Issue:
When a user tries to access Elements Exposure Management related pages in the Elements Security Center portal, they get the following errors:
- This operation is forbidden - Please contact your EntraID administrator to perform this operation.
- The organization you're trying to sign in requires two factor authentication. Go to Account settings to enable two factor authentication.
Resolution:
Currently there is an issue with multi-factor authentication (MFA) settings for new users who were created after SSO (single sign-on) federation was taken into use. By default, the Elements Exposure Management pages in the Elements portal have the legacy MFA requirement setting enabled on the portal level, but SSO users have MFA included with the SSO. This means that MFA is shown as disabled for the user on the portal level, and therefore the user cannot access the Elements Exposure Management pages, which require MFA.
To resolve this issue, disable the legacy setting below, which forces two-factor authentication for Exposure Management users and the relevant pages. The setting is located here:
- Management > Vulnerability Settings > Security Settings > Force two-factor authentication
After the setting has been disabled, users should be able to access the Exposure Management pages in the Elements Security Center.
Note: this does not lower the overall security of the system, as the two-factor requirement is still in place; it is just not handled by the Exposure Management setting highlighted above.
If the steps above do not resolve the issue, another administrator can alternatively disable SSO federation for the domain temporarily so that the user can enable portal-level MFA. After the user has enabled portal-level MFA, SSO federation can be re-enabled for the domain. To temporarily disable SSO federation for the domain, use this setting:
- Management > Organization settings > Security administrators > SSO Federation
The user can then log in to enable portal-level MFA. After MFA has been enabled, SSO federation can be re-enabled, and the user should then be able to access Elements Exposure Management related pages in the portal.
If possible, we recommend using the first option, i.e. disabling the Force two-factor authentication setting for Elements Exposure Management.
Article no: 000046327