Managing exceptions to MFA policies
Exceptions prevent an MFA policy from applying to individual users or user groups that belong to the policy's target group. For example, you can exclude robots or an admin group if the policy is assigned to the entire organization. If you later remove these users or groups from the list of exceptions, they will not need to reconfigure authentication.
Updating a list of exceptions
Management console
- Log in to Yandex Identity Hub.
- In the left-hand panel, select Security settings.
- Navigate to the MFA policies tab and select the policy you need from the list. In the window that opens:
    - Navigate to the Exclusions tab.
    - To add a user or user group to the list of exceptions:
        - Click Add exclusion.
        - In the window that opens, select the required user or user group.
        - Click Add.
    - To delete a user or group from the list of exceptions:
        - In the list of users and groups, open the menu next to the user or user group and select Delete.
        - Confirm the deletion.
CLI
If you do not have the Yandex Cloud CLI yet, install and initialize it.
The folder used by default is the one specified when creating the CLI profile. To change the default folder, use the yc config set folder-id <folder_ID> command. You can also specify a different folder for any command using --folder-name or --folder-id. If you access a resource by its name, the search will be limited to the default folder. If you access a resource by its ID, the search will be global, i.e., through all folders based on access permissions.
- View a list of users or groups subject to the MFA policy:
      yc organization-manager mfa-enforcement list-audience \
        --id <policy_ID>
- View the description of the CLI command for updating a list of exceptions to an MFA policy:
      yc organization-manager mfa-enforcement update-excluded-audience --help
- To add a user or user group to the list of MFA policy exceptions, run this command:
      yc organization-manager mfa-enforcement update-excluded-audience \
        --id <policy_ID> \
        --audience-delta subject-id=<subject_ID>,action=<action>
  Where:
    - --audience-delta: Parameter to edit the list of users/groups in the policy:
        - subject-id: User or group ID.
        - action: Action: action-add to add, action-remove to delete.
  You can specify multiple --audience-delta parameters to add or remove more than one object at a time.
  Result:
      mfa_enforcement_id: bpfjv8qeq4ii********
      effective_deltas:
        - action: ACTION_ADD
          subject_id: aje0j5mts02t********
API
Use the UpdateExcludedAudience REST API method for the MfaEnforcement resource or the MfaEnforcementService/UpdateExcludedAudience gRPC API call.
Viewing a list of exceptions
Management console
- Log in to Yandex Identity Hub.
- In the left-hand panel, select Security settings.
- Navigate to the MFA policies tab and select the policy you need from the list.
- In the window that opens, navigate to the Exclusions tab and view the list of users and groups excluded from the policy.
CLI
If you do not have the Yandex Cloud CLI yet, install and initialize it.
The folder used by default is the one specified when creating the CLI profile. To change the default folder, use the yc config set folder-id <folder_ID> command. You can also specify a different folder for any command using --folder-name or --folder-id. If you access a resource by its name, the search will be limited to the default folder. If you access a resource by its ID, the search will be global, i.e., through all folders based on access permissions.
- View the list of users or groups excluded from the MFA policy:
      yc organization-manager mfa-enforcement list-excluded-audience \
        --id <policy_ID>
  Result:
      +----------------------+---------------+
      |          ID          |     TYPE      |
      +----------------------+---------------+
      | aje0j5mts02t******** | federatedUser |
      +----------------------+---------------+
API
Use the ListExcludedAudience REST API method for the MfaEnforcement resource or the MfaEnforcementService/ListExcludedAudience gRPC API call.
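Every MFA exclusion is a gap in the policy, so a practitioner normally keeps an approved list of exclusions with a justification for each and periodically checks the policy against it. The script below is an added example, not part of the Yandex Cloud documentation or CLI: it parses the output of `list-excluded-audience` and compares it with a local approved list, reporting exclusions nobody approved and approvals that are no longer in effect, and it assembles the `update-excluded-audience` command (one `--audience-delta` per subject, as described in the updating section) needed to remove the unapproved ones. It assumes the command is run with `--format json` and that each entry then carries `id` and `type` fields matching the ID and TYPE columns of the table output; the subject and policy IDs in the sample data are constructed.

```python
"""Audit MFA-policy exclusions against an approved list (added example)."""
from __future__ import annotations

import json
from typing import Iterable

# Constructed sample output of
#   yc organization-manager mfa-enforcement list-excluded-audience --id <policy_ID> --format json
# The "id"/"type" field names are an assumption based on the ID/TYPE table columns.
SAMPLE_EXCLUDED_JSON = json.dumps([
    {"id": "aje0exampleadmin0001", "type": "federatedUser"},
    {"id": "aje0exampleadmin0002", "type": "federatedUser"},
    {"id": "aje0examplerobot0003", "type": "federatedUser"},
])

# Constructed approved list: subject ID -> justification kept in change control.
APPROVED_EXCLUSIONS = {
    "aje0exampleadmin0001": "break-glass admin account, ticket SEC-0001 (placeholder)",
    "aje0examplerobot0003": "automation robot with no interactive login (placeholder)",
    "aje0exampleretired04": "former contractor, approval should have been revoked (placeholder)",
}

POLICY_ID = "bpfjv8qeq4ii00example"  # constructed placeholder policy ID


def parse_excluded_audience(raw_json: str) -> dict[str, str]:
    """Map subject ID -> subject type from the CLI's JSON output."""
    subjects: dict[str, str] = {}
    for entry in json.loads(raw_json):
        subjects[entry["id"]] = entry.get("type", "unknown")
    return subjects


def audit_exclusions(current: dict[str, str], approved: dict[str, str]) -> dict[str, list[str]]:
    """Report subjects excluded without approval and approvals that no longer match an exclusion."""
    unapproved = sorted(sid for sid in current if sid not in approved)
    stale = sorted(sid for sid in approved if sid not in current)
    return {"unapproved": unapproved, "stale_approvals": stale}


def build_update_command(policy_id: str, remove: Iterable[str], add: Iterable[str] = ()) -> list[str]:
    """Build argv for update-excluded-audience, one --audience-delta per subject.

    The command is returned, not executed, so the operator can review it first.
    """
    argv = ["yc", "organization-manager", "mfa-enforcement",
            "update-excluded-audience", "--id", policy_id]
    for sid in remove:
        argv += ["--audience-delta", f"subject-id={sid},action=action-remove"]
    for sid in add:
        argv += ["--audience-delta", f"subject-id={sid},action=action-add"]
    return argv


def main() -> None:
    current = parse_excluded_audience(SAMPLE_EXCLUDED_JSON)
    findings = audit_exclusions(current, APPROVED_EXCLUSIONS)
    for sid in findings["unapproved"]:
        print(f"UNAPPROVED exclusion: {sid} ({current[sid]})")
    for sid in findings["stale_approvals"]:
        print(f"STALE approval (no longer excluded): {sid}")
    if findings["unapproved"]:
        print("Suggested remediation command:")
        print(" ".join(build_update_command(POLICY_ID, findings["unapproved"])))


if __name__ == "__main__":
    main()
```

In practice the JSON would be read from the real command rather than the embedded sample, and the approved list would live in version control so that each exclusion has a reviewable history.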