Managing exceptions to MFA policies
Exceptions prevent an MFA policy from applying to individual users or user groups added to the policy's target group. If you later remove these users or groups from the exceptions list, they will not need to reconfigure authentication.
Updating a list of exceptions
If you do not have the Yandex Cloud CLI yet, install and initialize it.
The folder used by default is the one specified when creating the CLI profile. To change the default folder, use the yc config set folder-id <folder_ID> command. You can also set a different folder for any specific command using the --folder-name or --folder-id options.
- View a list of users or groups subject to the MFA policy:

    yc organization-manager mfa-enforcement list-audience \
      --id <policy_ID>

- View the description of the CLI command for updating a list of exceptions to an MFA policy:

    yc organization-manager mfa-enforcement update-excluded-audience --help

- To add a user or user group to a list of MFA policy exceptions, run this command:

    yc organization-manager mfa-enforcement update-excluded-audience \
      --id <policy_ID> \
      --audience-delta subject-id=<subject_ID>,action=<action>

  Where:

  - --audience-delta: Parameter to edit the list of users/groups in the policy:
    - subject-id: User or group ID.
    - action: Action: action-add to add, action-remove to delete.

  You can specify multiple --audience-delta parameters to add or remove more than one object at a time.

  Result:

    mfa_enforcement_id: bpfjv8qeq4ii********
    effective_deltas:
      - action: ACTION_ADD
        subject_id: aje0j5mts02t********
Viewing a list of exceptions
If you do not have the Yandex Cloud CLI yet, install and initialize it.
The folder used by default is the one specified when creating the CLI profile. To change the default folder, use the yc config set folder-id <folder_ID> command. You can also set a different folder for any specific command using the --folder-name or --folder-id options.
- View the list of users or groups excluded from the MFA policy:

    yc organization-manager mfa-enforcement list-excluded-audience \
      --id <policy_ID>

  Result:

    +----------------------+---------------+
    |          ID          |     TYPE      |
    +----------------------+---------------+
    | aje0j5mts02t******** | federatedUser |
    +----------------------+---------------+
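As an added example, not part of the Yandex Cloud documentation, the POSIX shell script below parses the list-excluded-audience table shown above, compares it with an approved set of subject IDs, and prints (without running) the update-excluded-audience commands that would remove every exception that is not approved. The policy ID and subject IDs are constructed placeholders, and the action value action-remove is the one documented above.

```shell
#!/bin/sh
# Added example (not from the Yandex Cloud docs): audit an MFA policy's exception
# list against an approved set and emit the yc commands that would remove the rest.
# Assumptions: the table layout printed by `list-excluded-audience` (ID, TYPE);
# POLICY_ID and the subject IDs in SAMPLE_TABLE are constructed placeholders.

POLICY_ID="<policy_ID>"

# Constructed sample of `yc organization-manager mfa-enforcement list-excluded-audience` output
SAMPLE_TABLE='+----------------------+---------------+
|          ID          |     TYPE      |
+----------------------+---------------+
| ajeconstructed0001   | federatedUser |
| ajeconstructed0002   | userAccount   |
+----------------------+---------------+'

# Print one "subject_id type" pair per data row, skipping borders and the header
parse_excluded() {
    printf '%s\n' "$1" | awk -F'|' '
        /^\|/ {
            id = $2; kind = $3
            gsub(/[[:space:]]/, "", id); gsub(/[[:space:]]/, "", kind)
            if (id != "ID") print id, kind
        }'
}

# Print subject IDs present in the table but absent from the approved list
# ($2 is a space-separated list of approved subject IDs)
find_unapproved() {
    parse_excluded "$1" | while read -r id kind; do
        case " $2 " in
            *" $id "*) ;;                 # approved: the exception may stay
            *) printf '%s\n' "$id" ;;     # not approved: report it
        esac
    done
}

# Build (but do not run) the removal command for one unapproved subject
build_remove_cmd() {
    printf 'yc organization-manager mfa-enforcement update-excluded-audience --id %s --audience-delta subject-id=%s,action=action-remove\n' "$1" "$2"
}

# Demo: only the first subject is approved, so the second gets a removal command
for id in $(find_unapproved "$SAMPLE_TABLE" "ajeconstructed0001"); do
    build_remove_cmd "$POLICY_ID" "$id"
done
```

Review the printed commands before running them; removing an exception makes the MFA policy apply to that user or group again.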