Yandex Cloud
Search
Discuss with expertTry it for free
  • Customer Stories
  • Documentation
  • Blog
  • All Services
  • System Status
  • Marketplace
    • Featured
    • Infrastructure & Network
    • Data Platform
    • AI for business
    • Security
    • DevOps tools
    • Serverless
    • Monitoring & Resources
  • All Solutions
    • By industry
    • By use case
    • Economics and Pricing
    • Security
    • Technical Support
    • Start testing with double trial credits
    • Cloud credits to scale your IT product
    • Gateway to Russia
    • Cloud for Startups
    • Center for Technologies and Society
    • Yandex Cloud Partner program
    • Price calculator
    • Pricing plans
  • Customer Stories
  • Documentation
  • Blog
© 2026 Direct Cursus Technology L.L.C.
Yandex Identity Hub
    • All guides
    • Subscribing a user to notifications
      • Adding an SSH key
      • Deleting an SSH key
      • Enabling refresh tokens
      • Enabling the two-factor authentication requirement for Yandex accounts
        • Creating an authentication policy
        • Activating/deactivating an authentication policy
        • Editing an authentication policy
        • Deleting an authentication policy
    • Syncing users and groups with Active Directory
    • Billing management in Yandex Identity Hub
  • Access management
  • Pricing policy
  • Terraform reference
  • Audit Trails events
  • Release notes
  • Yandex Identity Hub Sync Agent release notes
  1. Step-by-step guides
  2. Authentication
  3. Managing authentication policies
  4. Creating an authentication policy

Creating an authentication policy

Written by
Yandex Cloud
Updated at July 8, 2026
View in Markdown

Note

This feature is at the Preview stage.

In Yandex Identity Hub, authentication policies are used for granular management of user and user group access to Yandex Identity Hub applications by denying or allowing authentication based on the policy criteria.

You can group Yandex Identity Hub users to simplify access management in Yandex Cloud. For more information, see User groups.

Yandex Identity Hub SAML and OIDC applications allow Yandex Cloud users to authenticate in services of third-party service providers. For more information, see Applications in Yandex Identity Hub.

Yandex Cloud uses Yandex accounts as well as federated and local user accounts. For more information, see Accounts in Yandex Cloud.

Authentication policies can be managed by users with the organization-manager.admin role or higher.

The organization-manager.admin role enables managing organization settings, identity federations, user pools, SAML applications, OIDC applications, users and user groups, and users' access permissions to the organization and its resources. To learn more, see Access management in Yandex Identity Hub.

To create an authentication policy:

Cloud Center UI
  1. Log in to Yandex Identity Hub.

  2. In the left-hand panel, select Security settings and go to the Authentication policies tab.

  3. Click Create policy.

  4. In the Name field, enter a name for the policy.

  5. Optionally, provide the policy description in the Description field.

  6. Optionally, set labels for the policy in the Labels field.

  7. Make sure the Policy active option is enabled.

  8. Set the policy Conditions:

    Note

    The conditions specified in the policy are applied with the AND logic when checking whether the user can authenticate.

    1. Under Users and groups, specify users or groups your policy will apply to:

      1. In the Include field, select:

        • All users: Your newly created authentication policy will apply to all users of the organization.

        • Selected: Your policy will apply to selected users and/or user groups.

          Click Add to select users or user groups the policy will apply to. If required, use the search bar.

      2. Optionally, in the Exclude field, click Add to select users or user groups the policy will not apply to.

        Note

        You cannot specify the same users or user groups simultaneously in both inclusion and exclusion lists.

    2. Under Apps, specify the applications for which authentication will be managed by the policy you are creating:

      1. In the Include field, select:

        • All apps: To ensure the policy applies to authentication by users connecting from any applications of the organization.

        • Selected: To apply the policy only to authentication in selected applications.

          In the field that appears, select the applications you need. If required, use the search bar and enter the application name or ID.

      2. Optionally, under Exclude, select the applications for which the policy will not be applied to authentication.

        Note

        You cannot specify identical applications simultaneously in both inclusion and exclusion lists.

    3. Under Networks and IP addresses, specify the IP addresses for the policy to allow or deny user authentication from:

      1. In the Include field, select:

        • Any networks: For the policy to apply to user authentication events from any IP address.

        • Selected: For the policy to apply to user authentication events from IP addresses in specified ranges.

          In the field that appears, enter one or more IPv4 or IPv6 address ranges in CIDR notation.

      2. Optionally, in the Exclude field, specify the IP address ranges to exclude from the policy.

        Note

        You cannot specify the same IP address ranges in both inclusion and exclusion lists at the same time.

    4. Under Result, select an action to apply to the authentication event that matches the policy criteria.

      Currently, you can only use authentication policies to deny authentication.

    5. Click Create policy.

Useful linksUseful links

  • Applications in Yandex Identity Hub
  • Authentication policies in Yandex Identity Hub
  • Activating/deactivating an authentication policy
  • Editing an authentication policy
  • Deleting an authentication policy

The naming requirements are as follows:

  • It must be between 3 and 63 characters in length.
  • It can only contain lowercase Latin letters, numbers, and hyphens.
  • It must start with a letter and cannot end with a hyphen.

Labels are key:value pairs you can use to logically group your resources. For more information, see Service resource labels.

Was the article helpful?

Previous
Removing an MFA factor and resetting the verification date
Next
Activating/deactivating an authentication policy
© 2026 Direct Cursus Technology L.L.C.