Contact UsTry it for free
© 2026 Direct Cursus Technology L.L.C.

Updating an MFA policy

Written by
Updated at March 5, 2026

To update an MFA policy:

  1. Log in to Yandex Identity Hub.

  2. In the left-hand panel, select Security settings.

  3. Navigate to the MFA policies tab.

  4. In the MFA policy list, click in the policy row and select Edit. In the window that opens:

    1. In the Name field, enter a new name for the policy. Follow these naming requirements:

      • It must be from 1 to 63 characters long.
      • It may contain lowercase Latin letters, numbers, and hyphens.
      • It must start with a letter and cannot end with a hyphen.

    2. Optionally, enter a policy description in the Description field.

    3. If required, use Policy active to activate or deactivate the policy.

    4. In the Factor types field, select additional authentication factors required for users from the policy's target groups to verify their identity:

      • Any. This option allows users to select one of the following additional authentication factor standards:

        • WebAuthn (FIDO2). The acceptable additional authentication factors may include hardware keys such as Rutoken or YubiKey, Passkeys authenticators, platform authenticators such as Windows Hello, etc. Learn more about WebAuthn browser and OS compatibility.

          Warning

          Browser extensions with password input control may cause errors when entering additional factors. We recommend disabling such extensions in case of errors.

        • TOTP. This standard enables using one-time codes generated by dedicated authenticator apps as an additional authentication factor.

        • SMS. This standard enables using one-time codes sent via a text message to the specified mobile phone number as an additional authentication factor.

          Note

          SMS as an authentication factor is at the Preview stage and available only to customers with a billable limit of Identity Hub users. To get access, contact support or your account manager.

      • Any (except SMS). This option enforces the WebAuthn or TOTP authentication factors.

      • Phishing-resistant. This option enforces the WebAuthn authentication factors as the most secure ones.

    5. In the Creation deadline field, specify the period in days during which the user must add a second authentication factor after registration.

    6. In the Lifetime field, set the credential validity period, in days.

      Upon expiry of the specified timeout, the user will need to authenticate with the additional factor again.

    7. Click Save.

If you do not have the Yandex Cloud CLI installed yet, install and initialize it.

By default, the CLI uses the folder specified when creating the profile. To change the default folder, use the yc config set folder-id <folder_ID> command. You can also set a different folder for any specific command using the --folder-name or --folder-id options.

  1. View the MFA policy list using this command:

    yc organization-manager mfa-enforcement list \
  --organization-id <organization_ID>

    Where organization_id is the organization ID.

  2. View the description of an MFA policy:

    yc organization-manager mfa-enforcement get \
  --id <policy_ID>

  3. View the description of the update MFA policy CLI command:

    yc organization-manager mfa-enforcement update --help

  4. To update an MFA policy, run this command:

    yc organization-manager mfa-enforcement update \
  --id <policy_ID> \
  --acr-id <authentication_factor_type> \
  --ttl <lifetime> \
  --status <policy_status> \
  --apply-at <time_of_applying_changes> \
  --enroll-window <registration_period> \
  --new-name <new_name> \
  --description <new_description> \
  --organization-id <organization_ID>

    Where:

    • --id: MFA policy ID.

    • --acr-id: Authentication factor type. The possible values are:

      • any-mfa: Authentication factors without security restrictions.

        Note

        SMS as an authentication factor is at the Preview stage and available only to customers with a billable limit of Identity Hub users. To get access, contact support or your account manager.

      • any-except-sms: Only FIDO2 or TOTP factors.

      • phr: Only phishing-resistant FIDO2 factors.

    • --ttl: Credential validity period in days.
    • --status: Policy status, active (status-active) or inactive (status-inactive).
    • --apply-at: Time after which the policy will become active.
    • --enroll-window: Period in days after registration during which the user must add a second authentication factor.
    • --new-name: New policy name.
    • --description: New description.
    • --organization-id: Organization ID.

With Terraform, you can quickly create a cloud infrastructure in Yandex Cloud and manage it using configuration files. These files store the infrastructure description written in HashiCorp Configuration Language (HCL). If you change the configuration files, Terraform automatically detects which part of your configuration is already deployed, and what should be added or removed.

Terraform is distributed under the Business Source License. The Yandex Cloud provider for Terraform is distributed under the MPL-2.0 license.

For more information about the provider resources, see the relevant documentation on the Terraform website or its mirror.

If you do not have Terraform yet, install it and configure the Yandex Cloud provider.

  1. Open the Terraform configuration file and edit the yandex_organizationmanager_mfa_enforcement resource:

    resource "yandex_organizationmanager_mfa_enforcement" "example_mfa_policy" {
  name            = "<new_policy_name>"
  organization_id = "<organization_ID>"
  acr_id          = "<new_authentication_factor_type>"
  ttl             = "<new_lifetime>"
  status          = "<new_policy_status>"
  apply_at        = "<new_activation_time>"
  enroll_window   = "<new_creation_deadline>"
  description     = "<new_policy_description>"
}

    Where:

    • name: Policy name. This is a required parameter. The naming requirements are as follows:

      • It must be from 1 to 63 characters long.
      • It may contain lowercase Latin letters, numbers, and hyphens.
      • It must start with a letter and cannot end with a hyphen.

    • organization_id: Organization ID. This is a required parameter.

    • acr_id: Authentication factor type. This is a required parameter. The possible values are:

      • any-mfa: Authentication factors without security restrictions.
      • any-except-sms: Only FIDO2 or TOTP factors.
      • phr: Only phishing-resistant FIDO2 factors.

    • ttl: Credential validity period in time format, e.g., 336h0m0s for 14 days. This is a required parameter.

    • status: Policy status. This is an optional parameter; the possible values are:

      • MFA_ENFORCEMENT_STATUS_ACTIVE: Active.
      • MFA_ENFORCEMENT_STATUS_INACTIVE: Inactive.

    • apply_at: Time after which the policy will become active, in RFC3339 format, e.g., 2024-12-31T23:59:59Z. This is an optional parameter.

    • --enroll-window: Period of time after registration during which the user must add a second authentication factor. Uses time format, e.g., 720h0m0s for 30 days. This is a required parameter.

    • description: Policy description. This is an optional parameter.

    For more information about yandex_organizationmanager_mfa_enforcement properties, see this provider guide.

  2. Apply the changes:

    1. In the terminal, go to the directory where you edited the configuration file.

    2. Make sure the configuration file is correct using this command:

      terraform validate

      If the configuration is correct, you will get this message:

      Success! The configuration is valid.

    3. Run this command:

      terraform plan

      You will see a detailed list of resources. No changes will be made at this step. If the configuration contains any errors, Terraform will show them.

    4. Apply the changes:

      terraform apply

    5. Type yes and press Enter to confirm the changes.

    Terraform will update the MFA policy. You can check the MFA policy updates using the Cloud Center UI or this CLI command:

    yc organization-manager mfa-enforcement get <policy_ID>

Use the Update REST API method for the MfaEnforcement resource or the MfaEnforcementService/Update gRPC API call.

Note

For an MFA policy to apply to specific user accounts, add the users in question or the groups they are members of to the policy's target groups.

See also

Previous
Applying an MFA policy to users
Next
Activating or deactivating an MFA policy