# Enforce Org-Level and Root-Level MFA

Privileged accounts, such as organisation owners and root users, are prime targets for unauthorised access. Sprinto monitors whether these critical accounts have Multi-Factor Authentication (MFA) enforced and alerts you if the protection is missing or misconfigured.

This guide explains how to set up and enforce MFA for organisation-wide and root-level accounts on key platforms to meet compliance requirements.

***

#### What is Checked

Sprinto evaluates MFA enforcement at two levels:

* **Org-Level MFA** – Ensures that the platform (for example, GitHub, Okta, Office365) requires MFA for every member of your organisation.
* **Root-Level MFA** – Ensures accounts with the highest privileges (e.g., AWS root user) are protected with MFA.

The monitor will show as **Failing** if:

* Root accounts are active but lack MFA
* Organisation-wide MFA enforcement is not configured
* The system is not integrated and no evidence is provided

***

#### Org-Level MFA Configuration

**1. GitHub (Organisation-Level)**

1. Go to **GitHub.com > Your Organisation > Settings**
2. Select **Security > Authentication security**
3. Enable **Require two-factor authentication for everyone in your organisation**
4. Save changes

All members must have 2FA enabled before this policy can be enforced.

***

**2. Okta**

1. Go to **Security > Multifactor > Factor Enrollment**
2. Define which factors are required (e.g., Okta Verify, SMS, TOTP)
3. Navigate to **Security > Authentication Policies**
4. Apply MFA requirement at the group or application level
5. Save and apply the policy

***

**3. Office365 (Microsoft Entra ID)**

1. Log in to [Microsoft Entra](https://entra.microsoft.com/).
2. Navigate to **Azure Active Directory > Security > Conditional Access**
3. Create a new policy to:
   * Apply to **All users**
   * Grant access only if MFA is enabled
4. Save and enable the policy

***

**4. Google Workspace**

1. Open **Admin Console > Security > Authentication > 2-step verification**
2. Enable and enforce the setting: **Turn on enforcement for users**
3. Apply enforcement by **Organisational Unit** or group
4. Save configuration

***

#### Root-Level MFA Configuration

**1. AWS Root User**

1. Log in to the AWS Console using the **root account**
2. Navigate to **My Security Credentials**
3. In the **Multi-Factor Authentication (MFA)** section, select **Activate MFA**
4. Choose **Virtual MFA device**, scan the QR code using an authenticator app
5. Enter two consecutive OTPs from the authenticator app to confirm setup

Sprinto will auto-detect the MFA status during the next sync.
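The evaluation logic described under "What is Checked" can be expressed as a small script that reads the same evidence the platforms expose. The following is an added example, not Sprinto's code: it scores the AWS root user from the IAM credential report and account summary (`aws iam get-credential-report`, `aws iam get-account-summary`), a GitHub organisation from the `two_factor_requirement_enabled` field of `GET /orgs/{org}`, and a Microsoft Entra tenant from its Conditional Access policies. All inputs are constructed samples trimmed to the fields the checks read; the account ID, organisation name and the `break-glass-guid-placeholder` exclusion are fictional, and the function names are this example's own.

```python
"""Evaluate Org-Level and Root-Level MFA evidence the way the monitor above
describes. Added example (not Sprinto's code); every input is constructed."""
import csv
import io

# --- Constructed sample inputs (assumed shapes, fictional accounts) ----------

# Subset of the CSV columns returned by `aws iam get-credential-report`
# (the Content field, base64-decoded). The root user appears as <root_account>.
AWS_CREDENTIAL_REPORT = """\
user,arn,mfa_active,password_enabled,access_key_1_active,access_key_2_active
<root_account>,arn:aws:iam::111122223333:root,false,not_supported,false,false
alice,arn:aws:iam::111122223333:user/alice,true,true,true,false
"""

# Subset of `aws iam get-account-summary`; AccountMFAEnabled is 1 when the
# root user has an MFA device assigned and 0 otherwise.
AWS_ACCOUNT_SUMMARY = {"SummaryMap": {"AccountMFAEnabled": 0, "Users": 1}}

# Subset of `GET /orgs/{org}` from the GitHub REST API. The field
# two_factor_requirement_enabled is only returned to organisation owners.
GITHUB_ORG = {"login": "example-org", "two_factor_requirement_enabled": False}

# Microsoft Graph conditionalAccessPolicy objects (as listed from
# /identity/conditionalAccess/policies), trimmed to the fields checked here.
ENTRA_CA_POLICIES = [
    {
        "displayName": "Require MFA for all users",
        "state": "enabled",
        "conditions": {
            "users": {"includeUsers": ["All"],
                      "excludeUsers": ["break-glass-guid-placeholder"]},
            "applications": {"includeApplications": ["All"]},
        },
        "grantControls": {"operator": "OR", "builtInControls": ["mfa"]},
    }
]


def finding(level, platform, passing, reason=None, review=None):
    """Uniform result record: passing is True, False or None (no evidence)."""
    return {"level": level, "platform": platform, "passing": passing,
            "reason": reason, "review": review or []}


def evaluate_aws_root(credential_report: str, account_summary: dict) -> dict:
    """Root-Level check. The root user can always sign in, so it counts as
    active; it fails whenever the report says mfa_active is not true. The
    AccountMFAEnabled counter is cross-checked so a stale report is noticed."""
    rows = csv.DictReader(io.StringIO(credential_report))
    root = next((r for r in rows if r["user"] == "<root_account>"), None)
    if root is None:
        return finding("root", "aws", None,
                       "no evidence: credential report has no <root_account> row")
    report_says_mfa = root["mfa_active"].strip().lower() == "true"
    summary_says_mfa = account_summary.get("SummaryMap", {}).get("AccountMFAEnabled") == 1
    if report_says_mfa and summary_says_mfa:
        return finding("root", "aws", True)
    if report_says_mfa != summary_says_mfa:
        return finding("root", "aws", None,
                       "inconsistent evidence: report and account summary disagree; re-sync")
    return finding("root", "aws", False, "root user is active but has no MFA device")


def evaluate_github_org(org: dict) -> dict:
    """Org-Level check for GitHub: the org must require 2FA for everyone."""
    flag = org.get("two_factor_requirement_enabled")
    if flag is None:
        return finding("org", "github", None,
                       "no evidence: the field is only returned to organisation owners")
    if flag:
        return finding("org", "github", True)
    return finding("org", "github", False,
                   "'Require two-factor authentication for everyone' is not enabled")


def evaluate_entra_conditional_access(policies: list) -> dict:
    """Org-Level check for Entra ID: an enabled policy covering all users and
    all apps whose grant control is MFA. Excluded users are returned for
    review (the bypass list in Best Practices) rather than failing the check."""
    for p in policies:
        if p.get("state") != "enabled":
            continue
        users = p.get("conditions", {}).get("users", {})
        apps = p.get("conditions", {}).get("applications", {})
        controls = (p.get("grantControls") or {}).get("builtInControls", [])
        if ("All" in users.get("includeUsers", [])
                and "All" in apps.get("includeApplications", [])
                and "mfa" in controls):
            return finding("org", "entra", True, review=list(users.get("excludeUsers", [])))
    return finding("org", "entra", False,
                   "no enabled Conditional Access policy requires MFA for all users")


def evaluate_all():
    """Run every check against the constructed samples above."""
    return [evaluate_aws_root(AWS_CREDENTIAL_REPORT, AWS_ACCOUNT_SUMMARY),
            evaluate_github_org(GITHUB_ORG),
            evaluate_entra_conditional_access(ENTRA_CA_POLICIES)]


if __name__ == "__main__":
    labels = {True: "Passing", False: "Failing", None: "No evidence"}
    for f in evaluate_all():
        line = f"{f['level']:<5} {f['platform']:<7} {labels[f['passing']]}"
        if f["reason"]:
            line += f" - {f['reason']}"
        if f["review"]:
            line += f" (review exclusions: {f['review']})"
        print(line)
```

With the samples as written, the AWS root check and the GitHub check report Failing and the Entra check reports Passing with one exclusion to review. The three-way result (passing, failing, no evidence) mirrors the monitor: a missing or contradictory field is treated as "not integrated and no evidence is provided" rather than as a pass, which is the safe default when the API token lacks owner rights or a report has gone stale.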

***

#### Remediating the Monitor in Sprinto

* For integrated platforms, Sprinto automatically re-checks the configuration.
* If the platform does not allow verification (e.g., conditional access), upload:
  * A screenshot of the enforced setting
  * Group policy document or enforcement confirmation
* Use **Mark as Resolved** after successful MFA enforcement

***

#### Best Practices

* Enforce MFA for **all users** and make it mandatory at the organisation level
* Use **group-based policies** for scalability (e.g., Conditional Access)
* Regularly review the list of users who have bypassed MFA
* Monitor changes to enforcement policies via audit logs
