I likewise have no answers. If those external admins are part of another organization and that organization is managing their domain, that organization can use an identity provider, and that identity provider could require MFA/2FA. But for an external organization and a domain that you don't claim/manage, there's no ability to view or change the authentication policy that they impose, or whether it includes MFA/2FA.
So it's possible that these external admins are authenticating using MFA, but it's not something you can control. There's much room for improvement when dealing with accounts for domains you don't (or can't) manage and how they authenticate to your products or admin.
Thanks for your reply, David - I came to the same conclusion myself.
You'd think admin accounts could be protected better than this, so it's a little alarming. After all, if you can get into admin.atlassian.com you probably can at least invite new accounts and handle their product access and group access (for local groups).
That’s correct. External user security (when enabled) only prompts users for a step-up when accessing content from one of the supported products. The admin hub itself is not covered. External user security is more about content control than account-level control.
I assume in this use case a third-party agency/consultant is acting as the org admin?
As Atlassian accounts are global, users who are not managed by an organisation can enable two-step verification themselves via https://id.atlassian.com/manage-profile/security. I’ve tested it myself, and any external user logging into the admin hub will be prompted for two-step verification when this is configured.
If the external user is managed by another organisation, this won’t be possible, and whether two-step authentication is enforced will depend on their authentication policies.
As an organisation admin is the highest level of admin who can complete any administrative task in the admin hub, I would lean towards providing them with an account with a verified domain (ext.company-name.com) so they can be controlled as a managed user, provisioned, and authenticated by the company’s identity provider.
Hi Gary,
Thank you for your reply.
This indeed is the use case. We are an Atlassian Platinum Partner and do administration for many customers. We have the security in place for all of our users doing the administering, but we've also seen some other external admins and can't know for sure if they are using Atlassian MFA or, for example, their own organization's SSO & MFA.
I would like to see the possibility to enforce SSO or MFA for admin.atlassian.com users - not only org-admins, but site-admins and user access admins too, as not every company can or will use Atlassian Guard. Otherwise, I agree that providing an ext-user account with company MFA / SSO is a good practice.
BR,
Antti
What might be a viable option for Atlassian to implement is giving us the ability to prevent accounts not authenticated through MFA from accessing the Admin hub. By this I mean not that we suddenly get the ability to enable MFA for those accounts that we don't manage, but that perhaps those accounts have a flag that indicates whether MFA is being used to authenticate them.
We are given the ability to turn on something like "require that Org admins use MFA", so when an account without MFA tries to access the Admin hub they receive a message along the lines of:
This Organization requires that all Org Admins have MFA enabled for their accounts, please enable MFA for your account in order to access the Admin hub.