Contact UsTry it for free
© 2026 Direct Cursus Technology L.L.C.

Activating or deactivating an MFA policy

Written by
Updated at May 8, 2026

Activating an MFA policy

To activate an inactive MFA policy:

  1. Log in to Yandex Identity Hub.
  2. In the left-hand panel, select Security settings.
  3. Navigate to the MFA policies tab.
  4. In the MFA policy list, click in the policy row and select Activate.
  5. In the window that opens, confirm the operation.

If you do not have the Yandex Cloud CLI yet, install and initialize it.

The folder used by default is the one specified when creating the CLI profile. To change the default folder, use the yc config set folder-id <folder_ID> command. You can also specify a different folder for any command using --folder-name or --folder-id. If you access a resource by its name, the search will be limited to the default folder. If you access a resource by its ID, the search will be global, i.e., through all folders based on access permissions.

  1. See the description of the CLI command for activating an MFA policy:

    yc organization-manager mfa-enforcement activate --help

  2. To activate an MFA policy, run this command:

    yc organization-manager mfa-enforcement activate \
  --id <policy_ID>

    Where --id is the ID of the MFA policy you need to activate.

With Terraform, you can quickly create a cloud infrastructure in Yandex Cloud and manage it using configuration files. These files store the infrastructure description written in HashiCorp Configuration Language (HCL). If you change the configuration files, Terraform automatically detects which part of your configuration is already deployed, and what should be added or removed.

Terraform is distributed under the Business Source License. The Yandex Cloud provider for Terraform is distributed under the MPL-2.0 license.

For more information about the provider resources, see the relevant documentation on the Terraform website or its mirror.

If you do not have Terraform yet, install it and configure the Yandex Cloud provider.

  1. Open the Terraform configuration file and update the status parameter in the yandex_organizationmanager_mfa_enforcement resource:

    resource "yandex_organizationmanager_mfa_enforcement" "example_mfa_policy" {
  name            = "<policy_name>"
  organization_id = "<organization_ID>"
  acr_id          = "<authentication_factor_type>"
  ttl             = "<lifetime>"
  status          = "MFA_ENFORCEMENT_STATUS_ACTIVE"
  apply_at        = "<activation_time>"
  enroll_window   = "<creation_deadline>"
  description     = "<policy_description>"
}

    Where status is the policy status: MFA_ENFORCEMENT_STATUS_ACTIVE to activate the policy. This is an optional setting.

    For more information about the yandex_organizationmanager_mfa_enforcement properties, see this provider guide.

  2. Apply the changes:

    1. In the terminal, navigate to the configuration file directory.

    2. Make sure the configuration is correct using this command:

      terraform validate

      If the configuration is valid, you will get this message:

      Success! The configuration is valid.

    3. Run this command:

      terraform plan

      You will see a list of resources and their properties. No changes will be made at this step. Terraform will show any errors in the configuration.

    4. Apply the configuration changes:

      terraform apply

    5. Type yes and press Enter to confirm the changes.

    Terraform will activate the MFA policy. You can check the MFA policy update using the Cloud Center UI or this CLI command:

    yc organization-manager mfa-enforcement get <policy_ID>

Use the Activate REST API method for the MfaEnforcement resource or the MfaEnforcementService/Activate gRPC API call.

As a result, the MFA policy will be activated and switch to the Active status, and users with accounts added to the policy's target groups will be required to use an additional authentication factor.

Deactivating an MFA policy

To temporarily deactivate an MFA policy:

  1. Log in to Yandex Identity Hub.
  2. In the left-hand panel, select Security settings.
  3. Navigate to the MFA policies tab.
  4. In the MFA policy list, click in the policy row and select Suspend.
  5. In the window that opens, confirm the operation.

  1. See the description of the CLI command for deactivating an MFA policy:

    yc organization-manager mfa-enforcement deactivate --help

  2. To deactivate an MFA policy, run this command:

    yc organization-manager mfa-enforcement deactivate \
  --id <policy_ID>

    Where --id is the ID of the MFA policy you need to deactivate.

With Terraform, you can quickly create a cloud infrastructure in Yandex Cloud and manage it using configuration files. These files store the infrastructure description written in HashiCorp Configuration Language (HCL). If you change the configuration files, Terraform automatically detects which part of your configuration is already deployed, and what should be added or removed.

Terraform is distributed under the Business Source License. The Yandex Cloud provider for Terraform is distributed under the MPL-2.0 license.

For more information about the provider resources, see the relevant documentation on the Terraform website or its mirror.

If you do not have Terraform yet, install it and configure the Yandex Cloud provider.

  1. Open the Terraform configuration file and update the status parameter in the yandex_organizationmanager_mfa_enforcement resource:

    resource "yandex_organizationmanager_mfa_enforcement" "example_mfa_policy" {
  name            = "<policy_name>"
  organization_id = "<organization_ID>"
  acr_id          = "<authentication_factor_type>"
  ttl             = "<lifetime>"
  status          = "MFA_ENFORCEMENT_STATUS_INACTIVE"
  apply_at        = "<activation_time>"
  enroll_window   = "<creation_deadline>"
  description     = "<policy_description>"
}

    Where status is the policy status: MFA_ENFORCEMENT_STATUS_INACTIVE to deactivate the policy. This is an optional setting.

    For more information about the yandex_organizationmanager_mfa_enforcement properties, see this provider guide.

  2. Apply the changes:

    1. In the terminal, navigate to the configuration file directory.

    2. Make sure the configuration is correct using this command:

      terraform validate

      If the configuration is valid, you will get this message:

      Success! The configuration is valid.

    3. Run this command:

      terraform plan

      You will see a list of resources and their properties. No changes will be made at this step. Terraform will show any errors in the configuration.

    4. Apply the configuration changes:

      terraform apply

    5. Type yes and press Enter to confirm the changes.

    Terraform will deactivate the MFA policy. You can check the MFA policy update using the Cloud Center UI or this CLI command:

    yc organization-manager mfa-enforcement get <policy_ID>

Use the Deactivate REST API method for the MfaEnforcement resource or the MfaEnforcementService/Deactivate gRPC API call.

As a result, the MFA policy will be deactivated and switch to the Inactive status, while users whose accounts belong to the policy's target groups will no longer be required to use an additional authentication factor.

If you need to temporarily exclude specific users or groups from the policy without deactivating it completely, use MFA policy exceptions.

See also

Previous
Updating an MFA policy
Next
Deleting an MFA policy