Multi-factor authentication: MFA_ENROLLMENT parameter values change (Preview)

Attention

This behavior change is in the 2025_06 bundle.

For the current status of the bundle, refer to Bundle History.

This behavior change modifies the possible values of the MFA_ENROLLMENT parameter of authentication policies. This parameter controls who must enroll in multi-factor authentication (MFA).

Before the change:

The MFA_ENROLLMENT parameter has two possible values: OPTIONAL and REQUIRED.

  • OPTIONAL — Users can, but are not required to, enroll in MFA.

  • REQUIRED — All users must enroll in MFA.

After the change:

The MFA_ENROLLMENT parameter has the following possible values:

  • REQUIRED — Human users who are using password or single sign-on (SSO) authentication must enroll in MFA.

  • REQUIRED_PASSWORD_ONLY — All human users who are using password authentication must enroll in MFA. Users using SSO authentication are not required to enroll.

  • REQUIRED_SNOWSIGHT_PASSWORD_ONLY — Human users who are using password authentication to sign in to Snowsight must enroll in MFA. Users who are using password authentication, but are not using Snowsight, aren’t required to enroll in MFA. Users who are using SSO authentication aren’t required to enroll.

If your existing authentication policy had MFA_ENROLLMENT = OPTIONAL, then the parameter is now set to MFA_ENROLLMENT = REQUIRED_SNOWSIGHT_PASSWORD_ONLY.

This change helps implement a milestone in the deprecation of single-factor password logins. It works in conjunction with another behavior change in this bundle: Multi-factor authentication: MFA_AUTHENTICATION_METHODS parameter deprecation (Preview).

For detailed information about how the changes in this bundle affect password and SSO authentication for your users based on your current authentication policy, see Upcoming Multi-Factor Authentication (MFA) enforcement for Snowsight logins with single-factor passwords (Knowledge Base article).

Ref: 2097