Is it possible to exempt an account from 2FA if it is enforced at the organization level?

SOLVED
JesusCasero
Here to help

Is it possible to exempt an account from 2FA if it is enforced at the organization level?

I need programmatic access to the Dashboard API of an MSP customer and I am provisioning an administrative account that would be pretty much unmanned but with access to all the current and upcoming organizations.

 

My question is: if 2FA is enforced at the organization level, is there any way to exempt specific accounts of adhering to the 2FA requirement?

 

The account will authenticate to the dashboard API using the API key generated for the account, rarely it will be used for interactive sessions, only as soon as it is given access to new organizations and login to the GUI is required to validate the addition. I'd like to avoid binding the second factor to SMS received on a phone number or a Google Authenticator OTP.

 

Thanks in advance!

1 ACCEPTED SOLUTION
Bettencourt
Meraki Employee
Meraki Employee

Hello,

 

There isn't a way to disable 2FA for certain accounts if it is being enforced globally.

View solution in original post

6 REPLIES 6
Bettencourt
Meraki Employee
Meraki Employee

Hello,

 

There isn't a way to disable 2FA for certain accounts if it is being enforced globally.

I was afraid that would be the case but I needed to ask. Thank you!

PhilipDAth
Kind of a big deal
Kind of a big deal

MFA is only used for interactive authentication.  It is not used for API access.

Thanks for the clarification, I am aware that it won't be an issue for programmatic access but interactive login will be also required from time to time:

 

"The account will authenticate to the dashboard API using the API key generated for the account, rarely it will be used for interactive sessions, only as soon as it is given access to new organizations and login to the GUI is required to validate the addition"

 

Regards,

 

JC

If the issue is having to use TXT messages - why don't you use the QR code and something like Microsoft or Google Authenticator?

You can load the QR code onto as many phones as you like (or even use something like Authy from a computer).

Hi Philip,

 

Thanks for the suggestions, appreciated. However, the only option that fits for purpose in this case from the Day 2 perspective is to override 2FA. Obviously, since it is not technically possible, we will need to put a small IAM process around this account.

 

Regards,

 

JC

Get notified when there are additional replies to this discussion.