
# Enforce Org-Level and Root-Level MFA

Privileged accounts, such as organisation owners and root users, are prime targets for unauthorised access. Sprinto monitors whether these critical accounts have Multi-Factor Authentication (MFA) enforced and alerts you if the protection is missing or misconfigured.

This guide explains how to set up and enforce MFA for organisation-wide and root-level accounts on key platforms to meet compliance requirements.

***

#### What is Checked

Sprinto evaluates MFA enforcement at two levels:

* **Org-Level MFA** – Ensures that every member of your organisation on a platform such as GitHub, Okta or Office365 is required to use MFA.
* **Root-Level MFA** – Ensures accounts with the highest privileges (e.g., AWS root user) are protected with MFA.

The monitor will show as **Failing** if:

* Root accounts are active but lack MFA
* Organisation-wide MFA enforcement is not configured
* The platform is not integrated with Sprinto and no evidence has been uploaded

***

#### Org-Level MFA Configuration

**1. GitHub (Organisation-Level)**

1. Go to **GitHub.com > Your Organisation > Settings**
2. Select **Security > Authentication security**
3. Enable **Require two-factor authentication for everyone in your organisation**
4. Save changes

All members must have 2FA enabled before this policy can be enforced.

***

**2. Okta**

1. Go to **Security > Multifactor > Factor Enrollment**
2. Define which factors are required (e.g., Okta Verify, SMS, TOTP)
3. Navigate to **Security > Authentication Policies**
4. Apply MFA requirement at the group or application level
5. Save and apply the policy

***

**3. Office365 (Microsoft Entra ID)**

1. Log in to [Microsoft Entra](https://entra.microsoft.com/).
2. Navigate to **Azure Active Directory > Security > Conditional Access**
3. Create a new policy to:
   * Apply to **All users**
   * Grant access only if MFA is enabled
4. Save and enable the policy

***

**4. Google Workspace**

1. Open **Admin Console > Security > Authentication > 2-step verification**
2. Enable and enforce the setting: **Turn on enforcement for users**
3. Apply enforcement by **Organisational Unit** or group
4. Save configuration

***

#### Root-Level MFA Configuration

**1. AWS Root User**

1. Log in to the AWS Console using the **root account**
2. Navigate to **My Security Credentials**
3. In the **Multi-Factor Authentication (MFA)** section, select **Activate MFA**
4. Choose **Virtual MFA device**, scan the QR code using an authenticator app
5. Enter two consecutive OTPs from the authenticator app to confirm setup

Sprinto will auto-detect the MFA status during the next sync.
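Sprinto's own evaluation logic is not published, but the pass/fail rules from the "What is Checked" section can be reproduced from the platform APIs, which is useful for confirming a fix before the next sync. The following Python is an added example, not code from this page or from Sprinto: it applies those rules to constructed evidence whose field names follow the real GitHub `GET /orgs/{org}` response (`two_factor_requirement_enabled`), the real `aws iam get-account-summary` output (`SummaryMap.AccountMFAEnabled`) and the decoded `aws iam get-credential-report` CSV (`mfa_active` on the `<root_account>` row). The organisation name, account ID and values are invented.

```python
"""Evaluate org-level and root-level MFA from constructed API evidence (added example)."""
import csv
import io
import json

# Constructed sample evidence, not real account data. Field names follow the real
# GitHub REST /orgs/{org} response and the AWS IAM account summary / credential report.
GITHUB_ORG_JSON = '{"login": "example-org", "two_factor_requirement_enabled": false}'
AWS_ACCOUNT_SUMMARY_JSON = '{"SummaryMap": {"AccountMFAEnabled": 0, "Users": 12}}'
AWS_CREDENTIAL_REPORT_CSV = (
    "user,arn,password_enabled,mfa_active,access_key_1_active\n"
    "<root_account>,arn:aws:iam::111122223333:root,not_supported,false,false\n"
    "alice,arn:aws:iam::111122223333:user/alice,true,true,false\n"
)


def github_org_mfa(org_json: str) -> dict:
    """Org-level check: the organisation must require 2FA for every member."""
    org = json.loads(org_json)
    enforced = org.get("two_factor_requirement_enabled") is True
    return {
        "level": "org",
        "platform": "github",
        "status": "passing" if enforced else "failing",
        "reason": None if enforced else "Organisation-wide 2FA requirement is not enabled",
    }


def aws_root_mfa(summary_json: str, credential_report_csv: str) -> dict:
    """Root-level check, cross-checking two sources so a stale report cannot mask a gap."""
    summary = json.loads(summary_json)["SummaryMap"]
    summary_says_enabled = summary.get("AccountMFAEnabled") == 1

    rows = csv.DictReader(io.StringIO(credential_report_csv))
    root = next((r for r in rows if r["user"] == "<root_account>"), None)
    report_says_enabled = root is not None and root["mfa_active"].lower() == "true"

    if summary_says_enabled and report_says_enabled:
        status, reason = "passing", None
    elif summary_says_enabled != report_says_enabled:
        # Disagreement means the evidence is unverified; fail closed rather than trust one source.
        status, reason = "failing", "Sources disagree on root MFA; treat as unverified"
    else:
        status, reason = "failing", "Root user is active but has no MFA device"
    return {"level": "root", "platform": "aws", "status": status, "reason": reason}


def evaluate_monitor(results: list, evidence_uploaded: bool) -> dict:
    """Fold per-platform results into the monitor verdict described on the page."""
    if not results:
        # Nothing integrated: only manually uploaded evidence can satisfy the monitor.
        if evidence_uploaded:
            return {"status": "passing", "findings": []}
        return {"status": "failing", "findings": ["No integration and no evidence provided"]}
    findings = [
        f"{r['platform']} ({r['level']}): {r['reason']}"
        for r in results
        if r["status"] == "failing"
    ]
    return {"status": "failing" if findings else "passing", "findings": findings}


if __name__ == "__main__":
    checks = [
        github_org_mfa(GITHUB_ORG_JSON),
        aws_root_mfa(AWS_ACCOUNT_SUMMARY_JSON, AWS_CREDENTIAL_REPORT_CSV),
    ]
    print(json.dumps(evaluate_monitor(checks, evidence_uploaded=False), indent=2))
```

With live data you would feed `gh api /orgs/<org>` into `github_org_mfa` and the outputs of `aws iam get-account-summary` and `aws iam get-credential-report` (whose `Content` field is base64-encoded CSV) into `aws_root_mfa`. The credential report is generated on demand and can lag a recent change, so the two AWS sources may disagree; the example treats disagreement as a failing result rather than trusting either one.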

***

#### Remediating the Monitor in Sprinto

* For integrated platforms, Sprinto automatically re-checks the configuration.
* If the platform does not allow verification (e.g., conditional access), upload:
  * A screenshot of the enforced setting
  * Group policy document or enforcement confirmation
* Use **Mark as Resolved** after successful MFA enforcement

***

#### Best Practices

* Enforce MFA for **all users** and make it mandatory at the organisation level
* Use **group-based policies** for scalability (e.g., Conditional Access)
* Regularly review the list of users who have bypassed MFA
* Monitor changes to enforcement policies via audit logs
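The last practice above, watching audit logs for changes to enforcement, can be turned into a small detection. The Python below is an added example, not part of this page or of Sprinto's product: it scans constructed GitHub audit-log events and AWS CloudTrail records for the real action names that weaken MFA (`org.disable_two_factor_requirement` on GitHub; `DeactivateMFADevice` and `DeleteVirtualMFADevice` performed by the root identity in CloudTrail). The actors, timestamps, organisation name and account ID are invented.

```python
"""Flag audit-log events that weaken org-level or root-level MFA (added example)."""

# Constructed sample events, not real log data. Action and event names are the real
# GitHub audit-log actions and AWS CloudTrail IAM event names; all other values are invented.
GITHUB_AUDIT_EVENTS = [
    {"action": "org.disable_two_factor_requirement", "actor": "mallory",
     "org": "example-org", "@timestamp": 1700000000000},
    {"action": "repo.create", "actor": "alice",
     "org": "example-org", "@timestamp": 1700000001000},
    {"action": "org.enable_two_factor_requirement", "actor": "alice",
     "org": "example-org", "@timestamp": 1700000002000},
]
CLOUDTRAIL_RECORDS = [
    {"eventName": "DeactivateMFADevice", "eventSource": "iam.amazonaws.com",
     "userIdentity": {"type": "Root", "accountId": "111122223333"},
     "eventTime": "2023-11-14T22:13:20Z"},
    {"eventName": "DeactivateMFADevice", "eventSource": "iam.amazonaws.com",
     "userIdentity": {"type": "IAMUser", "userName": "bob"},
     "eventTime": "2023-11-14T22:13:40Z"},
    {"eventName": "ListUsers", "eventSource": "iam.amazonaws.com",
     "userIdentity": {"type": "IAMUser", "userName": "alice"},
     "eventTime": "2023-11-14T22:14:00Z"},
]

# Policy-level actions: disabling is high severity, re-enabling is worth recording for context.
GITHUB_MFA_POLICY_SEVERITY = {
    "org.disable_two_factor_requirement": "high",
    "org.enable_two_factor_requirement": "info",
}
# IAM calls that remove an MFA device; alarming only when the root identity makes them.
AWS_MFA_REMOVAL_EVENTS = {"DeactivateMFADevice", "DeleteVirtualMFADevice"}


def github_mfa_policy_changes(events: list) -> list:
    """Return one finding per org-level 2FA policy change, preserving actor and time."""
    findings = []
    for event in events:
        severity = GITHUB_MFA_POLICY_SEVERITY.get(event.get("action"))
        if severity is None:
            continue
        findings.append({
            "source": "github",
            "severity": severity,
            "org": event.get("org"),
            "actor": event.get("actor"),
            "action": event["action"],
            "time": event.get("@timestamp"),
        })
    return findings


def aws_root_mfa_removals(records: list) -> list:
    """Return one finding per MFA-device removal performed by the root identity."""
    findings = []
    for record in records:
        identity = record.get("userIdentity", {})
        if record.get("eventName") not in AWS_MFA_REMOVAL_EVENTS:
            continue
        if identity.get("type") != "Root":
            continue  # an IAM user removing their own device is a different, lower-risk signal
        findings.append({
            "source": "cloudtrail",
            "severity": "high",
            "account": identity.get("accountId"),
            "action": record["eventName"],
            "time": record.get("eventTime"),
        })
    return findings


def high_severity_findings(events: list, records: list) -> list:
    """Combine both detections and keep only what should page someone."""
    combined = github_mfa_policy_changes(events) + aws_root_mfa_removals(records)
    return [f for f in combined if f["severity"] == "high"]


if __name__ == "__main__":
    for finding in high_severity_findings(GITHUB_AUDIT_EVENTS, CLOUDTRAIL_RECORDS):
        print(finding)
```

The root filter in `aws_root_mfa_removals` is deliberate: an IAM user rotating their own virtual device produces the same `DeactivateMFADevice` event, so matching on the event name alone would bury the root-level case the monitor cares about in routine noise. Both functions return structured findings rather than printing, so the same logic can feed an alerting pipeline or be asserted on in tests.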
