
Tenant MFA Policy Management


Category: Management
Last Updated: Jun 25, 2026
Tags: management, compliance

Overview

Some organisations require phishing-resistant MFA for every user. Others rely on an external identity provider and need the platform to verify that the upstream sign-in included a fresh MFA assertion. Multi-tenant deployments also need a way to make limited exemptions without weakening platform-wide security controls.

The Tenant MFA Policy Management module lets authorised administrators configure organisation-level MFA requirements, including platform-enforced MFA, external identity-provider MFA, and controlled exemptions. Platform-level mandates always take precedence; within those bounds, tenant policy determines which proof is accepted, when enforcement happens, and what audit evidence is kept for each organisation.

Key Features

  • Organisation-Level Policy Selector: Tenant administrators can choose the MFA posture that matches their identity model and compliance obligations.

  • Platform Mandate Protection: Central security requirements cannot be weakened by tenant-level configuration, ensuring emergency or high-risk mandates still apply.

  • External IdP MFA Recognition: Federated sign-ins can satisfy tenant policy when the identity provider supplies acceptable MFA proof and freshness signals.

  • Controlled Exemptions: Approved exemptions are explicit, auditable, and bounded so temporary operational needs do not become hidden permanent gaps.

  • Role-Gated Administration: Only authorised organisation administrators can change tenant policy, and policy changes are recorded with actor, time, and rationale.

  • Freshness and Assurance Checks: Policy evaluation can take into account when the upstream authentication actually occurred (not merely when the session was created) and whether the asserted assurance level meets the organisation's requirement, so an old or weak sign-in does not satisfy a current MFA policy.

  • User-Facing Enforcement: Users are guided through the correct challenge path for their organisation rather than receiving generic access failures.

Use Cases

  • Government tenant onboarding where one agency requires local platform MFA and another relies on a certified external identity provider.
  • Enterprise SSO enforcement where upstream identity assurance must be recognised without requiring duplicate challenges for every session.
  • Emergency security uplift where platform administrators temporarily require stronger MFA for all tenants after a threat event.
  • Break-glass administration where a tightly controlled exemption keeps operations running while preserving audit evidence.
  • Compliance reporting where organisations need proof of which MFA policy applied to a user session and why access was granted.

Integration

The module works with identity federation, organisation administration, session risk checks, audit logging, and user access enforcement. It records policy changes and sign-in enforcement outcomes without publishing internal authentication implementation details.

Open Standards

  • NIST SP 800-63B: Authentication assurance, authenticator strength, reauthentication, and session freshness concepts guide MFA enforcement.
  • SAML 2.0: Federated identity providers can communicate authentication context for organisations that use SAML-based single sign-on.
  • OpenID Connect 1.0: Federated sign-ins can provide authentication method and assurance information through standard identity claims.
  • OAuth 2.0 (RFC 6749): Delegated access and token issuance follow the OAuth 2.0 authorisation framework.
  • WebAuthn / FIDO2: Phishing-resistant authenticators can support stronger platform MFA policies where required.
  • TOTP (RFC 6238): Time-based one-time passwords remain available where organisations require broad authenticator compatibility.
  • JSON Web Token (RFC 7519): Signed identity assertions and session claims can carry policy and authentication context.
  • ISO 8601: Policy change, sign-in, challenge, and exemption timestamps use a consistent time format.

Security and Compliance

Tenant policy can raise or specialise authentication requirements, but it cannot override stronger platform mandates. MFA policy changes, sign-in outcomes, exemptions, and failed assertions are audited so administrators can prove how authentication was enforced for each organisation.
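The precedence rule above (tenant policy may raise or specialise, never weaken) together with the freshness, assurance and bounded-exemption checks from Key Features can be expressed as a small policy resolver. The following is an added illustration, not the module's own code, and it makes several assumptions: that the upstream proof arrives as already-verified OIDC claims (`iss`, `sub`, `auth_time`, `amr`, as defined in OpenID Connect Core 1.0 and RFC 8176), that NIST SP 800-63B AAL1..AAL3 is the assurance scale, and that the issuer URL, the amr-to-AAL mapping, the policy values and the sample claims are placeholders constructed for the example.

```python
"""Tenant/platform MFA policy resolution with federated MFA proof checks.

Added illustration, not the product's own code. Assumes verified OIDC
claims (`iss`, `sub`, `auth_time`, `amr`) carry the upstream proof and
that NIST SP 800-63B AAL1..AAL3 is the assurance scale. The issuer URL,
the amr-to-AAL mapping and all sample data below are placeholders.
"""
from dataclasses import dataclass
from datetime import datetime, timezone

PLATFORM_ISSUER = "https://login.platform.example"  # assumed local issuer


@dataclass(frozen=True)
class MfaPolicy:
    min_aal: int               # minimum NIST AAL (1..3)
    max_age: int               # seconds since auth_time before proof is stale
    accept_external_idp: bool  # may a federated MFA proof satisfy the policy?


@dataclass(frozen=True)
class Exemption:
    subject: str
    expires_at: int            # unix seconds: every exemption is time-bounded
    approved_by: str
    reason: str


@dataclass(frozen=True)
class Decision:
    outcome: str               # "allow" or "challenge"
    reason: str


def effective_policy(platform: MfaPolicy, tenant: MfaPolicy) -> MfaPolicy:
    """Tenant policy may raise or specialise requirements but never weaken
    the platform mandate: take the stricter value of every field."""
    return MfaPolicy(
        min_aal=max(platform.min_aal, tenant.min_aal),
        max_age=min(platform.max_age, tenant.max_age),
        accept_external_idp=platform.accept_external_idp and tenant.accept_external_idp,
    )


def assurance_level(amr) -> int:
    """Approximate AAL from `amr` values (assumed mapping, not a certification):
    one factor -> AAL1, two distinct factors -> AAL2, two factors including a
    hardware-backed key ("hwk") -> AAL3."""
    factors = set(amr or [])
    if len(factors) < 2:
        return 1
    return 3 if "hwk" in factors else 2


def _audit(log, now, subject, outcome, reason, **detail):
    """Append an enforcement record with an ISO 8601 UTC timestamp."""
    log.append({"ts": datetime.fromtimestamp(now, tz=timezone.utc).isoformat(),
                "subject": subject, "outcome": outcome, "reason": reason, **detail})


def evaluate_sign_in(policy, claims, now, exemptions, audit) -> Decision:
    """Decide whether a signed-in session satisfies the effective MFA policy.
    `claims` is the verified ID-token payload; signature checks happen earlier."""
    sub = claims["sub"]
    # 1. Exemptions are explicit and bounded: honoured only while unexpired,
    #    and always recorded with approver and rationale.
    for ex in exemptions:
        if ex.subject == sub and now < ex.expires_at:
            _audit(audit, now, sub, "allow", "exemption",
                   approved_by=ex.approved_by, rationale=ex.reason)
            return Decision("allow", "exemption")
    # 2. Federated proof counts only when the effective policy accepts it.
    if claims.get("iss") != PLATFORM_ISSUER and not policy.accept_external_idp:
        _audit(audit, now, sub, "challenge", "platform_mfa_required", iss=claims.get("iss"))
        return Decision("challenge", "platform_mfa_required")
    # 3. Freshness: a missing or stale auth_time never satisfies the policy.
    auth_time = claims.get("auth_time")
    if auth_time is None or now - auth_time > policy.max_age:
        _audit(audit, now, sub, "challenge", "stale_authentication", auth_time=auth_time)
        return Decision("challenge", "stale_authentication")
    # 4. Strength: compare the asserted factors against the required AAL.
    aal = assurance_level(claims.get("amr"))
    if aal < policy.min_aal:
        _audit(audit, now, sub, "challenge", "insufficient_assurance",
               have=aal, need=policy.min_aal)
        return Decision("challenge", "insufficient_assurance")
    _audit(audit, now, sub, "allow", "policy_satisfied", aal=aal)
    return Decision("allow", "policy_satisfied")


# Constructed sample policies: the platform mandates AAL2 and 8-hour freshness.
PLATFORM = MfaPolicy(min_aal=2, max_age=8 * 3600, accept_external_idp=True)
TENANT_LAX = MfaPolicy(min_aal=1, max_age=24 * 3600, accept_external_idp=True)
TENANT_STRICT = MfaPolicy(min_aal=3, max_age=3600, accept_external_idp=False)

if __name__ == "__main__":
    now, log = 1_800_000_000, []
    claims = {"iss": "https://idp.agency.example", "sub": "alice",   # constructed
              "auth_time": now - 600, "amr": ["pwd", "otp"]}
    print(evaluate_sign_in(effective_policy(PLATFORM, TENANT_LAX), claims, now, [], log))
    print(evaluate_sign_in(effective_policy(PLATFORM, TENANT_STRICT), claims, now, [], log))
    print(log)
```

Two design points are worth noting. `effective_policy` takes the stricter value field by field, so a tenant that configures AAL1 and a 24-hour freshness window still ends up with the platform's AAL2 and 8-hour window, while a tenant that configures AAL3 and refuses external IdPs gets exactly that; an emergency platform uplift is just a stricter `PLATFORM` value. Exemptions are checked first but are always expiring and always logged with approver and rationale, which is what turns a break-glass path into audit evidence rather than a hidden permanent gap.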

Last Reviewed: 2026-06-25
Last Updated: 2026-06-25
