Oracle’s MFA policy for Oracle Cloud Infrastructure (OCI)

Oracle’s MFA policy for Oracle Cloud Infrastructure (OCI) – Navigating Multi-Factor Authentication

Tej Bople
Brovanture Consultant

A Guide for Customers – Introduction

As part of its ongoing commitment to enhancing security measures, Oracle has announced the implementation of Multi-Factor Authentication (MFA) in Oracle Cloud Infrastructure (OCI) for all customers. This move is aimed at bolstering the protection of sensitive data and safeguarding against potential security threats.

The OCI MFA Policy Overview states that the MFA policy, named “Security Policy for OCI Console,” will be created by Oracle for customers who do not have Single Sign-On (SSO) configured. The policy will be activated in batches, commencing from 20th July. This applies both to customers recently migrated to OCI Gen2 and to existing OCI customers.

How to avoid MFA

While MFA is highly recommended for its added layers of security, some customers may have concerns or queries about its implementation. In this blog, we will delve into the details of Oracle’s MFA policy for OCI and explore the available options for customers to navigate this change effectively. We recommend the following two options:

Option 1: Activate Policy and Exclude Users

One approach to handle the MFA activation is to keep only essential users under the policy, leaving out others. Here’s how you can execute this option:

1. Create an Identity Domain Administrator User

Start by creating a new admin user, who will have the authority to manage the MFA policy and other administrative tasks. Once the admin user is in place, exclude all other users from the MFA policy. This ensures that only the authorized administrator will be affected by the MFA requirement.

2. Create a Temporary User

To effectively implement the policy, select a temporary user as the sole entity subject to MFA. This approach allows you to thoroughly test the MFA workflow while minimizing its impact on users.

Option 2: Deleting the MFA Policy

For customers who wish to avoid MFA activation altogether, Oracle has confirmed that once the MFA policy is deleted, it will not be recreated. Here’s how you can proceed with this option:

1. Identity Domain Administrator Privilege

Ensure that the user deleting the policy is an Identity Domain Administrator.

2. Deleting the MFA Policy

The Identity Domain Administrator can then proceed to delete the MFA policy, effectively bypassing MFA requirements for all users.


Multi-Factor Authentication (MFA) is a vital aspect of modern cybersecurity, providing an extra layer of protection for cloud infrastructure and user accounts. While Oracle Cloud Infrastructure (OCI) implements MFA to enhance security, customers have the flexibility to choose from two available options to navigate this change effectively. Whether it is configuring MFA for a select group of users or opting to delete the policy altogether, customers can make informed decisions based on their unique security requirements.

Remember, while MFA may cause initial concerns, its implementation will provide peace of mind and strengthen the overall security posture of your organization’s OCI infrastructure. Stay safe, secure, and ahead in the cloud journey!

Until next time

