Meraki

Community

Is it possible to exempt an account from 2FA if it is enforced at the organization level?

Solved
JesusCasero
Here to help
‎May 31 2022 1:26 AM
‎May 31 2022 1:26 AM

Is it possible to exempt an account from 2FA if it is enforced at the organization level?

I need programmatic access to the Dashboard API of an MSP customer and I am provisioning an administrative account that would be pretty much unmanned but with access to all the current and upcoming organizations.

 

My question is: if 2FA is enforced at the organization level, is there any way to exempt specific accounts of adhering to the 2FA requirement?

 

The account will authenticate to the dashboard API using the API key generated for the account, rarely it will be used for interactive sessions, only as soon as it is given access to new organizations and login to the GUI is required to validate the addition. I'd like to avoid binding the second factor to SMS received on a phone number or a Google Authenticator OTP.

 

Thanks in advance!

0 Kudos
1 Accepted Solution
Bettencourt
Meraki Employee
Meraki Employee
‎May 31 2022 2:12 AM
‎May 31 2022 2:12 AM

Hello,

 

There isn't a way to disable 2FA for certain accounts if it is being enforced globally.

View solution in original post

6 Replies 6
Bettencourt
Meraki Employee
Meraki Employee
‎May 31 2022 2:12 AM
‎May 31 2022 2:12 AM

Hello,

 

There isn't a way to disable 2FA for certain accounts if it is being enforced globally.

In response to Bettencourt
JesusCasero
Here to help
‎May 31 2022 2:14 AM
‎May 31 2022 2:14 AM

I was afraid that would be the case but I needed to ask. Thank you!

0 Kudos
PhilipDAth
Kind of a big deal
Kind of a big deal
‎May 31 2022 2:12 PM
‎May 31 2022 2:12 PM

MFA is only used for interactive authentication.  It is not used for API access.

0 Kudos
In response to PhilipDAth
JesusCasero
Here to help
‎May 31 2022 2:20 PM
‎May 31 2022 2:20 PM

Thanks for the clarification, I am aware that it won't be an issue for programmatic access but interactive login will be also required from time to time:

 

"The account will authenticate to the dashboard API using the API key generated for the account, rarely it will be used for interactive sessions, only as soon as it is given access to new organizations and login to the GUI is required to validate the addition"

 

Regards,

 

JC

0 Kudos
In response to JesusCasero
PhilipDAth
Kind of a big deal
Kind of a big deal
‎May 31 2022 2:22 PM
‎May 31 2022 2:22 PM

If the issue is having to use TXT messages - why don't you use the QR code and something like Microsoft or Google Authenticator?

You can load the QR code onto as many phones as you like (or even use something like Authy from a computer).

0 Kudos
In response to PhilipDAth
JesusCasero
Here to help
‎Jun 1 2022 3:33 PM
‎Jun 1 2022 3:33 PM

Hi Philip,

 

Thanks for the suggestions, appreciated. However, the only option that fits for purpose in this case from the Day 2 perspective is to override 2FA. Obviously, since it is not technically possible, we will need to put a small IAM process around this account.

 

Regards,

 

JC

0 Kudos
Get notified when there are additional replies to this discussion.
Welcome to the Meraki Community!
To start contributing, simply sign in with your Cisco account. If you don't yet have a Cisco account, you can sign up.
© 2024 Cisco Systems, Inc.