Authentication policy commands: Deprecate MFA_AUTHENTICATION_METHODS property (Preview)

Attention

This behavior change is in the 2025_04 bundle.

For the current status of the bundle, refer to Bundle History.

The CREATE/ALTER/DESCRIBE AUTHENTICATION POLICY commands behave as follows:

Before the change:

  • Use the MFA_AUTHENTICATION_METHODS property to specify which authentication methods can be used.

  • By default, when no authentication policy is set, MFA is enforced for password and SSO logins.

After the change:

  • The MFA_AUTHENTICATION_METHODS property is deprecated. Setting the MFA_AUTHENTICATION_METHODS property returns an error.

  • By default, when no authentication policy is set, MFA is enforced only for password logins and not enforced for SSO logins.

  • A new MFA_POLICY property is available with an ENFORCE_MFA_ON_EXTERNAL_AUTHENTICATION option, which accepts ALL or NONE as values.

  • Authentication policies with the MFA_AUTHENTICATION_METHODS specified return a deprecation message under the DESCRIPTION column in the output of a DESCRIBE AUTHENTICATION POLICY command.

If no value is specified for MFA_POLICY, then the behavior of the authentication policy falls back to the behavior of the original MFA_AUTHENTICATION_METHODS property.

The behavior of existing authentication policies does not change. Only the behavior of new authentication policies changes.

See the following example of how to use the new MFA_POLICY property and its ENFORCE_MFA_ON_EXTERNAL_AUTHENTICATION option when creating an authentication policy:

CREATE AUTHENTICATION POLICY my_auth_policy
  MFA_POLICY = (ENFORCE_MFA_ON_EXTERNAL_AUTHENTICATION='ALL')
  ...
Copy

Ref: 1971

Language: English