Document MFA enforcement #26750

Merged
Dec 16, 2024
24 changes: 20 additions & 4 deletions content/en/account_management/login_methods.md
Expand Up @@ -17,21 +17,35 @@ The following login methods are available:

## Enabling or disabling a default login method

As an organization manager you can enable or disable the default login methods for your organization. New organizations start with **Datadog Username and Password** and **Sign in with Google** enabled and configured for all organizations and users. After you configure SAML, **Sign in with SAML** is also enabled.
As an organization manager, you can enable or disable the default login methods for your organization. New organizations start with **Datadog Username and Password** and **Sign in with Google** enabled and configured for all organizations and users. After you configure SAML, **Sign in with SAML** is also enabled.

1. Navigate to [Login Methods][3].
2. Set the **Enabled by Default** setting for each method to `On` or `Off`, according to your organization's preference or policy requirements.
3. Confirm your selection.

**Note**: You cannot disable all login methods for an organization. At least one login method must be enabled by default for your organization.

## Requiring Multi-factor Authentication

For enhanced security, organization managers can enforce [Multi-factor Authentication][4] (MFA) for all users in the organization that log in with an email and password.

1. Navigate to [Login Methods][3].
2. Set the **Require Multi-Factor Authentication** setting to `On` or `Off`, according to your organization's preference or policy requirements.
3. Confirm your selection.

Setting **Require Multi-Factor Authentication** to `On` has two effects:
- Users that log in with an email and password must register a second authentication factor before accessing the organization.
- In Login Methods, a link to [**View users without MFA**][5] appears. Click on the link to see the users list, filtered on users without MFA.

The setting to require multi-factor authentication is independent of the default login method settings. Regardless of which login methods you enable by default, enforcing MFA requires a second authentication factor for users that log in with an email and password.

## Reviewing user overrides

Using overrides, you can change the available login methods for individual users. In the following example, **Sign in with Google** is Off by default in the organization, but one user has it enabled by having an override set.

{{< img src="account_management/login_methods_disabled_overrides_set.png" alt="Login method disabled, with user override enabled" style="width:80%;">}}
{{< img src="account_management/login_methods_enabled_off.png" alt="Login method disabled, with user override enabled" style="width:80%;">}}

In [User Management][4], you can filter users by the override methods set, or view users who have the Default login methods enabled:
In [User Management][6], you can filter users by the override methods set, or view users who have the Default login methods enabled:

{{< img src="account_management/users/user_page_login_methods_override_view.png" alt="User Management view filtered to show users by login methods set." style="width:80%;">}}

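Review bot: The sentence describing the **View users without MFA** link understates what the list shows. The target URL in the reference list filters on `allowed_login_methods=standard`, `mfa_enabled=false` and `status=Active`, so the list contains only active users who sign in with an email and password; users who only sign in through Google or SAML never appear, and a reader could take the list for the complete set of users without a second factor. Suggest: "Click the link to see the user list, filtered to active users that log in with an email and password and have not registered MFA." Two smaller points in the same hunk: the section states the two effects of turning the setting `On` but not when an existing email/password user is prompted to register a factor (at next login, or immediately), which is the question an admin rolling this out will ask; and the new screenshot `login_methods_enabled_off.png` keeps the alt text of the image it replaces ("Login method disabled, with user override enabled"), so confirm that text still describes the new image.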
Expand All @@ -40,4 +54,6 @@ You can edit the user's overrides or remove the override altogether to allow the
[1]: /account_management/users/#edit-a-users-login-methods
[2]: /account_management/saml/
[3]: https://app.datadoghq.com/organization-settings/login-methods
[4]: https://app.datadoghq.com/organization-settings/users
[4]: /account_management/multi-factor_authentication/
[5]: https://app.datadoghq.com/organization-settings/users?filter%5Ballowed_login_methods%5D=standard&filter%5Bmfa_enabled%5D=false&filter%5Bstatus%5D=Active
[6]: https://app.datadoghq.com/organization-settings/users
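Review bot: Reference `[4]` changes target from the users page to the MFA documentation, and the users page moves to `[6]`. The hunk above shows the User Management sentence updated to `[6]`, but the first 16 lines of the file are outside the diff, so check that no other `[4]` reference remains that still expects the users page. Appending the new MFA link and the filtered-users link as `[5]` and `[6]` while leaving `[4]` as the users page would have avoided retargeting an existing reference at all.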
12 changes: 7 additions & 5 deletions content/en/account_management/multi-factor_authentication.md
Expand Up @@ -10,6 +10,7 @@ Multi-Factor Authentication (MFA), or Two-Factor Authentication (2FA) requires a

- **MFA for native Datadog accounts**: MFA is available as an extra layer of security during login for accounts that log into Datadog directly using an email and password. Native email/password accounts are more vulnerable to attack than accounts maintained through an identity provider.
- **Opt-in MFA**: MFA is available for end users as an optional feature. Enable MFA at any time through your personal settings.
- **Mandatory MFA**: Administrators can require all users in an organization that log in with an email and password to register a second authentication factor before accessing the organization. To turn on MFA enforcement, see [Login methods][1].
- **Authenticator apps**: Any authenticator app that supports time-based one-time password (TOTP) authentication can be used for MFA. Examples include Microsoft Authenticator, Google Authenticator, Authy, and Duo.

## Limitations
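Review bot: The new **Mandatory MFA** bullet says "Administrators" can require MFA, while the matching **Requiring Multi-factor Authentication** section added to `login_methods.md` in this same PR says "organization managers"; use one role name in both files so readers know which permission the setting needs. It would also help to state in this bullet, as `login_methods.md` does, that enforcement applies only to email/password logins and is independent of the default login method settings, since this bullet is the first place many readers will meet the feature.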
Expand All @@ -24,7 +25,7 @@ To configure MFA for your account, log in using your **email and password**. Use

## Configure MFA for your user account

To find the [Password & Authentication page][1]:
To find the [Password & Authentication page][2]:

1. Ensure you are logged in with a username and password combination, not through SSO.
1. Navigate to **Personal Settings** from your account menu.
Expand All @@ -47,7 +48,7 @@ To view if a user has MFA configured or not, you can filter on the Users table.

If you don't have access to your authenticator app, during the login process you can use a recovery code instead of a one-time password. Each of the recovery codes can only be used once.

1. Navigate to the [login page][2].
1. Navigate to the [login page][3].
1. Enter your email address and password, then select **Log in**.
1. Select **Don't have access to your authenticator?**
1. Enter one of your unused recovery codes and click **Verify**.
Expand All @@ -56,7 +57,7 @@ If you don't have access to your authenticator app, during the login process you

If you don't have access to your authenticator app or recovery codes, during the login process you can request a one-time recovery link via email.

1. Navigate to the [login page][2].
1. Navigate to the [login page][3].
1. Enter your email address and password, then select **Log in**.
1. Select **Don't have access to your authenticator?**
1. Select **Don't have access to your recovery codes? Get a one time recovery link via email.**
Expand All @@ -65,5 +66,6 @@ If you don't have access to your authenticator app or recovery codes, during the

If you have lost access to your registered authenticator app, Datadog recommends that you remove the lost device and add a new one. Maintaining a valid authenticator app helps prevent issues logging into your account in the future.

[1]: https://app.datadoghq.com/personal-settings/password-and-authentication
[2]: https://app.datadoghq.com
[1]: /account_management/login_methods/#requiring-multi-factor-authentication
[2]: https://app.datadoghq.com/personal-settings/password-and-authentication
[3]: https://app.datadoghq.com
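Review bot: Inserting the new login-methods link as `[1]` forces every existing reference in this file to be renumbered (`[1]` to `[2]` and `[2]` to `[3]` in the hunks above), which makes the diff noisier than the one-line documentation change warrants and risks a reference being missed outside the shown context; appending it as `[3]` would have left the other two links untouched. Either way, confirm that no `[1]` or `[2]` remains in the unchanged parts of the file (for example, the **Limitations** section) that still expects the old targets.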