Hey everyone,
My organization already uses Microsoft Entra ID (Azure) and Okta for all our corporate logins. Instead of managing separate MFA codes inside the Hexnode portal, is there a way to just “offload” the authentication to our existing Identity Providers?
9 Views
Hey @ethan_! Absolutely. If you’re already using an IdP, it’s much more efficient to enforce MFA at that level. This way, your technicians are challenged by your corporate security policies before they even reach the Hexnode portal.
To set this up:
Navigate to Admin > Logon Restrictions.
Scroll to Global SSO Login Settings.
Under Allowed SSO logins, check the boxes for your providers (Microsoft, Google, or Okta).
Once enabled, you can essentially let your IdP handle the “heavy lifting” of multi-factor verification.
That’s perfect. One more thing—what happens if one of my admins loses their phone or their Authenticator app starts giving “Invalid Code” errors? Is there a “break-glass” procedure?
Great questions. Here is a quick reference table for those scenarios:
|
Issue |
Solution |
|
Invalid App Code |
Ensure the phone’s time/date settings are set to Automatic. TOTP codes are time-sensitive; even a one-minute drift will cause a failure. |
|
Lost Device |
A Super Admin can go to that technician’s profile and click Reconfigure Authenticator app. This kills the old link and generates a new QR code. |
|
Portal Lockout |
Best Practice: Always have at least two Super Admins with MFA enabled on different devices. This prevents a single point of failure from locking you out. |
Important Note on Session Security:
Hexnode will automatically force a logout if someone tries to log into the same account from two different browsers or devices at the same time. We also recommend setting up a Logout Automatically timer under the technician’s profile for added security!
Don't have an account? Sign up
