Require non-2FA first emu admins to enter a recovery code during login [GA] (#53570)

Co-authored-by: jc-clark <jc-clark@github.com>
2025-12-25 02:17:36 -05:00 · 2025-01-18 08:49:03 +10:00
parent 1e90c4a467
commit 1c2ccb673e
3 changed files with 12 additions and 4 deletions
--- a/content/admin/managing-iam/understanding-iam-for-enterprises/getting-started-with-enterprise-managed-users.md
+++ b/content/admin/managing-iam/understanding-iam-for-enterprises/getting-started-with-enterprise-managed-users.md
@@ -37,12 +37,14 @@ After we create your enterprise, you will receive an email inviting you to choos
 Using an **incognito or private browsing window**:

 1. Set the user's password.
-1. Save the user's recovery codes.
-1. Enable two-factor authentication. See [AUTOTITLE](/authentication/securing-your-account-with-two-factor-authentication-2fa/configuring-two-factor-authentication).
+1. Enable two-factor authentication (2FA), and save the enterprise recovery codes. See [AUTOTITLE](/admin/managing-iam/managing-recovery-codes-for-your-enterprise/downloading-your-enterprise-accounts-single-sign-on-recovery-codes#downloading-codes-for-an-enterprise-with-enterprise-managed-users).
+
+   > [!WARNING]
+   > All subsequent login attempts for the setup user account will require a successful 2FA challenge response or the use of an enterprise recovery code to complete authentication. To avoid being locked out of your account, save your enterprise recovery codes.

 {% data reusables.enterprise-accounts.emu-password-reset-session %}

-We strongly recommend **storing the credentials for the setup user** in your company's password management tool. Someone will need to sign in as this user to update authentication settings, migrate to another identity provider or authentication method, or use your enterprise's recovery codes.
+{% data reusables.enterprise-accounts.emu-recommend-password-manager %}

 ## Create a {% data variables.product.pat_generic %}