---
title: >-
  Identity domains should have an active sign-on policy that enforces MFA for
  OCI console access
description: Datadog, the leading service for cloud-scale monitoring.
breadcrumbs: >-
  Docs > Datadog Security > OOTB Rules > Identity domains should have an active
  sign-on policy that enforces MFA for OCI console access
---

# Identity domains should have an active sign-on policy that enforces MFA for OCI console access
 
## Description{% #description %}

Multi-factor authentication (MFA) is an essential security control that requires users to provide additional verification beyond passwords. Identity domains should have an active console sign-on policy that enforces MFA for all users to protect against credential-based attacks and unauthorized access. Appropriate sign-on policies should be configured for each identity domain to ensure comprehensive protection across your tenancy. If necessary, the "Exclude users" setting in a sign-on policy rule can be used to exclude "break glass" type emergency access user accounts from MFA requirements.

## Remediation{% #remediation %}

In identity domain policy settings, update either `Security Policy for OCI Console` or `Default Sign-On Policy`, and ensure that the policy has the following settings configured:

- Policy `Status` is `Activated`
- At least one policy rule has `Action` set to `Allow access` and `Prompt for an additional factor` is enabled

**Note**: Factor settings can be configured to `Any factor` or `Specified factors only` as appropriate.
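As an added example (not part of this rule page and not Datadog's or Oracle's code), the following Python checker evaluates the two conditions above for one identity domain and also surfaces any accounts excluded from MFA by an enforcing rule, so "break glass" exclusions can be reviewed rather than silently accepted. The `SignOnPolicy` and `SignOnRule` dataclasses are an assumed, simplified representation using the console labels from this page; they are not the OCI Identity Domains API schema, and the factor names and user names in the sample data are constructed.

```python
from dataclasses import dataclass, field
from typing import List, Tuple

# Names of the two identity-domain policies the remediation text refers to.
CONSOLE_POLICY_NAMES = ("Security Policy for OCI Console", "Default Sign-On Policy")


@dataclass
class SignOnRule:
    """Simplified sign-on policy rule (assumed shape, not the OCI API schema)."""
    name: str
    action: str                         # "Allow access" or "Deny access"
    prompt_additional_factor: bool      # the "Prompt for an additional factor" toggle
    factor_setting: str = "Any factor"  # or "Specified factors only"
    specified_factors: Tuple[str, ...] = ()
    excluded_users: Tuple[str, ...] = ()  # the "Exclude users" setting (break-glass accounts)


@dataclass
class SignOnPolicy:
    """Simplified sign-on policy (assumed shape, not the OCI API schema)."""
    name: str
    status: str                         # "Activated" or "Deactivated"
    rules: List[SignOnRule] = field(default_factory=list)


def rule_enforces_mfa(rule: SignOnRule) -> bool:
    """A rule enforces MFA when it allows access AND prompts for a second factor.

    Under "Specified factors only" at least one factor must actually be selected;
    a prompt that no factor can satisfy is treated as not enforcing.
    """
    if rule.action != "Allow access" or not rule.prompt_additional_factor:
        return False
    if rule.factor_setting == "Specified factors only" and not rule.specified_factors:
        return False
    return True


def evaluate_domain(policies: List[SignOnPolicy]) -> dict:
    """Return a finding for one identity domain.

    compliant  -> at least one console sign-on policy is Activated and has an
                  MFA-enforcing rule
    reasons    -> why each console policy did or did not satisfy the rule
    exclusions -> users excluded from MFA by an enforcing rule, for review
    """
    reasons, exclusions, compliant = [], [], False
    for policy in policies:
        if policy.name not in CONSOLE_POLICY_NAMES:
            continue  # only the two console-facing policies count
        if policy.status != "Activated":
            reasons.append(f"{policy.name}: status is {policy.status}, not Activated")
            continue
        enforcing = [r for r in policy.rules if rule_enforces_mfa(r)]
        if not enforcing:
            reasons.append(f"{policy.name}: no rule with Allow access + additional factor")
            continue
        compliant = True
        reasons.append(f"{policy.name}: enforced by rule(s) {[r.name for r in enforcing]}")
        for r in enforcing:
            exclusions.extend(r.excluded_users)
    if not any(p.name in CONSOLE_POLICY_NAMES for p in policies):
        reasons.append("no console sign-on policy found")
    return {"compliant": compliant, "reasons": reasons, "exclusions": sorted(set(exclusions))}


# Constructed sample data: one domain that passes and one that fails the check.
COMPLIANT_DOMAIN = [
    SignOnPolicy("Default Sign-On Policy", "Deactivated", [
        SignOnRule("Default Rule", "Allow access", False)]),
    SignOnPolicy("Security Policy for OCI Console", "Activated", [
        SignOnRule("MFA for everyone", "Allow access", True,
                   "Specified factors only", ("Mobile App Passcode", "FIDO Authenticator"),
                   excluded_users=("breakglass.admin",))]),
]

NONCOMPLIANT_DOMAIN = [
    SignOnPolicy("Security Policy for OCI Console", "Deactivated", [
        SignOnRule("MFA for everyone", "Allow access", True)]),
    SignOnPolicy("Default Sign-On Policy", "Activated", [
        SignOnRule("Default Rule", "Allow access", False),       # no second factor
        SignOnRule("Block contractors", "Deny access", True)]),  # deny, not allow
]

if __name__ == "__main__":
    for label, domain in (("compliant", COMPLIANT_DOMAIN), ("noncompliant", NONCOMPLIANT_DOMAIN)):
        print(label, evaluate_domain(domain))
```

The `exclusions` list is deliberately returned even when the domain is compliant: an activated MFA policy with a long exclusion list is a weaker control than the status check alone suggests, so that list is what an auditor should compare against the approved set of emergency-access accounts.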

For further guidance on configuring sign-on policies and MFA in OCI Identity Domains, see the [Managing Sign-On Policies](https://docs.oracle.com/iaas/Content/Identity/signonpolicies/managingsignonpolicies.htm) section of the Oracle Cloud Infrastructure Documentation.
