MFA Enforcement Check

Project-Agent / library/workflows/mfa-enforcement-check/README.md


Scans all active Okta users for missing or incomplete MFA enrollment, creates Jira tickets for non-compliant users, and sends a summary alert to Slack.

Maturity: L3+ (Enforced and up) · See the 5-level maturity model for where this workflow fits in your program.

Time Saved

Before: ~2 hours per week manually auditing Okta user MFA status and following up on non-compliant accounts.

After: Automated weekly compliance scan. IT and security teams receive Jira tickets and Slack summaries for immediate action.

Connectors

| Connector | Operations | Risk |
|-----------|-----------|------|
| Okta | users:read, users:read_factors | LOW |
| Jira | issues:create | MEDIUM |
| Slack | chat:write | LOW |

Overall Risk: MEDIUM -- Creates Jira tickets for non-compliant users. All Okta operations are read-only.

How It Works

  1. Query Okta for all active users.
  2. For each user, check enrolled MFA factors.
  3. Identify users with no MFA or only weak factors (e.g., SMS-only).
  4. Create a Jira ticket per non-compliant user (or a single bulk ticket).
  5. Post a Slack summary with counts and a link to the Jira filter.
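
Steps 2 and 3 as an added example (not the workflow.py shipped with this workflow): it classifies each user from factor records shaped like Okta Factors API responses (`factorType`, `status`). The policy set, function names, and sample users are assumptions made for illustration; the real `allowed_factor_types` value lives in arx.yaml.

```python
# Added example: not the project's own code.
# Factor records mirror the shape of Okta Factors API responses
# (factorType, status); all sample users below are constructed.

# Assumed policy value; the real allowed_factor_types is set in arx.yaml.
ALLOWED_FACTOR_TYPES = frozenset({"push", "webauthn", "token:software:totp"})


def classify_user(factors, allowed=ALLOWED_FACTOR_TYPES):
    """Return (status, detail) for one user's list of factor records."""
    # Only fully activated factors count; PENDING_ACTIVATION is incomplete.
    active = {f["factorType"] for f in factors if f.get("status") == "ACTIVE"}
    pending = {f["factorType"] for f in factors
               if f.get("status") == "PENDING_ACTIVATION"}
    if active & allowed:
        return "compliant", sorted(active & allowed)
    if active:
        return "weak_only", sorted(active)      # e.g. SMS-only
    if pending:
        return "incomplete", sorted(pending)    # enrollment never finished
    return "no_mfa", []


def scan(users_factors, allowed=ALLOWED_FACTOR_TYPES):
    """Return (findings for non-compliant users, per-status counts)."""
    findings = {}
    counts = {"compliant": 0, "weak_only": 0, "incomplete": 0, "no_mfa": 0}
    for login, factors in users_factors.items():
        status, detail = classify_user(factors, allowed)
        counts[status] += 1
        if status != "compliant":
            findings[login] = {"status": status, "factors": detail}
    return findings, counts


# Constructed sample data (login -> enrolled factor records).
SAMPLE = {
    "alice@example.com": [{"factorType": "webauthn", "status": "ACTIVE"},
                          {"factorType": "sms", "status": "ACTIVE"}],
    "bob@example.com": [{"factorType": "sms", "status": "ACTIVE"}],
    "carol@example.com": [{"factorType": "push", "status": "PENDING_ACTIVATION"}],
    "dave@example.com": [],
}

if __name__ == "__main__":
    findings, counts = scan(SAMPLE)
    for login, finding in sorted(findings.items()):
        print(login, finding["status"], finding["factors"])
    print(counts)
```

The `findings` map is what would feed ticket creation in step 4, and `counts` is the summary for step 5.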

ARX Governance

  • Risk Classification:
      • Okta:users:read -- LOW -- read-only user enumeration
      • Okta:users:read_factors -- LOW -- read-only MFA factor check
      • Jira:issues:create -- MEDIUM -- creates compliance tracking tickets
      • Slack:chat:write -- LOW -- informational summary notifications
  • HITL Gate: Disabled -- no destructive operations. Jira ticket creation is auto-approved as it creates compliance work items only. No changes are made to Okta user accounts.
  • Policy Rules:
      • PERMITTED: Reading user lists and MFA factor enrollment from Okta
      • PERMITTED (auto-approved): Creating Jira compliance tickets for non-compliant users
      • PERMITTED: Posting Slack summary with compliance statistics
      • DENIED: Any write operations to Okta (user modification, factor enrollment, account suspension)
  • Audit Trail: Every Okta user scanned, MFA compliance status per user, Jira tickets created (with ticket IDs), and Slack notifications sent are logged. Non-compliant user counts are recorded per scan cycle.
  • Config: See arx.yaml for connector permissions, schedule, and allowed_factor_types policy.

Setup

Prerequisites

```bash
pip install arx
```

Environment Variables

```bash
export OKTA_DOMAIN="your-org.okta.com"
export OKTA_API_TOKEN="your-okta-api-token"
export JIRA_URL="https://your-org.atlassian.net"
export JIRA_API_TOKEN="your-jira-api-token"
export JIRA_PROJECT_KEY="COMPLY"
export SLACK_BOT_TOKEN="xoxb-your-slack-token"
export SLACK_CHANNEL="#security-compliance"
```

Run

```bash
# One-time execution
arx run workflow.py

# Register on schedule (every Monday at 08:00 UTC)
arx register --config arx.yaml
```

Customization

  • Adjust allowed_factor_types in arx.yaml to match your MFA policy
  • Configure bulk vs. per-user Jira ticket creation mode
  • Filter by Okta group to scope the compliance check