Contact UsTry it for free
© 2026 Direct Cursus Technology L.L.C.

Activating or deactivating an MFA policy

Written by
Updated at March 5, 2026

Activating an MFA policy

To activate an inactive MFA policy:

  1. Log in to Yandex Identity Hub.
  2. In the left-hand panel, select Security settings.
  3. Navigate to the MFA policies tab.
  4. In the MFA policy list, click in the policy row and select Activate.
  5. In the window that opens, confirm the operation.

If you do not have the Yandex Cloud CLI installed yet, install and initialize it.

By default, the CLI uses the folder specified when creating the profile. To change the default folder, use the yc config set folder-id <folder_ID> command. You can also set a different folder for any specific command using the --folder-name or --folder-id options.

  1. See the description of the CLI command for activating an MFA policy:

    yc organization-manager mfa-enforcement activate --help

  2. To activate an MFA policy, run this command:

    yc organization-manager mfa-enforcement activate \
  --id <policy_ID>

    Where --id is the ID of the MFA policy you need to activate.

With Terraform, you can quickly create a cloud infrastructure in Yandex Cloud and manage it using configuration files. These files store the infrastructure description written in HashiCorp Configuration Language (HCL). If you change the configuration files, Terraform automatically detects which part of your configuration is already deployed, and what should be added or removed.

Terraform is distributed under the Business Source License. The Yandex Cloud provider for Terraform is distributed under the MPL-2.0 license.

For more information about the provider resources, see the relevant documentation on the Terraform website or its mirror.

If you do not have Terraform yet, install it and configure the Yandex Cloud provider.

  1. Open the Terraform configuration file and update the status parameter in the yandex_organizationmanager_mfa_enforcement resource:

    resource "yandex_organizationmanager_mfa_enforcement" "example_mfa_policy" {
  name            = "<policy_name>"
  organization_id = "<organization_ID>"
  acr_id          = "<authentication_factor_type>"
  ttl             = "<lifetime>"
  status          = "MFA_ENFORCEMENT_STATUS_ACTIVE"
  apply_at        = "<activation_time>"
  enroll_window   = "<creation_deadline>"
  description     = "<policy_description>"
}

    Where status is the policy status: MFA_ENFORCEMENT_STATUS_ACTIVE to activate the policy. This is an optional parameter.

    For more information about yandex_organizationmanager_mfa_enforcement properties, see this provider guide.

  2. Apply the changes:

    1. In the terminal, go to the directory where you edited the configuration file.

    2. Make sure the configuration file is correct using this command:

      terraform validate

      If the configuration is correct, you will get this message:

      Success! The configuration is valid.

    3. Run this command:

      terraform plan

      You will see a detailed list of resources. No changes will be made at this step. If the configuration contains any errors, Terraform will show them.

    4. Apply the changes:

      terraform apply

    5. Type yes and press Enter to confirm the changes.

    Terraform will activate the MFA policy. You can check the MFA policy update using the Cloud Center UI or this CLI command:

    yc organization-manager mfa-enforcement get <policy_ID>

Use the Activate REST API method for the MfaEnforcement resource or the MfaEnforcementService/Activate gRPC API call.

As a result, the MFA policy will be activated and switch to the Active status, and users with accounts added to the policy's target groups will be required to use an additional authentication factor.

Deactivating an MFA policy

To temporarily deactivate an MFA policy:

  1. Log in to Yandex Identity Hub.
  2. In the left-hand panel, select Security settings.
  3. Navigate to the MFA policies tab.
  4. In the MFA policy list, click in the policy row and select Suspend.
  5. In the window that opens, confirm the operation.

  1. See the description of the CLI command for deactivating an MFA policy:

    yc organization-manager mfa-enforcement deactivate --help

  2. To deactivate an MFA policy, run this command:

    yc organization-manager mfa-enforcement deactivate \
  --id <policy_ID>

    Where --id is the ID of the MFA policy you need to deactivate.

With Terraform, you can quickly create a cloud infrastructure in Yandex Cloud and manage it using configuration files. These files store the infrastructure description written in HashiCorp Configuration Language (HCL). If you change the configuration files, Terraform automatically detects which part of your configuration is already deployed, and what should be added or removed.

Terraform is distributed under the Business Source License. The Yandex Cloud provider for Terraform is distributed under the MPL-2.0 license.

For more information about the provider resources, see the relevant documentation on the Terraform website or its mirror.

If you do not have Terraform yet, install it and configure the Yandex Cloud provider.

  1. Open the Terraform configuration file and update the status parameter in the yandex_organizationmanager_mfa_enforcement resource:

    resource "yandex_organizationmanager_mfa_enforcement" "example_mfa_policy" {
  name            = "<policy_name>"
  organization_id = "<organization_ID>"
  acr_id          = "<authentication_factor_type>"
  ttl             = "<lifetime>"
  status          = "MFA_ENFORCEMENT_STATUS_INACTIVE"
  apply_at        = "<activation_time>"
  enroll_window   = "<creation_deadline>"
  description     = "<policy_description>"
}

    Where status is the policy status: MFA_ENFORCEMENT_STATUS_INACTIVE to deactivate the policy. This is an optional parameter.

    For more information about yandex_organizationmanager_mfa_enforcement properties, see this provider guide.

  2. Apply the changes:

    1. In the terminal, go to the directory where you edited the configuration file.

    2. Make sure the configuration file is correct using this command:

      terraform validate

      If the configuration is correct, you will get this message:

      Success! The configuration is valid.

    3. Run this command:

      terraform plan

      You will see a detailed list of resources. No changes will be made at this step. If the configuration contains any errors, Terraform will show them.

    4. Apply the changes:

      terraform apply

    5. Type yes and press Enter to confirm the changes.

    Terraform will deactivate the MFA policy. You can check the MFA policy update using the Cloud Center UI or this CLI command:

    yc organization-manager mfa-enforcement get <policy_ID>

Use the Deactivate REST API method for the MfaEnforcement resource or the MfaEnforcementService/Deactivate gRPC API call.

As a result, the MFA policy will be deactivated and switch to the Inactive status, while users whose accounts belong to the policy's target groups will no longer be required to use an additional authentication factor.

See also

Previous
Updating an MFA policy
Next
Deleting an MFA policy