Use the Global Policy Setting to determine how users access a resource when no conditional access policies apply to them. You can see the Global Policy status in the Conditional Access Policies list.
Considerations:
- Conditional access policies override a Global Policy.
- For the User Portal, the Global Policy Setting defaults to Require MFA based on user setting.
- The Require Multi-factor Authentication on the User Portal option must be enabled individually in the User panel Details tab to require MFA for the User Portal.
- For SSO Applications, the Global Policy Setting defaults to Allow authentication.
- For JumpCloud LDAP, the Global Policy Setting defaults to Allow Authentication.
- If you want to create a Global Policy that denies access, we recommend that you create it after you’ve configured conditional access policies that allow access. If you first create a Global Policy that denies access and there are no conditional access policies that apply to users, the Global Policy applies to all of your users, and they can’t access the User Portal and their SSO applications.
To set up a Global Policy:
- Log in to the Admin Portal.
- Go to SECURITY MANAGEMENT > Conditional Policies.
- Click the Settings icon in the top right.
- Expand Global Policy Settings.
- For a resource, decide what happens when users aren’t part of a conditional access policy:
  - If you don’t want to require Multi-factor Authentication (MFA), select Allow authentication.
  - If you want to require MFA, select Allow authentication & require MFA.
  - If you want to deny access, select Deny access.
  - For the User Portal only, if you want the Require MFA setting in the User panel Details tab to determine how a user accesses a resource, select Require MFA based on user setting. To find and configure this setting, see Requiring MFA Factor Types from User Details.
    - When Require Multi-factor Authentication on the User Portal is selected on the User panel Details tab, users are required to authenticate with MFA when no conditional access policies apply to them.
    - When Require Multi-factor Authentication on the User Portal isn’t selected on the User panel Details tab, users aren’t required to authenticate with MFA when no conditional access policies apply to them.
- Click save.
Global Policies will also appear in Policy Management on the Conditional Access Policies page.
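The check below is an added example, not JumpCloud code: it models the fallback rules on this page to list which users a proposed Deny access Global Policy would lock out before you save it. It assumes conditional access policies target user groups and that the first matching policy decides; the users, groups and policy name are constructed.

```python
# Added illustration: a simplified model of the fallback rules on this page.
# It is not JumpCloud code and calls no JumpCloud API; all data is constructed.
ALLOW = "Allow authentication"
ALLOW_MFA = "Allow authentication & require MFA"
DENY = "Deny access"
USER_SETTING = "Require MFA based on user setting"  # User Portal only

# Defaults as stated in the considerations above.
DEFAULTS = {"User Portal": USER_SETTING,
            "SSO Applications": ALLOW,
            "JumpCloud LDAP": ALLOW}

def effective_access(user, resource, policies, global_policy):
    """Return (outcome, source) for one user on one resource."""
    # Conditional access policies override the Global Policy.
    # Assumption: policies target user groups and the first match decides.
    for p in policies:
        if p["resource"] == resource and user["groups"] & p["groups"]:
            return p["action"], "conditional policy: " + p["name"]
    setting = global_policy.get(resource, DEFAULTS[resource])
    if setting == USER_SETTING:
        if resource != "User Portal":
            raise ValueError("user-setting option exists for the User Portal only")
        # The per-user checkbox in the User panel Details tab decides.
        setting = ALLOW_MFA if user["require_mfa"] else ALLOW
    return setting, "global policy"

def locked_out(users, policies, global_policy):
    """Per resource, the users a proposed Global Policy would deny."""
    report = {}
    for resource in DEFAULTS:
        report[resource] = sorted(
            u["name"] for u in users
            if effective_access(u, resource, policies, global_policy)
            == (DENY, "global policy"))
    return report

# Constructed sample data (hypothetical users, groups and policy name).
USERS = [
    {"name": "alice", "groups": {"engineering"}, "require_mfa": True},
    {"name": "bob", "groups": {"contractors"}, "require_mfa": False},
    {"name": "carol", "groups": set(), "require_mfa": True},
]
POLICIES = [{"name": "eng-sso", "resource": "SSO Applications",
             "groups": {"engineering"}, "action": ALLOW_MFA}]
PROPOSED = {"User Portal": DENY, "SSO Applications": DENY}

if __name__ == "__main__":
    for resource, names in locked_out(USERS, POLICIES, PROPOSED).items():
        print(resource, "->", names or "nobody denied by the Global Policy")
```

A non-empty list for a resource means those users have no conditional access policy that applies to them, so the Deny access setting would block them.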
Requiring MFA Factor Types from User Details
For a Global Policy, you have the option to select Require MFA based on user setting. This lets the Require Multi-factor Authentication on the User Portal setting on the User panel Details tab take effect when no conditional access policies apply to a user.
To configure the Require MFA setting from a User panel Details tab:
- Log in to the Admin Portal.
- Edit a user or create a new user in the Admin Portal. See Get Started: Users.
- In the User Security Settings and Permissions section, select Require Multi-factor Authentication for User Portal if you want users to authenticate with MFA when no policies apply to them.
- If you’re using TOTP MFA, you can enter a number for the enrollment period, but enrollment periods only apply if no other policy applies and the Global Policy is set to Require MFA based on user setting. Without the enrollment period, users who don’t have MFA set up are required to enroll in MFA the next time they log in to the User Portal.
- Click save user.