Default MFA Access for Identity Domains My Profile and My Apps Pages

MFA access to the My Profile and My Apps pages is enforced by default if certain criteria are met. You can disable this default enforcement.

MFA access to the My Profile and My Apps pages is enforced by default when all the following criteria are met:

  • The Default Sign-On Policy is NOT configured for MFA
  • The user is enrolled in at least one MFA factor
  • The user is trying to access the My Profile and My Apps pages

Example URL: <domain_URL>/ui/v1/myconsole

If a user who is already enrolled in MFA tries to access the My Profile and My Apps pages, the user is prompted for MFA even if the Default Sign-On Policy is NOT configured for MFA.

Note: This security posture doesn't enforce new MFA enrollment.

Disabling Default MFA Access

We don't recommend that you disable this default security feature. To disable this feature, update an SSO setting using the API. Use the following high-level steps as a guide.

  1. Using cURL, GET idcs-xxx/admin/v1/SsoSettings/SsoSettings using the IDA-scoped token.
  2. Back up your instance in case rollback is required.
  3. Find the idcsConsoleMfaEnforcementEnabled attribute (in the payload from step 1). Set idcsConsoleMfaEnforcementEnabled=false so that users aren't prompted for MFA unless the Default Sign-On Policy is configured for MFA.
  4. Using cURL, PUT idcs-xxx/admin/v1/SsoSettings/SsoSettings to update the attribute using the payload from step 3 with the IDA-scoped token.
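
The steps above as an added example (not Oracle's own code), written with Python's urllib in place of cURL so the payload edit can be validated before it is sent. The function names, the snapshot file, the bearer-token header, the JSON content type and the sample payload are assumptions; only the endpoint path and the attribute name come from this page.

```python
import copy
import json
import urllib.request

SSO_PATH = "/admin/v1/SsoSettings/SsoSettings"  # endpoint from steps 1 and 4
ATTR = "idcsConsoleMfaEnforcementEnabled"       # attribute from step 3
# Constructed sample payload; "exampleOtherSetting" is a made-up field.
SAMPLE = {ATTR: True, "exampleOtherSetting": 30}


def call(domain_url, token, method, body=None):
    """Send one request to the SsoSettings endpoint and return its JSON."""
    req = urllib.request.Request(
        domain_url.rstrip("/") + SSO_PATH,
        data=None if body is None else json.dumps(body).encode(),
        method=method,
        # Assumption: bearer-token authorization and a JSON request body.
        headers={"Authorization": "Bearer " + token,
                 "Content-Type": "application/json"})
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp)


def with_console_mfa(payload, enabled):
    """Step 3: copy the GET payload and change only the enforcement flag."""
    if ATTR not in payload:
        raise KeyError(ATTR + " missing from payload; not adding it blindly")
    if not isinstance(enabled, bool):
        raise TypeError("enabled must be True or False, not a string")
    updated = copy.deepcopy(payload)
    updated[ATTR] = enabled
    return updated


def update_console_mfa(domain_url, token, enabled, snapshot_file):
    """Steps 1, 3 and 4, with a local snapshot and a read-back check."""
    current = call(domain_url, token, "GET")
    # Mode "x" fails rather than overwrite an earlier snapshot. This copy
    # covers this one resource; it is not the instance backup of step 2.
    with open(snapshot_file, "x") as fh:
        json.dump(current, fh, indent=2)
    desired = with_console_mfa(current, enabled)
    if desired != current:
        call(domain_url, token, "PUT", desired)
    if call(domain_url, token, "GET").get(ATTR) is not enabled:
        raise RuntimeError(ATTR + " does not read back as requested")
    return desired
```

Calling update_console_mfa with enabled=True uses the same path to restore the default enforcement.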