Enforce Multi-Factor Authentication (MFA) for External Email Accounts
Force Users to Enable Multi-Factor Authentication for External Email Providers
Requested By:
Customer Direktoratet for Samfunnssikkerhet og Beredskap
Description:
As requested by Customer DSB, the system should enforce Multi-Factor Authentication (MFA) for users who authenticate through external identity providers such as Microsoft, Google (Gmail), or other supported providers.
This requirement is intended to enhance security and reduce the risk of unauthorized access caused by compromised passwords.
Objective:
Ensure that all users authenticate using two or more verification factors, improving account protection and aligning with modern security standards.
Proposed Behavior:
When a user logs in using an external provider (e.g., Microsoft, Google, or other supported identity providers), the system should verify whether MFA is enabled for the account.
If MFA is not enabled:
The user should be prompted to enable MFA before proceeding.
Access to the application should be restricted until MFA is activated.
The system should support common MFA methods, including:
Authenticator applications (e.g., Microsoft Authenticator, Google Authenticator)
Acceptance Criteria:
Users signing in with Microsoft, Google, or other supported providers must have MFA enabled.
If MFA is not enabled, the user is not allowed to access the system until MFA is configured.
The system displays clear guidance for enabling MFA.
MFA status is validated during authentication.
Administrators may optionally enforce this policy globally.
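One way to implement the "MFA status is validated during authentication" behaviour from the Proposed Behavior and Acceptance Criteria above, as an added example that is not part of this request or its implementation: read the MFA evidence from the external provider's OpenID Connect ID token. It assumes the token has already been signature-verified and decoded into a dict, and that MFA evidence is carried in the standard `amr` claim (RFC 8176), which Microsoft Entra ID populates; a token with no usable `amr` is treated as MFA not enabled, so access is blocked and guidance is shown.

```python
"""Added example (not from the DSB request or its implementer): validate MFA
status at login from an OpenID Connect ID token's claims.

Assumptions: the ID token is already signature-verified and decoded to a dict;
MFA evidence is read from the 'amr' claim (RFC 8176), e.g. ["pwd", "mfa"] as
Microsoft Entra ID emits it. No usable 'amr' counts as MFA not enabled."""
from dataclasses import dataclass
from enum import Enum

# RFC 8176 method names that denote a second factor ("mfa" is the aggregate
# value Entra ID emits when any MFA method completed during sign-in).
MFA_AMR_VALUES = frozenset({"mfa", "otp", "hwk", "sc", "swk"})


class Decision(Enum):
    ALLOW = "allow"
    REQUIRE_MFA_ENROLLMENT = "require_mfa_enrollment"


@dataclass(frozen=True)
class LoginOutcome:
    decision: Decision
    guidance: str  # shown to the user when access is blocked


def mfa_satisfied(claims: dict) -> bool:
    """True only when 'amr' is a list naming at least one second-factor method."""
    amr = claims.get("amr")
    if not isinstance(amr, list):
        return False  # missing or malformed claim: no evidence, fail closed
    return any(m in MFA_AMR_VALUES for m in amr if isinstance(m, str))


def evaluate_login(claims: dict) -> LoginOutcome:
    """Apply the requested policy: block until MFA is evidenced, with guidance."""
    issuer = claims.get("iss", "the identity provider")
    if mfa_satisfied(claims):
        return LoginOutcome(Decision.ALLOW, "")
    return LoginOutcome(
        Decision.REQUIRE_MFA_ENROLLMENT,
        "Multi-factor authentication is required. Enable an authenticator app "
        f"(e.g. Microsoft or Google Authenticator) at {issuer}, then sign in again.",
    )


# Constructed sample claim sets, not real tokens; the tenant id is a placeholder.
ENTRA_PWD_PLUS_MFA = {"iss": "https://login.microsoftonline.com/<tenant-id>/v2.0",
                      "sub": "user-1", "amr": ["pwd", "mfa"]}
ENTRA_PWD_ONLY = {"iss": "https://login.microsoftonline.com/<tenant-id>/v2.0",
                  "sub": "user-2", "amr": ["pwd"]}
NO_AMR_CLAIM = {"iss": "https://accounts.google.com", "sub": "user-3"}
```

Providers that never emit `amr` cannot be validated this way; for those, the MFA check has to come from a provider-specific API or an `acr`-based policy agreed with the provider.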
Benefits:
Improved protection against account compromise.
Reduced risk from phishing and password leaks.
Compliance with customer security requirements.
Stronger overall platform security.