How to Enable MFA for a Subset of Users

Overview

By default, once Multifactor Authentication (MFA) is enabled, it applies to all users in the tenant. This article details how MFA can be enabled for specific users.

Applies To
  • Multifactor Authentication (MFA)
Solution

First, ensure the tenant's Require Multi-factor Auth setting is set to None. Then use a Rule or an Action to conditionally enable MFA for specific users.

NOTE: Rules and Hooks will reach the end of life on November 18, 2024. 

Follow the steps or video below.

The MFA challenge can be triggered based on an attribute on the user's profile. Here are the steps:

  1. Set the user.user_metadata.use_mfa attribute in the respective user profile to true or false using the Auth0 Management API v2 endpoint. NOTE: use_mfa is an invented user_metadata property name used in this example; it holds a boolean value.

  2. Enable MFA using a Rule or Actions for specific users.

There are two ways to update the user_metadata object: using the Dashboard or the Management API.

Steps using the Dashboard:

  1. Go to the Dashboard.
  2. Click on User Management in the left menu.
  3. Click on Users.
  4. Select the user from the list and click it.
  5. Scroll down until the Metadata section is displayed.
  6. Add the desired property to the User Metadata object section.
  7. Click Save.
Steps using the Management API:

  1. Get a Management API token with the scope needed for user update requests and set it in the Management API explorer.
  2. Navigate to the Update a User endpoint.
  3. Insert the user ID to be modified.
  4. Add the desired property to the request Body.
  5. Click Test Endpoint.
Enable MFA using Actions:

  1. Navigate to Actions > Flows.
  2. Click Login and create the Login flow.
  3. An example flow is provided below; it requests a second factor only from users whose user_metadata.use_mfa is true.
exports.onExecutePostLogin = async (event, api) => {
  // Request a second factor only from users whose user_metadata.use_mfa === true.
  // Users without user_metadata, or with use_mfa unset or false, log in without MFA.
  if (event.user.user_metadata && event.user.user_metadata.use_mfa) {
    api.multifactor.enable('any', { allowRememberBrowser: false });
  }
};
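The following is an added example and not code from the Auth0 article. It pulls the Action's decision into a pure function, builds the Management API request body that step 1 sends, and runs the Action against a stand-in api object. The event.user and api.multifactor.enable shapes follow the Auth0 post-login Action contract; the user objects are constructed sample data, and the strict === true check is an addition that guards against the metadata being stored as a string.

```javascript
// Added example, not code from the Auth0 article. It pulls the Action's
// decision into a pure function, builds the Management API request body that
// step 1 sends, and exercises the Action against a stand-in `api` object.
// `event.user` / `api.multifactor.enable` follow the Auth0 post-login Action
// contract; every user object below is constructed sample data.

// Step 1: the body for Update a User (PATCH /api/v2/users/{id}).
// user_metadata is merged at the top level, so only use_mfa is touched.
// Refuse non-boolean input so a string such as "false" never lands in the profile.
function buildUseMfaPatch(userId, useMfa) {
  if (typeof useMfa !== 'boolean') {
    throw new TypeError('use_mfa must be a boolean');
  }
  return {
    method: 'PATCH',
    path: `/api/v2/users/${encodeURIComponent(userId)}`,
    body: { user_metadata: { use_mfa: useMfa } },
  };
}

// Step 2: decide whether this login needs a second factor. A strict === true
// check means a stale string value such as "false" does not trigger MFA,
// which a plain truthiness test on use_mfa would.
function shouldRequireMfa(user) {
  const meta = user && user.user_metadata;
  return Boolean(meta) && meta.use_mfa === true;
}

// The post-login Action body, using the helper above.
const onExecutePostLogin = async (event, api) => {
  if (shouldRequireMfa(event.user)) {
    api.multifactor.enable('any', { allowRememberBrowser: false });
  }
};

// Stand-in for the Actions `api` object that records multifactor.enable calls.
function makeMockApi() {
  const calls = [];
  return {
    calls,
    multifactor: { enable: (provider, options) => calls.push({ provider, options }) },
  };
}

// Run the Action for a constructed user; resolves to the recorded enable calls.
async function runLogin(user) {
  const api = makeMockApi();
  await onExecutePostLogin({ user }, api);
  return api.calls;
}
```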

Enable MFA using a Rule:

function (user, context, callback) {
  // Request a second factor only from users whose user_metadata.use_mfa === true.
  // Users without user_metadata, or with use_mfa unset or false, log in without MFA.
  if (user.user_metadata && user.user_metadata.use_mfa) {
    context.multifactor = {
      provider: 'any',
      allowRememberBrowser: false
    };
  }
  callback(null, user, context);
}