Enforce Multi-factor Authentication for Organization Members
To enforce Multi-factor Authentication (MFA) for organization members, you can manage an identity provider such as Okta or Auth0 through Pulumi infrastructure as code. The following example shows how to enforce MFA in Okta using Pulumi with TypeScript.
First, we need to define an MFA policy in Okta. This is done with the `okta.policy.Mfa` resource, which lets you specify the rules and conditions under which MFA is required. Here is how you would enforce MFA for an organization using Okta and Pulumi:
```typescript
import * as pulumi from "@pulumi/pulumi";
import * as okta from "@pulumi/okta";

// Look up Okta's built-in "Everyone" group so both policies target all users
const everyone = okta.group.getGroup({ name: "Everyone" });
const everyoneId = everyone.then(g => g.id);

// Create a new MFA (enrollment) policy: which factors users must enroll in
const mfaPolicy = new okta.policy.Mfa("mfaPolicy", {
    name: "MFARequiredPolicy",
    status: "ACTIVE", // Make sure the policy is active
    priority: 1,      // Priority (lower number means higher priority)
    // Define the types of MFA available in this policy.
    // For simplicity, we only enforce Okta Verify here.
    // You can add other factors (oktaSms, oktaCall, fidoWebauthn, ...) the same way.
    oktaVerify: {
        enroll: "REQUIRED",
    },
    groupsIncludeds: [everyoneId],
    // On an Okta Identity Engine tenant, also set isOie: true
});

// Policy rules are separate resources: this rule prompts for enrollment at sign-in
const mfaRule = new okta.policy.RuleMfa("mfaRule", {
    policyId: mfaPolicy.id,
    name: "Require MFA for all users",
    status: "ACTIVE",
    priority: 1,
    enroll: "LOGIN", // Prompt for enrollment at the next login (alternatives: CHALLENGE, NEVER)
});

// The MFA challenge itself and session lifetimes are governed by a sign-on policy
const signonPolicy = new okta.policy.Signon("signonPolicy", {
    name: "MFARequiredSignOn",
    status: "ACTIVE",
    priority: 1,
    groupsIncludeds: [everyoneId],
});

const signonRule = new okta.policy.RuleSignon("signonRule", {
    policyId: signonPolicy.id,
    name: "Prompt MFA for all users",
    status: "ACTIVE",
    priority: 1,
    access: "ALLOW",
    mfaRequired: true,    // Always challenge for MFA; the prompt is not optional
    mfaPrompt: "SESSION", // Prompt once per session
    sessionLifetime: 720, // Minutes before the session expires and MFA is required again
    sessionIdle: 120,     // Minutes of inactivity before the session expires
});

// Export the policy and rule IDs
export const mfaPolicyId = mfaPolicy.id;
export const mfaRuleId = mfaRule.id;
export const signonRuleId = signonRule.id;
```

In the code above:
- We import the Pulumi and Okta modules needed to manage resources in Okta.
- We look up Okta's built-in Everyone group so that the policies apply to all users.
- We create a new MFA policy called `mfaPolicy` using `okta.policy.Mfa`. Within this resource:
  - `name` gives a name to our policy.
  - `status` sets the policy status to "ACTIVE", which is required for the policy to be enforced.
  - `priority` sets the importance of this policy over others (lower value means higher importance).
  - `oktaVerify` indicates that Okta Verify is the factor users must enroll in. Other factors can be added here as well.
  - `groupsIncludeds` assigns the policy to the Everyone group.
- `okta.policy.RuleMfa` is where we define how and when MFA enrollment applies to users. We create a single rule, "Require MFA for all users", that applies to all active users and prompts for enrollment at login.
- The sign-on policy and its `okta.policy.RuleSignon` rule require MFA at least every 720 minutes of session, or after 120 minutes of inactivity; `mfaRequired` makes the MFA challenge mandatory rather than optional.
With the MFA policy created and active, all users covered by the policy will now be required to enroll in and use Multi-factor Authentication according to the policy rules you've defined.
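Enforcement only holds while the deployed policy keeps the settings above; an administrator deactivating the policy in the admin console, downgrading Okta Verify to optional, or excluding users from the rule silently weakens it. The following added example (not part of the original page or the Pulumi Okta provider) audits an MFA enrollment policy and its rules for such drift; the inputs are constructed samples shaped like the Okta Policies API responses (GET /api/v1/policies?type=MFA_ENROLL and .../rules), and the ids in them are made up.

```typescript
// Constructed sample in the shape of Okta's MFA_ENROLL policy and rule objects;
// the ids and values are made up for this example.
interface MfaPolicy {
    status: string;
    settings: { factors: Record<string, { enroll: { self: string } }> };
}
interface MfaRule {
    status: string;
    conditions: { people?: { users?: { exclude?: string[] } } };
    actions: { enroll: { self: string } };
}

const policy: MfaPolicy = {
    status: "ACTIVE",
    settings: { factors: { okta_verify: { enroll: { self: "REQUIRED" } } } },
};
const rules: MfaRule[] = [
    { status: "ACTIVE", conditions: { people: { users: { exclude: [] } } }, actions: { enroll: { self: "LOGIN" } } },
];

// Returns every way the deployed policy falls short of "MFA enrollment required for everyone".
function auditMfaEnforcement(p: MfaPolicy, rs: MfaRule[]): string[] {
    const findings: string[] = [];
    if (p.status !== "ACTIVE") findings.push("policy is not ACTIVE");
    const required = Object.entries(p.settings.factors).filter(([, f]) => f.enroll.self === "REQUIRED");
    if (required.length === 0) findings.push("no factor is REQUIRED; enrollment is optional");
    const active = rs.filter(r => r.status === "ACTIVE");
    if (active.length === 0) findings.push("no ACTIVE rule; the policy never applies");
    for (const r of active) {
        if (r.actions.enroll.self === "NEVER") findings.push("an active rule sets enroll to NEVER");
        const excluded = r.conditions.people?.users?.exclude ?? [];
        if (excluded.length > 0) findings.push(`rule excludes ${excluded.length} user(s) from enrollment`);
    }
    return findings;
}

// A weakened copy: policy deactivated in the console and one (made-up) user excluded from the rule.
const weakenedPolicy: MfaPolicy = { ...policy, status: "INACTIVE" };
const weakenedRules: MfaRule[] = [
    { ...rules[0], conditions: { people: { users: { exclude: ["00u_example_excluded_user"] } } } },
];

console.log("healthy:", auditMfaEnforcement(policy, rules));          // []
console.log("weakened:", auditMfaEnforcement(weakenedPolicy, weakenedRules)); // two findings
```

Run it against the live objects fetched with an Okta API token after each `pulumi up`, or on a schedule, to catch changes made outside of Pulumi.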
You need to configure Pulumi to work with the Okta provider, which includes creating an Okta API token and providing it to Pulumi along with your org name and base URL (for example with `pulumi config set okta:apiToken --secret`, so the token is stored encrypted rather than in plain text). Consult the Okta provider documentation for additional details on configuration and policy management.
By setting up the policy as described, you enforce stronger security measures for your organization members' access and authentication, adding an additional layer of protection against unauthorized access.