Contact UsTry it for free
© 2025 Direct Cursus Technology L.L.C.

Applying an MFA policy to users

Written by
Updated at November 29, 2025

Note

This feature is at the Preview stage.

For an MFA policy to apply to user accounts, you need to explicitly add the relevant users or the groups they are members of to the policy's target groups.

  1. Log in to Yandex Identity Hub.

  2. In the left-hand panel, select Security settings.

  3. Navigate to the MFA policies tab and select the policy you need from the list. In the window that opens, do the following:

    1. Navigate to the Users and groups tab.

    2. To add a new user or group to the policy's target groups:

      1. Click Add users.
      2. In the window that opens, select the required user or user group.
      3. Click Add.

    3. To delete a user or group from the policy:

      1. In the list of users and groups, click and select Delete next to the user or user group.
      2. Confirm the deletion.

If you do not have the Yandex Cloud CLI installed yet, install and initialize it.

By default, the CLI uses the folder specified when creating the profile. To change the default folder, use the yc config set folder-id <folder_ID> command. You can also set a different folder for any specific command using the --folder-name or --folder-id parameter.

  1. View a list of users or groups subject to the MFA policy:

    yc organization-manager mfa-enforcement list-audience \
  --id <policy_ID>

  2. See the description of the CLI command for changing the list of users or groups subject to the MFA policy:

    yc organization-manager mfa-enforcement update-audience --help

  3. To add users or groups to the MFA policy, or to remove them from it, run this command:

    yc organization-manager mfa-enforcement update-audience \
  --id <policy_ID> \
  --audience-delta subject-id=<subject_ID>,action=<action>

    Where:

    • --audience-delta: Parameter to edit the list of users/groups in the policy:
      • subject-id: User or group ID.
      • action: Action, action-add to add, action-remove to delete.

    You can specify multiple --audience-delta parameters to edit more than one object at the same time.

Note

You can add any type of user accounts to the MFA policy target groups, but the policy will only apply to federated and local user accounts.

If a group added to an MFA policy includes users with different account types, the policy will only apply to users with federated and local accounts.

See also

Previous
Creating an MFA policy
Next
Updating an MFA policy