Login
      Contents x
      Enabling & Managing MFA
      • 17 Apr 2025
      • 6 Minutes to read
      • Print
      • Dark
        Light
      Contents

      Enabling & Managing MFA

      • Updated on 17 Apr 2025
      • 6 Minutes to read
      • Print
      • Dark
        Light
      Article summary

      Welcome to Apprentice Navigator!
      To access the full Apprentice knowledge base, log in to Navigator. To learn more, review the Logging in to Navigator article.

      Who can use this feature?
        🌐 ✔️ MES (v6.5.X, v7.X.X) ✔️ AWI (v6.5.X, v7.X.X) ✔️ LES (v6.5.X, v7.X.X) ✔️ Tandem (v6.5.X, v7.X.X)
        💻 Web app
        👤 All users


      Tempo users that are not otherwise managing their login via Single Sign-On (SSO) have the option to enable Multi-Factor Authentication (MFA) through Google Authenticator on their mobile device.

      MFA increases account security by requiring multiple pieces of evidence (e.g., the account password and a verification code from an authentication application) before a user may log in to an account. Review the sections below to learn how to enable MFA for your Tempo account.

      This article is composed of the following sections:

      Installing Google Authenticator on your mobile device

      1. Open the relevant app store for your mobile device (e.g., Apple App Store or Google Play) and search for Google Authenticator.
      2. Locate the Google Authenticator app (published by Google LLC) and tap the Install or Get button.
      3. After the app completes installation, tap Open to open the app. Then, complete the steps in either the Enabling MFA during log in or Enabling MFA after log in section below using your mobile device and the Tempo web application.

      Enabling MFA during log in

      NOTE:

      For more information about logging in to the Tempo web app, review the Logging in & out of the Tempo Manufacturing Cloud article.

      During the login process on the Tempo web app, a QR code displays to enable a user to conveniently set up MFA after providing their email address and password.

      1. On your mobile device, ensure that the Google Authenticator app is installed and open.
        • For new Google Authentication apps, select Get Started > Scan a QR Code.
        • For existing apps, select the + (plus) icon > Scan a QR Code.
      2. In the Tempo web application, locate the QR code. Use Google Authenticator to scan the QR code with your device's camera.
      3. A six-digit code, which changes every 30 seconds, displays within Google Authenticator. To complete the setup process, type the six-digit code into the Token field in the Tempo web application, then click Verify. This enables MFA for your Tempo account.

      Enabling MFA after log in

      1. On the left navigation panel, click account_circle Profile
      2. Click Security.
      3. In the Multi-Factor Authentication section of the page, click Enable Multi-Factor Authentication. A QR code displays.
      4. On your mobile device, ensure that the Google Authenticator app is installed and open.
        • For new Google Authentication apps, select Get Started > Scan a QR Code.
        • For existing apps, select the + (plus) icon > Scan a QR Code.
      5. In the Tempo web application, locate the QR code in the Multi-Factor Authentication section. Use Google Authenticator to scan the QR code with your device's camera.
      6. A six-digit code, which changes every 30 seconds, displays within Google Authenticator. To complete the setup process, type the six-digit code into the Token field in the Tempo web application, then click Verify. This enables MFA for your Tempo account.

      Disabling MFA

      1. Within the Tempo web application, hover over the left navigation panel, then click My Profile.
      2. Click Security.
      3. In the Multi-Factor Authentication section of the page, click Disable, then click Confirm (if necessary).
      TIP:

      If you have changed devices or disabled MFA for your Tempo account, you may wish to remove the old credential from your Google Authentication app. Do not remove active credentials, or you may be prevented from logging in to an account.

      Changing the mobile device you use for MFA

      If you get a new mobile device or need to change devices for another reason, you can disable and re-enable MFA within the Tempo web application.

      NOTE:

      To change your mobile device using the method below, you must have access to both devices. If you lose the mobile device that you use for MFA, contact your system admin to disable MFA from that device and regain access to your account.

      1. On the left navigation panel, click account_circle Profile
      2. Click Security.
      3. In the Multi-Factor Authentication section of the page, click Disable, then click Confirm (if necessary).
      4. Click Enable Multi-Factor Authentication. A QR code displays.
      5. On your new mobile device, ensure that the Google Authenticator app is installed and open.
        • For new Google Authentication apps, select Get Started > Scan a QR Code.
        • For existing apps, select the + (plus) icon > Scan a QR Code.
      6. In the Tempo web application, locate the QR code in the Multi-Factor Authentication section. Use Google Authenticator to scan the QR code with your device's camera.
      7. A six-digit code, which changes every 30 seconds, displays within Google Authenticator. To complete the setup process, type the six-digit code into the Token field in the Tempo web application, then click Verify. This replaces the mobile device for MFA for your Tempo account.

      Managing MFA with SSO

      Purpose: To configure a Conditional Access policy in Microsoft Entra that bypasses MFA for a specific enterprise application when accessed from a trusted network.
      Pre-requisites

      • Admin access to Microsoft Entra Admin Center
      • The target application must be registered or integrated with Microsoft Entra ID (Azure AD)
      • Custom Conditional Access policies should be used (not Security Defaults)
      • A trusted network (IP range) should be defined for the organization

      Steps to Disable MFA for a Specific App on a Trusted Network
      1. LogintoMicrosoftEntraAdminCenter

      • URL: https://entra.microsoft.com

      • Sign in with a user who has Conditional Access Administrator or Global Administrator privileges
        2. Define a Trusted Network (NamedLocation)

      • In the left navigation pane:

        • Go to: Protection > Conditional Access > Named locations
        • Click on +New location
        • Name the location (e.g., "Corporate Office Network")
        • Under IP ranges, specify the trusted network's IP range (e.g., 203.0.113.0/24)
        • Mark as trusted location
        • Click Create
          3. Review Existing MFA Policies

      • Navigate to:
        Protection > Conditional Access > Policies

      • Check if there is a policy enforcing MFA for “All cloud apps” or specific users

      • If such a policy exists, you will exclude the app in Step 6

      4. (Optional) Define a User Group for Targeting

      • Go to:
        Identity > Groups > + New group

      • Create a group such as AppName - No MFA Users if you want this to apply only to specific users
        5. Create or Update a Conditional Access Policy
        Option A: Edit Existing MFA Policy

      • Open the policy that enforces MFA (e.g., “Require MFA for All Users”)

      • Under Cloud apps or actions:

        • Select Exclude> Select apps
        • Search and exclude the target application (e.g., “Bitwarden Enterprise”)

      • Under Locations:

        • Select Include>All locations
        • Select Exclude>Selected locations
        • Choose the trusted location (e.g., “Corporate Office Network”)
        • Click Save
          Option B: Create New Policy That Bypasses MFA on Trusted Network

      • Go to:
        Protection > Conditional Access > Policies > + New policy

      • Name it: Exclude MFA for AppName from Trusted Network
        UnderAssignments:

      • Users: Select the users/groups who access the app

      • Cloud apps: Choose the specific app (e.g., “Bitwarden”)
        Under Conditions:

      • Locations:

        • Set Include> All locations
        • Set Exclude> Selected locations and select the trusted
          network (e.g., “Corporate Office Network”)

      Under Access Controls:

      • Grant:

        • Select Grant access
        • Skip Require multi-factor authentication (no MFA here)
        • Click Create
          6. Validate Policy Behavior (What If Tool)

      • Go to:
        Conditional Access > What If

      • Simulate a sign-in by choosing a user, app, and location

      • Confirm that the MFA policy does not apply when accessing from the trusted network

      ExpectedResult

      • Users accessing the specified app from the trusted network (defined by IP range) will not be prompted for MFA
      • MFA continues to apply when accessing the app from non-trusted locations or networks

      ⚠️Notes&Caveats

      Security Defaults

      • Must be disabled if you use custom Conditional Access

      Risk-based MFA

      • Other policies (e.g., risky sign-ins) may still trigger MFA

      MFA registration

      • This does not prevent users from being prompted to
        register for MFA

      App-specific sessions

      • Some apps may cache credentials — always test with

      incognito/private browsing

      Rollback Plan- To undo changes:

      • Re-enable MFA by either:
        • Removing the exclusion from the original policy, or
        • Disabling the “Exclude MFA” policy
      • Test with the What If tool again to confirm MFA is re-applied
      What's Next
      Change password!
      Changing your password will log you out immediately. Use the new password to log back in.
      Change profile
      Success!
      First name must have atleast 2 characters. Numbers and special characters are not allowed.
      Last name must have atleast 1 characters. Numbers and special characters are not allowed.
      Enter a valid email
      Enter a valid password
      Your profile has been successfully updated.
      Logout