Authentication policy commands: Deprecate MFA_AUTHENTICATION_METHODS property (Postponed)

Attention

This behavior change is in the 2025_04 bundle.

For the current status of the bundle, refer to Bundle History.

Attention

This behavior change has been temporarily removed from the 2025_04 bundle and cannot be enabled. It is scheduled to be added back to the 2025_04 bundle before the bundle is enabled by default.

Using the ENFORCE_MFA_ON_EXTERNAL_AUTHENTICATION option before it is enabled will result in an unsupported feature error. Please continue using the existing MFA_AUTHENTICATION_METHODS option, as described in Multi-factor authentication (MFA), until the new option is enabled.

The CREATE/ALTER/DESCRIBE AUTHENTICATION POLICY commands behave as follows:

Before the change:
  • Use the MFA_AUTHENTICATION_METHODS property to specify which authentication methods can be used.

  • By default, when no authentication policy is set, Snowflake enforces MFA on password and SSO logins.

After the change:
  • The MFA_AUTHENTICATION_METHODS property is deprecated. Setting the MFA_AUTHENTICATION_METHODS property returns an error.

  • By default, when no authentication policy is set, Snowflake only enforces MFA on password logins and not on SSO logins.

  • A new MFA_POLICY property is available with an ENFORCE_MFA_ON_EXTERNAL_AUTHENTICATION option, which accepts ALL or NONE as values.

    • NONE (Default): Snowflake doesn’t require MFA for external authentication.

    • ALL: Snowflake requires MFA for external authentication. Snowflake requires users that aren’t enrolled in MFA to enroll the next time they log in to Snowsight. For more information about MFA enrollment requirements in Snowsight, see BCR-1972.

  • Authentication policies that specify the MFA_AUTHENTICATION_METHODS property return a deprecation message in the DESCRIPTION column of the DESCRIBE AUTHENTICATION POLICY output.

  • Behavior impact of existing authentication policies:

    • If you set the MFA_AUTHENTICATION_METHODS property to [PASSWORD, SAML] for your authentication policy, then Snowflake sets the new ENFORCE_MFA_ON_EXTERNAL_AUTHENTICATION property to ALL.

    • If you set the MFA_AUTHENTICATION_METHODS property to [PASSWORD], then Snowflake sets the new ENFORCE_MFA_ON_EXTERNAL_AUTHENTICATION property to NONE.

If no value is specified for MFA_POLICY, then the behavior of the authentication policy falls back to the behavior of the original MFA_AUTHENTICATION_METHODS property.

See the following example of how to use the new MFA_POLICY property and its ENFORCE_MFA_ON_EXTERNAL_AUTHENTICATION option when creating an authentication policy:

CREATE AUTHENTICATION POLICY my_auth_policy
  MFA_POLICY = (ENFORCE_MFA_ON_EXTERNAL_AUTHENTICATION='ALL')
  ...
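
The following is an added example, not Snowflake's own code. It applies the before/after rules above to a constructed inventory and reports where MFA on SSO logins is lost after the change, along with the statement to run once the new option is enabled. The subject and policy names are hypothetical. The ALTER ... SET form is assumed from standard Snowflake syntax, since this page shows only CREATE.

```python
# Added example. Subjects and policy names are constructed sample data.
OPTION = "ENFORCE_MFA_ON_EXTERNAL_AUTHENTICATION"

def derived_option(mfa_methods):
    """Value Snowflake derives from an existing MFA_AUTHENTICATION_METHODS
    list, using only the two mappings stated on this page."""
    methods = {m.upper() for m in mfa_methods}
    if methods == {"PASSWORD", "SAML"}:
        return "ALL"
    if methods == {"PASSWORD"}:
        return "NONE"
    raise ValueError(f"no mapping stated for {sorted(methods)}")

def sso_mfa_required(policy, after_change):
    """True if MFA is required on SSO logins. policy is None when no
    authentication policy is set; otherwise a dict describing one policy."""
    if policy is None:
        # Default: password and SSO before the change, password only after.
        return not after_change
    if policy.get("mfa_policy"):
        return policy["mfa_policy"] == "ALL"
    # No MFA_POLICY value: behavior falls back to the old property.
    return derived_option(policy["mfa_methods"]) == "ALL"

def review(subjects):
    """Map each subject to (finding, SQL to run once the option is enabled)."""
    report = {}
    for name, policy in subjects.items():
        lost = (sso_mfa_required(policy, False)
                and not sso_mfa_required(policy, True))
        if policy is None:
            # Hypothetical policy name; other properties omitted as on the page.
            sql = (f"CREATE AUTHENTICATION POLICY {name}_mfa "
                   f"MFA_POLICY = ({OPTION}='ALL')")
        elif policy.get("mfa_methods") and not policy.get("mfa_policy"):
            value = derived_option(policy["mfa_methods"])
            sql = (f"ALTER AUTHENTICATION POLICY {policy['name']} "
                   f"SET MFA_POLICY = ({OPTION}='{value}')")
        else:
            sql = None
        finding = "SSO MFA lost" if lost else ("deprecated property" if sql else "ok")
        report[name] = (finding, sql)
    return report

SUBJECTS = {  # constructed inventory
    "account": None,  # no authentication policy set
    "svc_role": {"name": "p_strict", "mfa_methods": ["PASSWORD", "SAML"]},
    "analysts": {"name": "p_pw", "mfa_methods": ["password"]},
    "admins": {"name": "p_new", "mfa_policy": "ALL"},
}
```

Only the subject with no policy loses MFA on SSO logins; policies that already list [PASSWORD, SAML] keep it through the derived ALL value.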

Ref: 1971