User lockout in supply planning after MFA policy change - user enrollment issue

We just enforced MFA for all users last week as part of security hardening. Now several supply planning team members can’t access NetSuite at all - they get Access Denied errors after entering their password. These users have the Supply Planner role and were working fine before the MFA rollout. Some users enrolled in MFA successfully and can log in, but about 30% of the supply planning team is completely locked out. We checked their role assignments and everything looks correct. Is there a specific MFA enrollment step required for certain roles? The timing suggests it’s related to the MFA policy change but I can’t figure out why it only affects some users.

Check the MFA enrollment status for the locked-out users. Go to Setup > Users/Roles > Manage Users, find an affected user, and look at the Two-Factor Authentication section. They might be in ‘Pending Enrollment’ status. When MFA is enforced, users who haven’t completed enrollment can’t log in. They need to receive and complete the enrollment email first before they can access the system with MFA.

Also verify the MFA policy settings under Setup > Company > Enable Features > SuiteCloud tab. Check if you have ‘Require Two-Factor Authentication’ enabled and what the grace period is set to. If you enabled enforcement immediately without a grace period, users who hadn’t enrolled yet got locked out instantly. You might want to temporarily add a grace period to give users time to complete enrollment while still allowing them to work.

For future rollouts, implement a phased approach: enable MFA with a 30-day grace period first; send communication to all users explaining the requirement and timeline; monitor enrollment status weekly; and follow up with non-enrolled users before enforcement. You can run a saved search to identify users with MFA not enabled and their last login date. This helps catch issues before they become lockouts. Also document the enrollment process with screenshots for your help desk team.
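The weekly enrollment review described above, as an added example that is not part of the original post or of NetSuite: it triages a saved-search export (constructed here, with assumed column names and status strings) against the enforcement date so the help desk knows who to chase, who is already locked out, and which dormant accounts to verify before re-sending emails.

```python
# Triage an MFA enrollment export ahead of an enforcement date.
# Added example, not code from the thread or from NetSuite. The column
# names, status strings, dates and sample rows are constructed assumptions;
# map them to whatever your own saved-search export produces.
import csv
import io
from datetime import date

# Constructed sample export: user, role, MFA status, last login (YYYY-MM-DD).
SAMPLE_EXPORT = """\
user,role,mfa_status,last_login
alice@example.com,Supply Planner,Enrolled,2024-05-20
bob@example.com,Supply Planner,Pending Enrollment,2024-05-19
carol@example.com,Supply Planner,Pending Enrollment,2024-02-01
dave@example.com,Buyer,Enrolled,2024-05-21
erin@example.com,Supply Planner,Not Enabled,2024-05-18
"""


def triage(export_csv, today, enforce_on, followup_days=7, inactive_days=60):
    """Map each user to an action for the weekly enrollment review.
    ok: enrolled.  locked_out: not enrolled and enforcement already in effect.
    follow_up_now: enforcement within followup_days.  remind: further out.
    inactive: no login for inactive_days; confirm the account is still needed
    before sending another enrollment email.  Dates are ISO strings.
    """
    today, enforce_on = (date.fromisoformat(d) for d in (today, enforce_on))
    days_left = (enforce_on - today).days
    result = {}
    for row in csv.DictReader(io.StringIO(export_csv)):
        user, status = row["user"], row["mfa_status"]
        if status == "Enrolled":
            result[user] = "ok"
            continue
        idle_days = (today - date.fromisoformat(row["last_login"])).days
        if idle_days > inactive_days:
            result[user] = "inactive"
        elif days_left <= 0:
            result[user] = "locked_out"
        elif days_left <= followup_days:
            result[user] = "follow_up_now"
        else:
            result[user] = "remind"
    return result


if __name__ == "__main__":
    for user, state in triage(SAMPLE_EXPORT, "2024-05-22", "2024-05-27").items():
        print(f"{state:14} {user}")
```

Run it weekly against a fresh export and hand the "follow_up_now" and "inactive" lists to the help desk; anyone still "locked_out" after enforcement is a candidate for the re-enrollment procedure.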

We had the same issue during our MFA rollout. The problem is often that enrollment emails went to spam or users didn’t complete the setup before the enforcement date. You need to manually trigger re-enrollment for affected users. Go to the user record, uncheck ‘Two-Factor Authentication Enabled’, save, then re-enable it and click ‘Send Enrollment Email’. Make sure users check spam folders and complete enrollment within the timeframe specified in the email.

Checked the enrollment status and you’re right - all locked-out users show ‘Pending Enrollment’. I can see the enrollment emails were sent on the enforcement date but several users never received them or they expired. How do I handle the re-enrollment without disrupting their access further? Should I temporarily disable MFA requirement for these specific users or is there a better way?