admin.atlassian.com MFA enforcement missing

Antti Salo _Ambientia_
January 19, 2025

 

Hi!

I've been trying to find a way to enforce MFA for external admins in admin.atlassian.com, but it seems this can't be done. I asked Atlassian Support about this, and apparently external user MFA (the email verification) applies only when accessing products (Jira, Confluence).

So, when an organization has external admins who need to use admin.atlassian.com, we have a potential security issue, as there seems to be no technical way to verify or enforce that they use MFA when accessing admin.atlassian.com.

Does anyone have a solution for this? Am I missing something?

BR,
Antti Salo, Solutions Expert @ Ambientia Group Oy, Atlassian Platinum Partner

2 comments

Steven Haworth
Contributor
January 20, 2025

I don't have any answers, but I'd like the same functionality available.

David Cowley
Contributor
January 20, 2025

I likewise have no answers. If those external admins are part of another organization and that organization is managing their domain, that organization can use an identity provider, and that identity provider could require MFA/2FA. But as an external organization and a domain that you don't claim/manage, there's no ability to view or change the authentication policy that they impose and whether it includes MFA/2FA.

So it's possible that these external admins are authenticating using MFA, but it's not something you can control. There's much room for improvement when dealing with accounts for domains you don't (or can't) manage and how they authenticate to your products or admin.

Antti Salo _Ambientia_
January 20, 2025

Thanks for your reply, David - I came to the same conclusion myself.

You'd think admin accounts could be protected better than this, so it's a little alarming. After all, if you can get into admin.atlassian.com you probably can at least invite new accounts and handle their product access and group access (for local groups).
