Yandex Cloud
Search
Discuss with expertTry it for free
  • Customer Stories
  • Documentation
  • Blog
  • All Services
  • System Status
  • Marketplace
    • Featured
    • Infrastructure & Network
    • Data Platform
    • AI for business
    • Security
    • DevOps tools
    • Serverless
    • Monitoring & Resources
  • All Solutions
    • By industry
    • By use case
    • Economics and Pricing
    • Security
    • Technical Support
    • Start testing with double trial credits
    • Cloud credits to scale your IT product
    • Gateway to Russia
    • Cloud for Startups
    • Center for Technologies and Society
    • Yandex Cloud Partner program
    • Price calculator
    • Pricing plans
  • Customer Stories
  • Documentation
  • Blog
© 2026 Direct Cursus Technology L.L.C.
Yandex Identity Hub
    • Organization
    • Organization membership
    • User groups
    • User pools
    • Password policy
    • Authentication policies
    • Identity federations
    • Domains
    • Applications (SSO)
    • OS Login
    • MFA
    • Controlled organizations
    • Branding
    • My account portal
    • Audit logs and login logs
    • Sessions
    • Syncing with Active Directory
    • Quotas and limits
  • Access management
  • Pricing policy
  • Terraform reference
  • Audit Trails events
  • Release notes
  • Yandex Identity Hub Sync Agent release notes

In this article:

  • Policy scope
  • Users and user groups
  • Applications
  • Networks and IP addresses
  • Policy outcomes
  • Policy statuses
  1. Concepts
  2. Authentication policies

Authentication policies in Yandex Identity Hub

Written by
Yandex Cloud
Updated at July 8, 2026
View in Markdown
  • Policy scope
    • Users and user groups
    • Applications
    • Networks and IP addresses
  • Policy outcomes
  • Policy statuses

Note

This feature is at the Preview stage.

In Yandex Identity Hub, authentication policies are used for granular management of user and user group access to Yandex Identity Hub applications by denying or allowing authentication based on conditions specified in the policy scope.

Currently, you can manage authentication policies via the Cloud Center UI. To create, update, activate, deactivate, or delete authentication policies, users need the organization-manager.admin role or higher.

Policy scopePolicy scope

Authentication policies apply to user authentication events based on the following conditions:

  • Users and user groups.
  • Applications.
  • Networks and IP addresses.

Note

The conditions specified in the policy are applied with the AND logic when checking whether the user can authenticate.

Users and user groupsUsers and user groups

You can apply an authentication policy to all users within your Yandex Identity Hub or restrict it to specific users or user groups.

You can also explicitly exclude certain users or user groups from a policy. Note that you cannot add the same users or user groups to both inclusion and exclusion lists at the same time.

ApplicationsApplications

You can apply an authentication policy to all applications created in your Yandex Identity Hub or restrict it to specific applications.

You can also exclude certain applications from a policy.

Networks and IP addressesNetworks and IP addresses

You can apply an authentication policy to either all possible IP addresses or specific IPv4 and IPv6 ranges in CIDR notation.

You can also exclude certain address ranges from a policy. Note that you cannot add the same IP address ranges to both inclusion and exclusion lists at the same time.

Policy outcomesPolicy outcomes

Currently, you can use authentication policies to deny user authentication if the authentication event meets the policy conditions.

Policy statusesPolicy statuses

An authentication policy may be either Active or Inactive. An inactive policy does not apply to user authentication events.

Useful linksUseful links

  • Creating an authentication policy
  • Activating/deactivating an authentication policy
  • Editing an authentication policy
  • Deleting an authentication policy
  • Applications in Yandex Identity Hub

An organization is the highest resource in the Yandex Cloud resource model hierarchy that consolidates the resources of all other services. It is also used for user management as well as authentication and authorization management. For more information, see Organization.

You can group Yandex Identity Hub users to simplify access management in Yandex Cloud. For more information, see User groups.

Yandex Identity Hub SAML and OIDC applications allow Yandex Cloud users to authenticate in services of third-party service providers. For more information, see Applications in Yandex Identity Hub.

Yandex Cloud uses Yandex accounts as well as federated and local user accounts. For more information, see Accounts in Yandex Cloud.

The organization-manager.admin role enables managing organization settings, identity federations, user pools, SAML applications, OIDC applications, users and user groups, and users' access permissions to the organization and its resources. To learn more, see Access management in Yandex Identity Hub.

Was the article helpful?

Previous
Password policy
Next
Identity federations
© 2026 Direct Cursus Technology L.L.C.