Enforce Org-Level and Root-Level MFA

Learn how to enforce MFA for organisation-level and root-level accounts across GitHub, AWS, Okta, Google Workspace, and Office365 to meet Sprinto monitor requirements.

Privileged accounts, such as organisation owners and root users, are prime targets for unauthorised access. Sprinto monitors whether these critical accounts have Multi-Factor Authentication (MFA) enforced and alerts you if the protection is missing or misconfigured.

This guide explains how to set up and enforce MFA for organisation-wide and root-level accounts on key platforms to meet compliance requirements.


What is Checked

Sprinto evaluates MFA enforcement at two levels:

  • Org-Level MFA – Ensures all members of your organisation (e.g., GitHub, Okta, Office365) are required to use MFA.

  • Root-Level MFA – Ensures accounts with the highest privileges (e.g., AWS root user) are protected with MFA.

The monitor will show as Failing if:

  • Root accounts are active but lack MFA

  • Organisation-wide MFA enforcement is not configured

  • The system is not integrated and no evidence is provided


Org-Level MFA Configuration

1. GitHub (Organisation-Level)

  1. Go to GitHub.com > Your Organisation > Settings

  2. Select Security > Authentication security

  3. Enable Require two-factor authentication for everyone in your organisation

  4. Save changes

Turning this on removes every member, outside collaborator and billing manager who has not already enabled 2FA from the organisation (they can be re-invited once they enrol). Before saving, filter the organisation's People list by 2FA status and notify the affected users, otherwise they and any automation tied to their accounts lose access at the moment you enforce.
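The pre-flight check above can be scripted. The following is an added example, not Sprinto's or GitHub's code: it reads the org's `two_factor_requirement_enabled` flag from `GET /orgs/{org}` and lists members returned by `GET /orgs/{org}/members?filter=2fa_disabled` (both documented GitHub REST endpoints; the second is only available to organisation owners), following the `Link` header for pagination. The `fake_fetcher` responses and the org name `example-org` are constructed so the script runs offline; `github_fetcher` is the live variant.

```python
"""Pre-flight check before enforcing 2FA on a GitHub organisation (added example)."""
import json
import re
import urllib.request
from typing import Callable, Dict, Iterator, List, Optional, Tuple

API = "https://api.github.com"

# A fetcher returns (parsed JSON body, Link response header or "") for a URL.
Fetcher = Callable[[str], Tuple[object, str]]


def github_fetcher(token: str) -> Fetcher:
    """Live fetcher: authenticated GET against api.github.com (needs an owner token)."""
    def fetch(url: str) -> Tuple[object, str]:
        req = urllib.request.Request(url, headers={
            "Authorization": f"Bearer {token}",
            "Accept": "application/vnd.github+json",
            "X-GitHub-Api-Version": "2022-11-28",
        })
        with urllib.request.urlopen(req) as resp:
            return json.load(resp), resp.headers.get("Link", "")
    return fetch


def next_link(link_header: str) -> Optional[str]:
    """Return the rel="next" URL from a Link header, or None on the last page."""
    for part in link_header.split(","):
        m = re.match(r'\s*<([^>]+)>;\s*rel="next"', part)
        if m:
            return m.group(1)
    return None


def paginate(fetch: Fetcher, url: str) -> Iterator[dict]:
    """Yield items from every page of a list endpoint."""
    while url:
        items, link = fetch(url)
        yield from items
        url = next_link(link)


def members_without_2fa(fetch: Fetcher, org: str) -> List[str]:
    """Logins that would be removed from the org if enforcement were switched on."""
    url = f"{API}/orgs/{org}/members?filter=2fa_disabled&per_page=100"
    return sorted(m["login"] for m in paginate(fetch, url))


def org_requires_2fa(fetch: Fetcher, org: str) -> bool:
    org_json, _ = fetch(f"{API}/orgs/{org}")
    return bool(org_json.get("two_factor_requirement_enabled"))


def report(fetch: Fetcher, org: str) -> Dict[str, object]:
    """Is enforcement already on, and is it safe to turn on (nobody gets removed)?"""
    missing = members_without_2fa(fetch, org)
    return {
        "org": org,
        "enforced": org_requires_2fa(fetch, org),
        "members_without_2fa": missing,
        "safe_to_enforce": not missing,
    }


# Constructed offline responses for demonstration (not real API data):
# two pages of members lacking 2FA and an org with enforcement still off.
_PAGES = {
    f"{API}/orgs/example-org": (
        {"login": "example-org", "two_factor_requirement_enabled": False}, ""),
    f"{API}/orgs/example-org/members?filter=2fa_disabled&per_page=100": (
        [{"login": "alice"}, {"login": "bob"}],
        f'<{API}/orgs/example-org/members?filter=2fa_disabled&per_page=100&page=2>; rel="next", '
        f'<{API}/orgs/example-org/members?filter=2fa_disabled&per_page=100&page=2>; rel="last"'),
    f"{API}/orgs/example-org/members?filter=2fa_disabled&per_page=100&page=2": (
        [{"login": "carol"}],
        f'<{API}/orgs/example-org/members?filter=2fa_disabled&per_page=100&page=1>; rel="prev"'),
}


def fake_fetcher(url: str) -> Tuple[object, str]:
    return _PAGES[url]


if __name__ == "__main__":
    print(json.dumps(report(fake_fetcher, "example-org"), indent=2))
```

Run it against the live API by swapping `fake_fetcher` for `github_fetcher(token)`; enforce only once `members_without_2fa` comes back empty, then re-run to confirm `enforced` flips to true.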


2. Okta

  1. Go to Security > Multifactor > Factor Enrollment (Classic Engine) or Security > Authenticators (Identity Engine)

  2. Define which factors users may enrol and which are required. Prefer phishing-resistant factors (FIDO2/WebAuthn security keys, Okta FastPass) and avoid relying on SMS, which is the weakest option

  3. Navigate to Security > Authentication Policies

  4. Add a rule that requires two factor types and assign it to the groups or applications in scope. The policy's Catch-all Rule governs everyone the other rules do not match, so set it to require MFA as well rather than leaving it at password only

  5. Save and apply the policy


3. Office365 (Microsoft Entra ID)

  1. Sign in to the Microsoft Entra admin center (entra.microsoft.com). Conditional Access requires a Microsoft Entra ID P1 licence (included in Microsoft 365 E3/E5 and Business Premium); tenants without it can instead enable Security defaults (Identity > Overview > Properties > Manage security defaults), which require MFA for all users

  2. Navigate to Protection > Conditional Access > Policies (in the Azure portal: Microsoft Entra ID > Security > Conditional Access)

  3. Create a new policy:

    • Users: include All users, and exclude only your break-glass (emergency access) accounts

    • Target resources: All cloud apps

    • Grant: Grant access, Require multifactor authentication

  4. Set the policy to Report-only first, check the sign-in logs for users who would have been blocked, then switch it to On and save


4. Google Workspace

  1. Open Admin console > Security > Authentication > 2-step verification

  2. On the left, select the organisational unit or group the setting applies to (the top-level organisation covers everyone)

  3. Tick Allow users to turn on 2-Step Verification, then set Enforcement to On (or On from a date to give a grace period). Optionally restrict the allowed methods, e.g., Only security key, for high-privilege OUs such as super admins

  4. Save. Announce the enforcement date in advance so users enrol before it takes effect


Root-Level MFA Configuration

1. AWS Root User

  1. Log in to the AWS Console using the root account

  2. Open the account menu (top right) and select Security credentials

  3. In the Multi-factor authentication (MFA) section, select Assign MFA device

  4. Choose a device type. A FIDO2 security key is the strongest choice for root because it is phishing-resistant; an authenticator app (virtual MFA) is acceptable. Root supports up to eight MFA devices, so register a backup and store it separately from the primary

  5. For an authenticator app, scan the QR code and enter two consecutive codes to confirm setup; for a security key, follow the browser prompt

While signed in as root, also delete any root access keys; root should never be used for day-to-day work. Sprinto will auto-detect the MFA status during the next sync. You can confirm it yourself with aws iam get-account-summary, where AccountMFAEnabled reads 1 once root MFA is active.
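The same evidence is available from the IAM credential report, which is what auditors and monitors typically read. The following added example (not Sprinto's or AWS's code) parses that report: it is a CSV with one row per IAM user plus a row whose user column is <root_account>, and an mfa_active column of true/false. The script confirms root MFA and also lists IAM users who have a console password but no MFA device, which is the same failing condition applied to non-root humans. SAMPLE_REPORT is a constructed report with a placeholder account ID so the script runs offline; fetch_live_report pulls the real one with boto3.

```python
"""Verify root-user MFA from the IAM credential report (added example)."""
import csv
import io
from typing import Dict, List

ROOT = "<root_account>"  # the user name AWS gives the root row


def parse_credential_report(report_csv: str) -> List[Dict[str, str]]:
    """Parse the credential report CSV into a list of row dicts keyed by column."""
    return list(csv.DictReader(io.StringIO(report_csv)))


def root_mfa_enabled(rows: List[Dict[str, str]]) -> bool:
    """True only if the <root_account> row exists and mfa_active is 'true'."""
    for row in rows:
        if row["user"] == ROOT:
            return row["mfa_active"].strip().lower() == "true"
    # No root row means the report is incomplete; do not treat that as a pass.
    return False


def console_users_without_mfa(rows: List[Dict[str, str]]) -> List[str]:
    """IAM users that can sign in with a password but have no MFA device.
    API-only users (password_enabled 'false') are skipped; they cannot use MFA."""
    return sorted(
        row["user"] for row in rows
        if row["user"] != ROOT
        and row["password_enabled"].strip().lower() == "true"
        and row["mfa_active"].strip().lower() != "true"
    )


def evaluate(report_csv: str) -> Dict[str, object]:
    rows = parse_credential_report(report_csv)
    root_ok = root_mfa_enabled(rows)
    return {
        "root_mfa_enabled": root_ok,
        "console_users_without_mfa": console_users_without_mfa(rows),
        # Mirrors the monitor's failing condition: root active but no MFA.
        "monitor_passes": root_ok,
    }


def fetch_live_report() -> str:
    """Pull the real report with boto3 (needs iam:GenerateCredentialReport and
    iam:GetCredentialReport). Generation is asynchronous, so poll until COMPLETE."""
    import time
    import boto3  # only needed for the live path, not for the offline demo
    iam = boto3.client("iam")
    while iam.generate_credential_report()["State"] != "COMPLETE":
        time.sleep(2)
    return iam.get_credential_report()["Content"].decode("utf-8")


# Constructed sample report (not real account data; 123456789012 is a placeholder).
# Only the leading columns are shown; real reports carry more.
SAMPLE_REPORT = """user,arn,user_creation_time,password_enabled,password_last_used,password_last_changed,password_next_rotation,mfa_active,access_key_1_active
<root_account>,arn:aws:iam::123456789012:root,2020-01-01T00:00:00+00:00,not_supported,2024-05-01T10:00:00+00:00,not_supported,not_supported,false,false
alice,arn:aws:iam::123456789012:user/alice,2021-03-03T00:00:00+00:00,true,2024-05-02T08:00:00+00:00,2024-01-01T00:00:00+00:00,N/A,true,true
bob,arn:aws:iam::123456789012:user/bob,2021-03-03T00:00:00+00:00,true,no_information,2024-01-01T00:00:00+00:00,N/A,false,false
ci-deploy,arn:aws:iam::123456789012:user/ci-deploy,2022-06-06T00:00:00+00:00,false,N/A,N/A,N/A,false,true
"""

if __name__ == "__main__":
    print(evaluate(SAMPLE_REPORT))
```

On the sample the root row has mfa_active false, so monitor_passes is false and bob is flagged as a console user without MFA; ci-deploy is ignored because it has no password. Replace SAMPLE_REPORT with fetch_live_report() to run it against a real account.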


Remediating the Monitor in Sprinto

  • For integrated platforms, Sprinto automatically re-checks the configuration.

  • If the platform does not allow verification (e.g., conditional access), upload:

    • A screenshot of the enforced setting

    • Group policy document or enforcement confirmation

  • Use Mark as Resolved after successful MFA enforcement


Best Practices

  • Enforce MFA for all users and make it mandatory at the organisation level

  • Use phishing-resistant factors (FIDO2 security keys, passkeys) for owners, administrators and root; treat SMS as a fallback at most

  • Use group-based policies for scalability (e.g., Conditional Access), and keep exclusions limited to break-glass accounts with alerting on their use

  • Regularly review the list of users who have bypassed MFA or are excluded from the policy

  • Monitor changes to enforcement policies via audit logs (e.g., the GitHub organisation audit log, AWS CloudTrail, Entra audit logs)
