Google Workspace organization MFA enforcement disabled
Description
AlphaSOC detected an audit change to organization-level multi-factor
authentication (MFA) settings via ALLOW_STRONG_AUTHENTICATION or
ENFORCE_STRONG_AUTHENTICATION where the NEW_VALUE indicates that
organization-level MFA enforcement has been disabled or relaxed.
Impact
Disabling enforcement of MFA across the organization reduces protection against credential theft and automated login attempts. It increases the likelihood of account compromise, privilege escalation, and unauthorized access to tenant resources.
Severity
| Severity | Condition |
|---|---|
| Medium | Google Workspace organization MFA enforcement disabled |
Investigation and Remediation
Review the audit event to identify who changed the setting and why. Validate whether the change was authorized and documented; if not, re-enable enforcement immediately and rotate credentials for accounts that may have been affected. Assess recent login patterns and suspicious authentications during the window when MFA was relaxed. Implement approval workflows and change controls for org-wide security settings and monitor for similar configuration changes.
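The review described above can be scripted over exported admin audit records. The following is an added example, not AlphaSOC's detection code: it finds who disabled each setting and the time window during which it stayed disabled, so that logins in that window can be reviewed. It assumes records in the Admin SDK Reports API activity JSON shape and that a NEW_VALUE of "false" means disabled; the sample records and the function name are constructed for illustration.

```python
import json
from datetime import datetime

# Event names and the NEW_VALUE parameter come from the detection description.
MFA_EVENTS = {"ALLOW_STRONG_AUTHENTICATION", "ENFORCE_STRONG_AUTHENTICATION"}
DISABLED_VALUES = {"false"}  # assumption: NEW_VALUE is the string "true" or "false"

# Constructed sample records (not real audit data).
SAMPLE = json.loads("""[
 {"id": {"time": "2024-05-01T09:00:00Z"}, "actor": {"email": "admin1@example.com"},
  "events": [{"name": "ENFORCE_STRONG_AUTHENTICATION",
              "parameters": [{"name": "NEW_VALUE", "value": "false"}]}]},
 {"id": {"time": "2024-05-01T10:00:00Z"}, "actor": {"email": "admin2@example.com"},
  "events": [{"name": "CONSTRUCTED_UNRELATED_EVENT", "parameters": []}]},
 {"id": {"time": "2024-05-01T11:30:00Z"}, "actor": {"email": "admin2@example.com"},
  "events": [{"name": "ENFORCE_STRONG_AUTHENTICATION",
              "parameters": [{"name": "NEW_VALUE", "value": "true"}]}]},
 {"id": {"time": "2024-05-01T12:00:00Z"}, "actor": {"email": "admin1@example.com"},
  "events": [{"name": "ALLOW_STRONG_AUTHENTICATION",
              "parameters": [{"name": "NEW_VALUE", "value": "false"}]}]}
]""")

def _ts(value):
    return datetime.fromisoformat(value.replace("Z", "+00:00"))

def mfa_relaxed_windows(activities):
    """Return one dict per period in which an MFA setting was disabled."""
    open_since, windows = {}, []  # open_since: event name -> (start, actor)
    for act in sorted(activities, key=lambda a: _ts(a["id"]["time"])):
        when = _ts(act["id"]["time"])
        actor = act.get("actor", {}).get("email", "unknown")
        for ev in act.get("events", []):
            if ev.get("name") not in MFA_EVENTS:
                continue
            params = {p["name"]: p.get("value") for p in ev.get("parameters", [])}
            if str(params.get("NEW_VALUE", "")).lower() in DISABLED_VALUES:
                # Keep the first disable so the window covers the full exposure.
                open_since.setdefault(ev["name"], (when, actor))
            elif ev["name"] in open_since:
                start, who = open_since.pop(ev["name"])
                windows.append({"setting": ev["name"], "disabled_by": who,
                                "start": start, "end": when})
    for name, (start, who) in open_since.items():  # still disabled: no end time
        windows.append({"setting": name, "disabled_by": who,
                        "start": start, "end": None})
    return windows
```

A window whose end is None means the setting has not been re-enabled in the exported records and should be treated as still open.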