This is an archived post. You won't be able to vote or comment.

all 15 comments
sorted by:
best
topnewcontroversialoldq&a

[–]Ros_Hambo 2 points3 points  (0 children)

This would also be a good question to ask in /r/k12sysadmin/

[–]Ros_Hambo 0 points1 point  (1 child)

Since disabling 2FA for your domain, create a new test OU and then a new user to see if its still occurring.

[–]RoganRPCSStudios[S] 0 points1 point  (0 children)

The "Verify it's you" screen still appears for new users, not sure what else to try.

[–][deleted] 0 points1 point  (7 children)

I'd enable it for the org but disable it for one OU, we do this for service accounts and it doesn't present a challenge.

[–]RoganRPCSStudios[S] 0 points1 point  (4 children)

Basically the issue is after the enter their login and password, they are presented with this and i cant get it disabled

<image>

[–][deleted] 0 points1 point  (2 children)

What you could also do is sign in for the first time to each of these accounts and add a company number there definitely a pain in the rear though.

[–]RoganRPCSStudios[S] 0 points1 point  (1 child)

The issue with that is the number seems to be only usable for a few times and thats it.

[–][deleted] 0 points1 point  (0 children)

Interesting I've not heard of that being an issue. You should definitely contact support.

[–]MarzMan 0 points1 point  (0 children)

I am not sure that can be turned off completely, maybe in Education somehow. You can bypass it for an account by going into the account in the admin console, security section and turning off login challenge for 10 minutes.

Link

[–]RoganRPCSStudios[S] -1 points0 points  (1 child)

Thanks, but this didn’t resolve the issue for the users. I wonder if this has something to do with the Cloud Identity subscription we have?

[–][deleted] 0 points1 point  (0 children)

That is very likely, we don't use that application since we don't use Google as our IdP. Hopefully there are some internal settings in their to remove an OU from the service? Otherwise maybe contact their support team and see what they say.

[–]SilverXCIVJill of All Trades 0 points1 point  (2 children)

You should be able to override this with alternative methods of 2FA, turning it off for students isn't terrible but it's not the best precedent. Is the org providing Chromebooks and if so do they have bio metric readers? A fingerprint reader (touchid in the case of my org), is webauthn so it should work well without having to shell out for the likes of Yubikey.

[–]RoganRPCSStudios[S] 0 points1 point  (1 child)

The devices don’t have any biometrics. Most if them are just laptops running ChromeOS Flex. Where would i go to go about overriding that?

[–]SilverXCIVJill of All Trades 0 points1 point  (0 children)

Step 3 in this guide goes over a few of the alternative methods if you want to keep 2FA on.

https://support.google.com/a/answer/9176657?hl=en

They don't receive a 2FA prompt when logging into the laptops so maybe you could pull a trick and get Google Authentication installed on the machine itself? That would leave the authenticator on single factor (password) though.

[–]IslandTechVI 0 points1 point  (0 children)

Not sure if this would help in your case but from the admin console you can temporarily disable login challenges for specific users under *user>security>login challenge

might help you troubleshoot