It sounds like you have a complex identity management setup with various types of users accessing your applications. To address the requirement of enforcing MFA (OTP) at the user level rather than the application level, you might need to adjust your approach slightly. Here's a suggestion on how you could resolve this:
- Customize User Registration Process: When creating user accounts manually within FusionAuth, you can customize the registration process to include mandatory enrollment of MFA (OTP). This could involve adding a step during account creation where users are prompted to set up MFA, and they can't proceed without completing this step.
- Use FusionAuth Hooks or Lambda Functions: FusionAuth provides hooks or Lambda functions that allow you to execute custom logic during various events, such as user registration. You can leverage these hooks to enforce MFA enrollment for manually created user accounts. For example, you could write a custom hook that checks if the user account was created manually and, if so, requires MFA enrollment before allowing the account creation process to complete.
- Communicate MFA Requirement Clearly: Ensure that users are aware of the MFA requirement during the account creation process. Provide clear instructions on how to set up MFA and why it's necessary for their security. This helps ensure user compliance with the MFA enrollment process.
- User Education and Support: Offer resources and support to assist users in setting up MFA. This could include documentation, tutorials, or even direct support channels where users can get assistance if they encounter any issues during the MFA enrollment process.
By implementing these steps, you can enforce MFA (OTP) at the user level for manually created accounts within FusionAuth, while still allowing federated Azure customers to access your applications seamlessly without requiring an additional layer of authentication.
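One concrete way to find the "manually created, not yet enrolled" users the answer above talks about, as an added example that is not part of the answer or of FusionAuth's own code: the script below separates federated accounts from local ones by looking for an Identity Provider Link (a user who signed in through the Azure identity provider has a link; a user created by hand in the admin UI or via the User API does not), and treats a local account with no entry in `user.twoFactor.methods` as needing enrollment. The `/api/user/search` and `/api/identity-provider/link` paths and the `user.twoFactor.methods` field are FusionAuth's documented API shapes; the base URL, the API key, the tenant id and the `user.data.mfaEnrollmentRequired` flag are assumptions made for this example. The sample users at the bottom are constructed, so the classification logic runs offline.

```python
"""Audit FusionAuth users for MFA enrollment (added example, not FusionAuth code).

A user is reported as needing enrollment when the account has no identity
provider link (so it was not federated from Azure) and no two-factor method.
"""
import json
import urllib.request

FUSIONAUTH_URL = "http://localhost:9011"                      # assumed
API_KEY = "change-me"                                         # assumed: key with user read/patch rights
TENANT_ID = "11111111-2222-3333-4444-555555555555"            # assumed: only needed with several tenants


def _request(method, path, body=None):
    """Minimal JSON client for the FusionAuth API using only the standard library."""
    data = json.dumps(body).encode() if body is not None else None
    req = urllib.request.Request(FUSIONAUTH_URL + path, data=data, method=method)
    req.add_header("Authorization", API_KEY)
    req.add_header("X-FusionAuth-TenantId", TENANT_ID)
    req.add_header("Content-Type", "application/json")
    with urllib.request.urlopen(req) as resp:
        return json.loads(resp.read() or b"{}")


def fetch_users(page_size=100):
    """Page through POST /api/user/search with a match-all query."""
    start = 0
    while True:
        res = _request("POST", "/api/user/search",
                       {"search": {"queryString": "*", "startRow": start, "numberOfResults": page_size}})
        users = res.get("users", [])
        if not users:
            return
        yield from users
        start += len(users)
        if start >= res.get("total", 0):
            return


def fetch_links(user_id):
    """GET /api/identity-provider/link?userId=... returns the user's IdP links."""
    return _request("GET", f"/api/identity-provider/link?userId={user_id}").get("identityProviderLinks", [])


def is_federated(links):
    """At least one identity provider link means the user came in through an IdP (e.g. Azure)."""
    return len(links) > 0


def has_mfa_method(user):
    """FusionAuth keeps enrolled factors in user.twoFactor.methods (authenticator, sms, email)."""
    methods = user.get("twoFactor", {}).get("methods", [])
    return any(m.get("method") in ("authenticator", "sms", "email") for m in methods)


def needs_enrollment(user, links):
    """Only local (non-federated) accounts without a factor are chased for enrollment."""
    return not is_federated(links) and not has_mfa_method(user)


def audit(users_and_links):
    """Return the ids of users needing MFA enrollment, given (user, links) pairs."""
    return [user["id"] for user, links in users_and_links if needs_enrollment(user, links)]


def flag_for_enrollment(user_id):
    """Record the requirement in user.data so a login flow or lambda can act on it (assumed convention)."""
    return _request("PATCH", f"/api/user/{user_id}",
                    {"user": {"data": {"mfaEnrollmentRequired": True}}})


# Constructed sample data in the shape of the User and Identity Provider Link API responses.
SAMPLE = [
    ({"id": "u-1", "email": "alice@example.com", "twoFactor": {"methods": []}}, []),                    # local, no MFA
    ({"id": "u-2", "email": "bob@example.com",
      "twoFactor": {"methods": [{"id": "abcd", "method": "authenticator"}]}}, []),                      # local, enrolled
    ({"id": "u-3", "email": "carol@contoso.com", "twoFactor": {"methods": []}},
     [{"identityProviderId": "azure-ad-idp", "userId": "u-3"}]),                                         # federated via Azure
    ({"id": "u-4", "email": "dave@example.com"}, []),                                                    # local, no twoFactor block
]

if __name__ == "__main__":
    for uid in audit(SAMPLE):
        print("needs MFA enrollment:", uid)
    # Against a live server (requires the assumed URL and key above):
    # for u in fetch_users():
    #     if needs_enrollment(u, fetch_links(u["id"])):
    #         flag_for_enrollment(u["id"])
```

The check looks at identity provider links rather than at the user's email domain because a contoso.com address proves nothing about how the account was created; a link is only written when the user actually authenticated through the configured identity provider. The flag written by `flag_for_enrollment` is a convention for this example: something on the login path (the application, or a lambda reading `user.data`) still has to act on it, since the audit itself only reports.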