period from an individual account: 

1. Log in to the JumpCloud Admin Portal.
2. Go to USER MANAGEMENT > Users.
3. Select an existing user or create a new one. To learn how to create a new user, see Get Started: Users. 
4. Select the Details tab, then expand User Security Settings and Permissions.
5. For Multi-Factor Authentication Settings, select Require Multi-factor Authentication on the User Portal, then enter the number of days the user has to enroll in MFA. 
6. Click save user. 

To begin a soft TOTP MFA enrollment period from the more actions menu: 

1. Log in to the JumpCloud Admin Portal.
2. Go to USER MANAGEMENT > Users.
3. Select the users you want to be in the enrollment period.
4. In the top right, click more actions, then select Require User MFA. 
5. From the Require MFA on User Portal modal, enter the number of days users have to enroll in MFA. 
6. Click require. 

When you begin an enrollment period, users receive an email notification. The email lets them know how long their enrollment period is and gives them a link to set up TOTP MFA. 

Resetting TOTP MFA Enrollment for a User

If a user doesn’t set up TOTP MFA and the enrollment period expires, the user is locked out of their account, and you need to reset their enrollment period. 

To reset a user’s TOTP MFA enrollment period:

1. Log in to the JumpCloud Admin Portal.
2. Go to USER MANAGEMENT > Users.
3. Select the user from the Users list. 
4. On the left side of the User Panel, select TOTP MFA expired, then click reset TOTP MFA. 
5. Click save user. 

Viewing Users’ TOTP MFA Status

You can view users’ TOTP MFA status to monitor who’s set up MFA, still in the enrollment period, and has had the enrollment period expired. 

To view a users TOTP MFA status:

1. Log in to the JumpCloud Admin Portal.
2. Go to USER MANAGEMENT > Users.

The Users list MFA column, which defaults to TOTP, shows you a user's TOTP MFA status. When you hover over the status, you can see TOTP MFA status details for a user. The following TOTP MFA Statuses are possible:

• A user has enrolled sucessfully in TOTP MFA .
• A user has not completed TOTP enrollment.
• A user is in a TOTP MFA enrollment period (dates included). 
• A user’s TOTP MFA enrollment period has expired (expiration date included). 
• A user is in Pre-Enrollment, meaning their enrollment period will begin when their user state changes to active.

You can also view a user's MFA status in their user details.

You can filter the Users list to show MFA status and requirement. See Get Started: Users.  

To see users in an enrollment period, filter by both the required and inactive MFA status filters. Likewise, to see users with an expired enrollment period, also apply both the required and inactive MFA status filters.

Learn more in Resetting MFA Enrollment for a User above. 

Looking at the User Workflow  

When you begin an enrollment process, the following is what the user experience is like for a user who hasn’t set up MFA:

1. The user logs in to the User Portal.
2. The user sees a Set Up Multi-Factor Authentication modal. If it’s a forced enrollment, the user won’t be able to skip it. If it includes a soft TOTP MFA enrollment, the user can skip it.
   1. If you enabled TOTP MFA as the single MFA solution, the user has to set up TOTP MFA.
   2. If you enabled TOTP MFA and WebAuthn, the user can choose which MFA solution to set up first. By default, TOTP MFA is selected. Note: If the users sets up WebAuthn first, they need to go back and set up TOTP MFA.    
   3. If you set up Duo MFA and WebAuthn, the user has to set up WebAuthn.
3. After an MFA solution has been selected, the user clicks continue and sets up MFA. For more information see:
   1. User Workflow with MFA
   2. Use a Security Key or Device Authenticator with User Accounts