As an administrator, you can force users to use their corporate Microsoft Entra ID account to sign in or to use multifactor authentication (MFA) for their custom account. You can enforce these account types when inviting new users, but it is also possible to change the account types for existing users.
Restrict account type - new users
When inviting the user, you have 3 options under Account type restriction:
- Any
  The user will have no account type restriction. After accepting the invitation, the user can choose the account type they wish to use: a custom account or an account linked to their Microsoft Entra ID. If the user opts for a custom account, it is also up to them to choose whether to enable MFA.
- Microsoft Entra ID
  With this option, you force the user to use their corporate (Microsoft Entra ID) account to sign in. After accepting the invitation, the user will only be able to select the account type Microsoft Entra ID (more info).
- Custom with MFA
  With this option, you force the user to only use an account with MFA enabled. The user will not be able to disable MFA. After accepting the invitation, the user will only be able to select Create account or Sign in (more info).
Microsoft Entra ID is recommended if this is possible for the invited user. The main advantage of this account type is that if the user leaves the organization, they immediately lose access to the Priva Digital Services as soon as their corporate Entra ID account is disabled or deleted, without necessarily being removed in Access Control. Note that, even though this person no longer has access to the Priva Digital Services, this person will still be listed as a user in Access Control.
If Microsoft Entra ID is not possible for the invited user, then it is recommended to force them to create a Custom with MFA account to enforce extra security.
Restrict account type - existing users
It is also possible to change the account type for existing users: go to the page of a user > click on the three dots > Change account type / Enforce MFA. There are 3 options:
- Change account type (to Entra ID)
  Custom account (with or without MFA) > Microsoft Entra ID
- Change account type (to MFA)
  Custom account without MFA > Custom account with MFA enforced
- Enforce MFA
  Custom account with MFA enabled by user > Custom account with MFA enforced
When you change the account type (to Entra ID/MFA), the user will receive an email invitation to configure the new account (more info). The current account will be disabled within 14 days or immediately, depending on the administrator’s choice.
When you enforce MFA for a user who has already enabled MFA themselves, that user will no longer be able to disable MFA in their profile. Unlike with the ‘change account type’ option, the user will not need to configure a new account; only a notification email will be sent to inform the user of the change.