Roll out MFA to your organisation
In this article:
Learn what to communicate to your organisation before turning on MFA, and how to support users through the change.
This article covers what to tell affected users before MFA is enforced, what the sign-in experience looks like, how to support users who get stuck, and a summary of administrator controls.
MFA reduces the risk of account takeover from compromised passwords. With MFA active, users need a one-time code from an authenticator app as well as their username and password.
Turning on enforcement is recommended if your organisation has a security policy that requires MFA, or if you're completing a compliance or assurance review.
Q: Do I need to notify users before turning on enforcement?
A: You're not required to, but it's strongly recommended. Users will be prompted to set up MFA at their next sign-in, so advance notice helps them prepare.
Q: How long does MFA setup take?
A: Setup usually takes around two minutes once the user has an authenticator app installed.
Q: Does MFA enforcement affect SSO users?
A: No. SSO users sign in through Microsoft Entra ID. Their MFA is managed by Microsoft Entra ID.
Before you start
Check the following:
- You have administrator access to Logiqc system settings.
- You know which users sign in with a username and password.
- You're ready to let users know MFA is coming before you turn it on.
Who is affected by Logiqc MFA?
Logiqc MFA applies to users who sign in directly to Logiqc with a username and password.
Username and password users
These users will be guided through MFA setup at their next sign-in after enforcement is turned on.
SSO users
These users sign in through Microsoft Entra ID. Logiqc MFA enforcement does not apply to them.
What to communicate to users
Before you enable organisation-wide MFA enforcement, let users know:
- MFA will be required at their next sign-in.
- They'll need an authenticator app on their mobile device, such as Google Authenticator, Microsoft Authenticator, or Authy.
- They'll be guided through setup the first time they sign in after MFA is turned on.
- After setup, each sign-in will require a 6-digit code from their authenticator app.
- If they get stuck, they should contact their Logiqc administrator.
Send users these articles:
Logiqc Mobile users
Logiqc Mobile users are also guided through MFA setup when they next sign in after MFA is turned on.
On mobile, users may need to copy the setup key from Logiqc Mobile into their authenticator app. After setup, they use the 6-digit one-time code from the authenticator app when signing in.
For detailed mobile steps, see:
Support users who get stuck
Most users can complete MFA setup without help. For users who do get stuck, the most common situations are:
User can't complete setup
- Ask the user to check that their authenticator app is installed and that they are adding the Logiqc account shown on screen.
- If they are using Logiqc Mobile, they can copy the setup key shown on screen and paste it into their authenticator app when adding the account.
- For step-by-step setup guidance, send them to Set up MFA.
User entered the wrong code or the code expired
- Codes refresh every 30 seconds. The user should wait for a new code and try again.
- If codes consistently fail, the time on their mobile device may need to be set to automatic in device settings.
- For sign-in troubleshooting, send them to Sign in with MFA.
User has lost access to their authenticator app
- This is the situation that requires administrator action.
- Reset their MFA from user administration. See Reset a user's MFA.
- Once reset, the user can sign in and go through MFA setup again.
Administrator reference
Use this table as a quick reference for the MFA actions available to administrators.
| Situation | What to do |
|---|---|
| Require MFA for users who sign in with username and password | Turn on MFA enforcement. See Turn on MFA for your organisation. |
| Enable MFA for one user only | Use the MFA toggle in the user's account. See Manage MFA for individual users. |
| Disable MFA for one user | Use the MFA toggle, only available when organisation-wide enforcement is off. See Manage MFA for individual users. |
| User is locked out of their authenticator app | Use Reset MFA in the user's account. See Reset a user's MFA. |
| SSO user needs MFA support | Direct them to your Microsoft Entra ID administrator. Logiqc does not manage SSO MFA. |
What happens next
Once MFA enforcement is turned on, users who sign in with a username and password will be prompted to set up MFA at their next sign-in.
After setup is complete, they use a 6-digit code from their authenticator app each time they sign in. Day-to-day, there is nothing else to manage unless a user needs their MFA reset.
To keep going, see:
Watch this space
This tutorial is still being written. A step-by-step Academy video will be available soon.