Enrollment Policy Factors: User Experience when Set to Disabled
Okta Classic Engine
Multi-Factor Authentication
Okta Identity Engine
Overview

This article explains why users enrolled in a Multi-Factor Authentication (MFA) factor cannot use it for authentication after that factor is set to Disabled in the applicable Enrollment Policy.

Applies To
  • Multi-Factor Authentication (MFA)
  • Enrollment Policies
  • Factors
Cause

The Factor Enrollment Policy controls two distinct functions: it determines which factors users can enroll in and dictates which factors are available for those users to authenticate with. When a factor is set to Disabled, it becomes unavailable for authentication purposes for all users assigned to that policy, even if they were previously enrolled in and using the factor. The user's enrollment in the factor remains, but the ability to use it is removed.

Solution

To allow users to authenticate with the factor again, its status must be changed from Disabled within the Enrollment Policy rule.

  1. From the Admin Console, navigate to Security > Authenticators.

  2. Select the Enrollment tab.

  3. Locate the policy that applies to the affected users and select its Edit button.

  4. Find the specific rule that needs to be modified and select its Edit button.

  5. In the Eligible Authenticators section, find the factor that is disabled.

  6. Change its status from Disabled to either Optional or Required, depending on the security requirement.

  7. Select the Update Policy button to save the changes.
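To find every enrollment policy where a factor is Disabled before working through the console, the check below can be run over exported policy data. It is an added example, not Okta's code. It assumes the policies were retrieved from the Okta Policies API (`GET /api/v1/policies?type=MFA_ENROLL`), where Disabled appears as `enroll.self` set to `NOT_ALLOWED`. The sample policies are constructed.

```python
"""Audit MFA enrollment policies for authenticators set to Disabled (NOT_ALLOWED)."""

# Constructed sample, shaped like a GET /api/v1/policies?type=MFA_ENROLL response.
SAMPLE_POLICIES = [
    {   # Identity Engine shape: a list of authenticators
        "name": "Contractors", "status": "ACTIVE", "priority": 1,
        "settings": {"type": "AUTHENTICATORS", "authenticators": [
            {"key": "okta_verify", "enroll": {"self": "REQUIRED"}},
            {"key": "phone_number", "enroll": {"self": "NOT_ALLOWED"}},
        ]},
    },
    {   # Classic Engine shape: a map of factor name to settings
        "name": "Default Policy", "status": "ACTIVE", "priority": 2,
        "settings": {"factors": {
            "okta_otp": {"enroll": {"self": "OPTIONAL"}},
            "okta_sms": {"enroll": {"self": "NOT_ALLOWED"}},
        }},
    },
    {   # Inactive policies are not evaluated, so they are skipped
        "name": "Old pilot", "status": "INACTIVE", "priority": 3,
        "settings": {"factors": {"okta_sms": {"enroll": {"self": "NOT_ALLOWED"}}}},
    },
]

def enroll_states(policy):
    """Yield (authenticator_key, state) pairs for either policy shape."""
    settings = policy.get("settings") or {}
    for item in settings.get("authenticators") or []:
        yield item.get("key"), (item.get("enroll") or {}).get("self")
    for key, cfg in (settings.get("factors") or {}).items():
        yield key, ((cfg or {}).get("enroll") or {}).get("self")

def disabled_authenticators(policies):
    """Return sorted (priority, policy name, key) for Disabled entries in active policies."""
    findings = []
    for policy in policies:
        if policy.get("status") != "ACTIVE":
            continue
        for key, state in enroll_states(policy):
            if state == "NOT_ALLOWED":
                findings.append((policy.get("priority", 0), policy.get("name"), key))
    return sorted(findings)

if __name__ == "__main__":
    for priority, name, key in disabled_authenticators(SAMPLE_POLICIES):
        print(f"priority {priority}: policy '{name}' disables {key}; "
              "users in scope who enrolled earlier cannot authenticate with it")
```

Each finding names a policy to review in the steps above; users assigned to it who are already enrolled in the listed factor cannot use it at sign-in.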
