--- title: "Enabling & Managing MFA" slug: "enabling-and-managing-mfa" updated: 2025-10-16T15:45:13Z published: 2025-10-16T15:45:13Z --- > ## Documentation Index > Fetch the complete documentation index at: https://navigator.apprentice.io/llms.txt > Use this file to discover all available pages before exploring further. # Enabling & Managing MFA **Welcome to Apprentice Navigator!** To access the full Apprentice knowledge base, log in to Navigator. To learn more, review the [Logging in to Navigator](https://navigator.apprentice.io/docs/logging-in-to-the-apprentice-knowledge-base-navigator) article. Tempo users that are not otherwise managing their login via Single Sign-On (SSO) have the option to enable Multi-Factor Authentication (MFA) through Google Authenticator on their mobile device. MFA increases account security by requiring multiple pieces of evidence (e.g., the account password and a verification code from an authentication application) before a user may log in to an account. Review the sections below to learn how to enable MFA for your Tempo account. This article is composed of the following sections: - [Installing Google Authenticator on your mobile device](/v1/docs/enabling-and-managing-mfa#installing-google-authenticator-on-your-mobile-device) - [Enabling MFA during log in](/v1/docs/enabling-and-managing-mfa#enabling-mfa-during-log-in) - [Enabling MFA after log in](/v1/docs/enabling-and-managing-mfa#enabling-mfa-after-log-in) - [Changing the mobile device you use for MFA](/v1/docs/enabling-and-managing-mfa#changing-the-mobile-device-you-use-for-mfa) - [Disabling MFA](/v1/docs/enabling-and-managing-mfa#disabling-mfa) - [Managing MFA with SSO](/v1/docs/enabling-and-managing-mfa#managing-mfa-with-sso) ## Installing Google Authenticator on your mobile device 1. Open the relevant app store for your mobile device (e.g., Apple App Store or Google Play) and search for **Google Authenticator**. 2. Locate the Google Authenticator app (published by Google LLC) and tap the **Install** or **Get** button. 3. After the app completes installation, tap **Open** to open the app. Then, complete the steps in either the [Enabling MFA during log in](/v1/docs/enabling-and-managing-mfa#enabling-mfa-during-log-in) or [Enabling MFA after log in](/v1/docs/enabling-and-managing-mfa#enabling-mfa-after-log-in) section below using your mobile device and the Tempo web application. ## Enabling MFA during log in **NOTE:** For more information about logging in to the Tempo web app, review the [Logging in & out of the Tempo Manufacturing Cloud](/v1/docs/logging-in-out-of-the-tempo-manufacturing-cloud) article. During the login process on the Tempo web app, a QR code displays to enable a user to conveniently set up MFA after providing their email address and password. 1. On your mobile device, ensure that the Google Authenticator app is installed and open. - For new Google Authentication apps, select **Get Started** > **Scan a QR Code**. - For existing apps, select the **+** (plus) icon > **Scan a QR Code**. 2. In the Tempo web application, locate the QR code. Use Google Authenticator to scan the QR code with your device's camera. 3. A six-digit code, which changes every 30 seconds, displays within Google Authenticator. To complete the setup process, type the six-digit code into the **Token** field in the Tempo web application, then click **Verify**. This enables MFA for your Tempo account. ## Enabling MFA after log in 1. On the left navigation panel, click *account_circle* **Profile** 2. Click **Security**. 3. In the Multi-Factor Authentication section of the page, click **Enable Multi-Factor Authentication**. A QR code displays. 4. On your mobile device, ensure that the Google Authenticator app is installed and open. - For new Google Authentication apps, select **Get Started** > **Scan a QR Code**. - For existing apps, select the **+** (plus) icon > **Scan a QR Code**. 5. In the Tempo web application, locate the QR code in the Multi-Factor Authentication section. Use Google Authenticator to scan the QR code with your device's camera. 6. A six-digit code, which changes every 30 seconds, displays within Google Authenticator. To complete the setup process, type the six-digit code into the **Token** field in the Tempo web application, then click **Verify**. This enables MFA for your Tempo account. ## Disabling MFA 1. Within the Tempo web application, hover over the left navigation panel, then click **My Profile**. 2. Click **Security**. 3. In the Multi-Factor Authentication section of the page, click **Disable**, then click **Confirm** (if necessary). **TIP:** If you have changed devices or disabled MFA for your Tempo account, you may wish to remove the old credential from your Google Authentication app. Do not remove active credentials, or you may be prevented from logging in to an account. ## Changing the mobile device you use for MFA If you get a new mobile device or need to change devices for another reason, you can disable and re-enable MFA within the Tempo web application. **NOTE:** To change your mobile device using the method below, you must have access to both devices. If you lose the mobile device that you use for MFA, contact your system admin to disable MFA from that device and regain access to your account. 1. On the left navigation panel, click *account_circle* **Profile** 2. Click **Security**. 3. In the Multi-Factor Authentication section of the page, click **Disable**, then click **Confirm** (if necessary). 4. Click **Enable Multi-Factor Authentication**. A QR code displays. 5. On your new mobile device, ensure that the Google Authenticator app is installed and open. - For new Google Authentication apps, select **Get Started** > **Scan a QR Code**. - For existing apps, select the **+** (plus) icon > **Scan a QR Code**. 6. In the Tempo web application, locate the QR code in the Multi-Factor Authentication section. Use Google Authenticator to scan the QR code with your device's camera. 7. A six-digit code, which changes every 30 seconds, displays within Google Authenticator. To complete the setup process, type the six-digit code into the **Token** field in the Tempo web application, then click **Verify**. This replaces the mobile device for MFA for your Tempo account. ## Managing MFA with SSO Purpose: To configure a Conditional Access policy in Microsoft Entra that bypasses MFA for a specific enterprise application when accessed from a trusted network. **Pre-requisites** - Admin access to Microsoft Entra Admin Center - The target application must be registered or integrated with Microsoft Entra ID (Azure AD) - Custom Conditional Access policies should be used (not Security Defaults) - A trusted network (IP range) should be defined for the organization **Steps to Disable MFA for a Specific App on a Trusted Network** **1. LogintoMicrosoftEntraAdminCenter** - URL: [https://entra.microsoft.com](https://entra.microsoft.com) - Sign in with a user who has Conditional Access Administrator or Global Administrator privileges **2. Define a Trusted Network (NamedLocation)** - In the left navigation pane: - Go to: Protection > Conditional Access > Named locations - Click on **+New location** - Name the location (e.g., "Corporate Office Network") - Under **IP ranges**, specify the trusted network's IP range (e.g., 203.0.113.0/24) - **Mark as trusted location** - Click **Create** **3. Review Existing MFA Policies** - Navigate to: Protection > Conditional Access > Policies - Check if there is a policy enforcing MFA for “All cloud apps” or specific users - If such a policy exists, you will **exclude the app** in Step 6 **4. (Optional) Define a User Group for Targeting** - Go to: Identity > Groups > + New group - Create a group such as AppName - No MFA Users if you want this to apply only to specific users **5. Create or Update a Conditional Access Policy** **Option A: *Edit Existing MFA Policy*** - Open the policy that enforces MFA (e.g., “Require MFA for All Users”) - Under **Cloud apps or actions:** - Select **Exclude> Select apps** - Search and exclude the target application (e.g., “Bitwarden Enterprise”) - Under **Locations:** - Select **Include>All locations** - Select **Exclude>Selected locations** - Choose the trusted location (e.g., “Corporate Office Network”) - Click **Save** **Option B: *Create New Policy That Bypasses MFA on Trusted Network*** - Go to: Protection > Conditional Access > Policies > + New policy - Name it: Exclude MFA for AppName from Trusted Network **UnderAssignments:** - **Users**: Select the users/groups who access the app - **Cloud apps**: Choose the specific app (e.g., “Bitwarden”) **Under Conditions:** - **Locations:** - Set **Include> All locations** - Set **Exclude> Selected locations** and select the trusted network (e.g., “Corporate Office Network”) **Under Access Controls:** - **Grant:** - Select **Grant access** - Skip Require multi-factor authentication (no MFA here) - Click **Create** **6. Validate Policy Behavior (What If Tool)** - Go to: Conditional Access > What If - Simulate a sign-in by choosing a user, app, and location - Confirm that the MFA policy **does not apply** when accessing from the trusted network ### ExpectedResult - Users accessing the specified app from the trusted network (defined by IP range) will not be prompted for MFA - MFA continues to apply when accessing the app from non-trusted locations or networks ### ⚠️**Notes&Caveats** **Security Defaults** - Must be **disabled** if you use custom Conditional Access **Risk-based MFA** - Other policies (e.g., risky sign-ins) may still trigger MFA **MFA registration** - This does not prevent users from being prompted to register for MFA **App-specific sessions** - Some apps may cache credentials — always test with incognito/private browsing ### **Rollback Plan- To undo changes:** - Re-enable MFA by either: - Removing the exclusion from the original policy, or - Disabling the “Exclude MFA” policy - Test with the What If tool again to confirm MFA is re-applied