Authentication policy commands: Deprecate MFA_AUTHENTICATION_METHODS property (Pending)

Attention

This behavior change is in the 2025_04 bundle.

For the current status of the bundle, refer to Bundle History.

The CREATE/ALTER/DESCRIBE AUTHENTICATION POLICY commands behave as follows:

Before the change:
  • Use the MFA_AUTHENTICATION_METHODS property to specify which authentication methods can be used.

  • By default, when no authentication policy is set, Snowflake enforces MFA on password and SSO logins.

After the change:
  • The MFA_AUTHENTICATION_METHODS property is deprecated. Setting the MFA_AUTHENTICATION_METHODS property returns an error.

  • By default, when no authentication policy is set, Snowflake only enforces MFA on password logins and not on SSO logins.

  • A new MFA_POLICY property is available with an ENFORCE_MFA_ON_EXTERNAL_AUTHENTICATION option, which accepts ALL or NONE as values.

    • NONE (Default): Snowflake doesn’t require MFA for external authentication.

    • ALL: Snowflake requires MFA for external authentication. Snowflake requires users that aren’t enrolled in MFA to enroll the next time they log in to Snowsight. For more information about MFA enrollment requirements in Snowsight, see BCR-1972.

  • Authentication policies with the MFA_AUTHENTICATION_METHODS specified return a deprecation message under the DESCRIPTION column in the output of a DESCRIBE AUTHENTICATION POLICY command.

  • Behavior impact of existing authentication policies:

    • If you set the MFA_AUTHENTICATION_METHODS property to [PASSWORD, SAML] for your authentication policy, then Snowflake sets the new ENFORCE_MFA_ON_EXTERNAL_AUTHENTICATION property to ALL.

    • If you set the MFA_AUTHENTICATION_METHODS property to [PASSWORD], then Snowflake sets the new ENFORCE_MFA_ON_EXTERNAL_AUTHENTICATION property to NONE.

If no value is specified for MFA_POLICY, then the behavior of the authentication policy falls back to the behavior of the original MFA_AUTHENTICATION_METHODS property.

See the following example of how to use the new MFA_POLICY property and its ENFORCE_MFA_ON_EXTERNAL_AUTHENTICATION option when creating an authentication policy:

CREATE AUTHENTICATION POLICY my_auth_policy
  MFA_POLICY = (ENFORCE_MFA_ON_EXTERNAL_AUTHENTICATION='ALL')
  ...
Copy

Ref: 1971