Multifactor Authentication (MFA) Enforcement

To strengthen account protection, reduce credential‑related risk, and help meet compliance requirements, Oracle will begin enforcing multifactor authentication (MFA) for Fusion Applications environments.

When MFA is enforced, the following factors will be available to Fusion Applications users as additional authentication methods:

  • Email
  • SMS
  • Oracle Mobile Authenticator Passcode
  • Oracle Mobile Authenticator Notification
  • Fast ID Online (FIDO) Passkey Authenticator
  • Bypass code

The above list is a subset of the authentication factors that Oracle IAM offers. For more information, see Managing Multifactor Authentication and Configuring Authentication Factors.

Important

MFA is a mandatory security control for both production and non-production environments and can't be disabled after it's enforced by Oracle. You can request a temporary exemption, but exemptions are rare, time‑bound, require Oracle product leadership approval, and aren't available as a blanket opt‑out for all environments.

Who's affected?

This MFA enforcement impacts existing Fusion Applications environments that have been upgraded to use new identity domains and are on Release 26A or later. Once these two conditions are met, Oracle will notify you when MFA enforcement will occur. Typically, enforcement will happen with the next quarterly update, but could be later.

(Fusion Applications environments that were newly provisioned in new Fusion Applications environment families after Release 25D are already MFA-enforced, by default.)

Note

This Oracle MFA enforcement doesn't impact users who sign in to their Fusion Applications environments using Single Sign-On (SSO).

When is this happening?

Oracle will start enforcing MFA from Release 26B for eligible environments, and will send an initial notification about the upcoming MFA enforcement approximately three months in advance. Eligible environments are environments that have been upgraded to use identity domains and are on Release 26A or later.

During the three-month notification period, you can optionally enforce MFA yourself. You might want to do this to validate the user experience and support processes.

After the initial notification about the upcoming MFA enforcement, you'll also receive these notifications:

  • You'll receive notifications 30 days and then 7 days before the next quarterly update.
  • On the day of the quarterly update, you'll be notified once the quarterly update, including MFA enforcement, has started.
  • A completion notification will be sent after the maintenance finishes.

If you enforce MFA yourself during the three-month notification period, you'll still receive notifications from Oracle about MFA enforcement, but your environments won't be impacted.

Here's an overview of the enforcement timeline:

Release 25D

MFA is enforced by default for all newly provisioned environment families.

Release 26A

By default, the following six factors are available to users as additional authentication methods:

  • Email
  • SMS
  • Oracle Mobile Authenticator Passcode
  • Oracle Mobile Authenticator Notification
  • Fast ID Online (FIDO) Passkey Authenticator
  • Bypass code

You can select the authentication factors that work for your business in the Security Console. For more information, see Determine the Authentication Factors Available to Users.

Release 26B

Starting with Release 26B, eligible customers will be notified 90 days in advance that Oracle MFA enforcement will begin.

Note

Because non-production environments are updated two weeks before production environments, there will be a two-week gap between non-production and production environments in terms of MFA enforcement.

Downtime and restrictions

MFA enforcement will be included in the same quarterly update downtime window. There is no separate downtime required.

What do you need to do?

  1. Inform your users about what will happen after MFA takes effect:

    • Users will be asked to go through a one-time MFA enrollment process during sign-in.
    • After enrollment, users will be required to complete the multifactor authentication process whenever they sign in to their Fusion Applications environment.

    Note

    This Oracle MFA enforcement doesn't impact users who sign in to their Fusion Applications environments using Single Sign-On (SSO).

  2. For user accounts created for automation in non-production environments only, you can optionally configure them to skip MFA enforcement.

    For more information, see How can MFA not be enforced on automation users?

  3. When MFA is enforced, the following factors will be available to users as additional authentication methods:

    • Email
    • SMS
    • Oracle Mobile Authenticator Passcode
    • Oracle Mobile Authenticator Notification
    • Fast ID Online (FIDO) Passkey Authenticator
    • Bypass code

    You can select the authentication factors that work for your business in the Security Console. For more information, see Determine the Authentication Factors Available to Users.

  4. If you enforce MFA yourself during the three-month notification period, you'll still receive notifications from Oracle about MFA enforcement, but you can ignore them. Your environments won't be impacted.

What Happens After MFA is Enforced?

This is what happens after MFA is enforced:

  • Impact to users:

    • Non‑federated (local) user accounts in the Fusion Applications environment must go through MFA enrollment.
    • Users authenticated by your corporate identity provider (IdP) with MFA will continue to follow your IdP's MFA experience.

      In this case, Oracle MFA isn't applied to those federated users when they sign in to their Fusion Applications environments using Single Sign-On (SSO).

  • Environment refreshes:

    • MFA configuration and enforcement settings in the target environment are preserved.
    • Environment refreshes between environments with different MFA postures are allowed. The target environment keeps its existing posture (it will not be overwritten).

  • Newly provisioned development / additional test environments (ATEs):

    • Non-production environments are updated two weeks before production environments. This means there will be a two-week gap between non-production and production environments in terms of MFA enforcement.

      During this time, newly provisioned ATEs in an existing environment family will be MFA‑enforced.

Note

If you already enforce MFA for your Fusion Applications environments, the scheduled MFA enforcement will make no changes and will have no impact on your environments.

Viewing the MFA Enforcement Schedule

When MFA enforcement is scheduled for your environments, you can find the following details in the Oracle Cloud Console:

  • The quarterly update maintenance item shows MFA enforcement in its details.
  • Environment pages will display a banner indicating the upcoming MFA enforcement, starting 30 days before the scheduled MFA enforcement.

    The banner will be removed after the quarterly update completes.

  • If Oracle performs a standalone enforcement, it appears as an exception maintenance entry.

    (No additional downtime is required if MFA enforcement is performed standalone.)

Support

If you have questions, contact Oracle Support by opening a Support Request (SR). Select these options to describe the issue:

  • Severity: Technical Issues
  • Service Group: Oracle Cloud Applications
  • Service: Any Fusion Product
  • Service Category: SaaS Console Services (Outage, Provision, P2T/T2T, Resize, Environment and User Management)
  • Sub‑Category: Multifactor Authentication

Frequently Asked Questions

Does MFA enforcement require downtime?

No, MFA enforcement doesn't require downtime. Enforcement is applied during the standard quarterly update window.

Will MFA be enforced on both production and non-production environments? How does this happen?

Yes, MFA will be enforced on both production and non-production environments.

Non-production environments are updated two weeks before production environments. This means there will be a two-week gap between non-production and production environments in terms of MFA enforcement.

We already use federated SSO with our own MFA. Will users see Oracle MFA?

No, federated users follow your identity provider's MFA. Oracle MFA applies only to local (non‑federated) users.

Note, however, that Oracle will still schedule MFA enforcement, but it won't impact these users. They will continue to sign in to their Fusion Applications environments using Single Sign-On (SSO).

Can we enable MFA earlier than the maintenance window?

Yes, you can self‑enforce ahead of time in the Security Console starting with Release 26A. You might want to do this to validate the user experience and support processes.

Which factors are supported?

When MFA is enforced, the following factors will be available for your users:

  • Email
  • SMS
  • Oracle Mobile Authenticator Passcode
  • Oracle Mobile Authenticator Notification
  • Fast ID Online (FIDO) Passkey Authenticator
  • Bypass code

Can we select which MFA factors are allowed?

Yes. Starting with Release 26A, you can enable or disable supported factors in the Security Console and scope enforcement by user category.

See Determine the Authentication Factors Available to Users.

What about automation or integration accounts?

You can exclude newly created automation users from MFA enforcement in non‑production environments. See How can MFA not be enforced on automation users?

For other scenarios, contact Oracle Support to discuss options and recommended patterns.

Do MFA settings survive an environment refresh?

Yes, MFA configuration and enforcement settings are preserved in the target environment during refresh.

How can we confirm that MFA enforcement happened?

You will receive quarterly update notifications.

In addition, the Cloud Console lists maintenance details which include MFA enforcement, and the Security Console shows MFA policy status.

Can we opt out?

No, customer self‑service opt‑out is not available.

Temporary exemptions require a Support Request (SR) and Oracle leadership approval. Blanket opt‑out exemptions for all environments are not available.