Force MFA for One Specific Application

Multi-factor Authentication
Sep 10, 2025
Overview
This article describes how to enforce MFA for only one application within the tenant.
Applies To
  • Multifactor Authentication (MFA)
  • MFA for Applications
Solution
Follow the steps or video below.



NOTE: As the intention is to enforce an MFA challenge for a single application, it is first necessary to set 'require MFA' to Never in the tenant settings:
 
  1. Login to the Auth0 dashboard.
  2. Navigate to Security > Multi-factor Auth.
  3. In the Define Policies box, select the Never option.
MFA Policy Selection


An Action can be defined to enforce MFA for one or more applications. This code sample shows how this function might be implemented: 
exports.onExecutePostLogin = async (event, api) => {
	const CLIENTS_WITH_MFA = [
		'{yourClientId1}', 
		'{yourClientId2}',
		'{yourClientId3}'
	];

	if (CLIENTS_WITH_MFA.includes(event.client.client_id)) {
		api.multifactor.enable('guardian', { allowRememberBrowser: false })
	}
}

This example makes use of these Action properties:
  • the event.client properties of the Event Object
  • the api.multifactor.enable(provider, options) properties of the API Object

In this instance, 'guardian' has been chosen as the MFA provider, though the other possible options are:

  • any Use any of the configured challenges.
  • duo Use the Duo multifactor provider.
  • google-authenticator Use the Google Authenticator provider.
  • guardian Use the Guardian provider.

 

Related References

 

Recommended content

No recommended content found...
Need more help? Visit the Community
Visit the Auth0 Community