Enabling MFA Enforcement in Google Workspace

Remediations

5 mins

To allow Rotate to perform one-click MFA enforcement in your Google Workspace tenant, a one-time manual setup is required by an administrator. This enables Rotate to enforce MFA safely and securely without risking user lockout.

🛡️ How MFA Enforcement Works in Rotate

When using Rotate's one-click MFA enforcement:

If the user has MFA disabled, Rotate will not enforce MFA, to avoid locking the user out.
If the user has MFA enabled, Rotate will:
1. Add the user to a special group: Mfa Enforced Group.
2. This group must have a Google policy that enforces 2-step verification.
3. MFA enforcement takes effect based on this group's policy.

⚠️ Important: Google does not allow this group-based MFA policy to be configured via API. You must manually configure it once as an admin.

✅ One-Time Setup Instructions (Admin Only)

To enable Rotate's enforcement to work, follow these steps:

Log in to your Google Admin console.
In the left sidebar, go to:

Security → Authentication → 2-step verification
Locate the group called mfa_enforced_group@yourdomain.com.
Under the Enforcement section:
- Choose "On" to enforce MFA immediately.
  
  OR
- Choose "On from" to set a future enforcement date.
(Optional) Adjust other settings:
- New user enrollment period: Set grace time before enforcement applies.
- Frequency: Choose if users can "trust" devices.
- Methods: Keep as "Any" unless you want to restrict options.

🔁 Recap of User MFA States

User Status	Rotate Behavior
MFA not enabled, not enforced	🚫 Do not enforce (to avoid lockout)
MFA not enabled, enforcement active	🔒 User may be locked out
MFA enabled, not enforced	✅ Safe to enforce via group
MFA enabled, enforced	🔒 Already protected

📌 Notes

The group Mfa Enforced Group is automatically created by Rotate.
Enforcement settings must be applied once manually.
This setup allows Rotate to maintain security without interrupting user access.
Rotate adds the users with enabled MFA to the group anyway, but the enforcement will take place only after you configure the group as described.

Let us know if you need help configuring your workspace — our support team is ready to assist.

Frequently Asked Questions

Sign-ins

What is an "Impossible Travel" sign-in event?

This occurs when a user logs in from two distant locations within a time period that would be physically impossible. For example:

8:00 AM: Sign-in from New York.
8:15 AM: Sign-in from London. This indicates possible account compromise or session hijacking.

Why is sign-in monitoring important for security?

Sign-in logs help detect unauthorized access attempts, brute-force attacks, and compromised accounts. Reviewing sign-ins can reveal impossible travel scenarios, MFA bypass attempts, or login anomalies that indicate potential breaches.

How can creating policies help enhance security?

Creating policies allows you to:

Proactively Manage Threats: Implement rules that automatically respond to unusual or unauthorized activities, helping to mitigate potential risks before they escalate.
Customize Security Measures: Tailor security settings to fit the unique needs of your organization, ensuring that protective measures align with your specific security goals.
Ensure Compliance: Maintain compliance with regulatory requirements by enforcing consistent policies that govern data access and user behavior.

Remediations

How to enforce MFA on a user

To enforce Multi-Factor Authentication (MFA) on a user in our platform, follow these steps:

Go to Identity Hub.
Click on the selected user.
Navigate to the Remediations tab.
Scroll to the Enforce MFA section.
Select the application where you wish to enforce MFA for the user.
Click Enforce.

MFA will then be enforced for the user on the selected application.

How to reset a user password

To reset a user’s password on our platform, follow these steps:

Go to Identity Hub.
Click on the selected user.
Navigate to the Remediations tab.
Scroll to the Reset Password section.
Select the integration where you wish to reset the user's password.
Click Reset Password.
Follow any additional instructions if prompted.

The user’s password will then be reset according to the selected integration’s requirements.

How to Suspend a User

How to suspend a user

To suspend a user on our platform, follow these steps:

Go to Identity Hub.
Click on the selected user.
Navigate to the Remediations tab.
Scroll to the Suspend Account section.
Select the integrations from which you'd like to suspend the user.
Click Suspend.

The user will then be suspended from the chosen integrations.

General

How Rotate Enhances Identity Security

Rotate's Identity Hub offers a comprehensive suite of features designed to strengthen your organization's identity security:

User and Device Management: Gain visibility into user details, monitor actions, and manage connected devices and applications.
Security Enforcement: Enforce Multi-Factor Authentication (MFA) and strong password policies, and enroll employees in security awareness training programs.
Remediation Actions: Quickly respond to threats by suspending accounts, resetting passwords, disconnecting users from all apps and devices, and enforcing MFA.
Access Monitoring and Anomaly Detection: Track login behaviors with geo-location heatmaps and AI-driven insights to detect risky activities and anomalies, such as impossible travel or suspicious login times and locations.
Policy Management: Create and enforce security policies with specific actions like alerts or restrictions to address potential threats.

By integrating these capabilities, Rotate's Identity Hub provides a robust framework to protect your organization against identity-related threats.

Enabling MFA Enforcement in Google Workspace

🛡️ How MFA Enforcement Works in Rotate​

✅ One-Time Setup Instructions (Admin Only)​

🔁 Recap of User MFA States​

📌 Notes​