self_enrolment_period property impact on "Enable MFA" field on sys_user recordIssue <!-- /*NS Branding Styles*/ --> .ns-kb-css-body-editor-container { p { font-size: 12pt; font-family: Lato; color: #000000; } span { font-size: 12pt; font-family: Lato; color: #000000; } h2 { font-size: 24pt; font-family: Lato; color: black; } h3 { font-size: 18pt; font-family: Lato; color: black; } h4 { font-size: 14pt; font-family: Lato; color: black; } a { font-size: 12pt; font-family: Lato; color: #00718F; } a:hover { font-size: 12pt; color: #024F69; } a:target { font-size: 12pt; color: #032D42; } a:visited { font-size: 12pt; color: #00718f; } ul { font-size: 12pt; font-family: Lato; } li { font-size: 12pt; font-family: Lato; } img { display: ; max-width: ; width: ; height: ; } } A few customers have noticed that, after the Yokohama Upgrade, when the System Property "glide.authenticate.multifactor.self_enrolment_period" is not set to 0 (zero), the 'Enable Multifactor Authentication' field in the user's record is set to true after the user registers for MFA. However, when this property is set to 0, the user record's field doesn't change, even though the user is forced for MFA. Is this an expected behaviour? If so, why? Release<!-- /*NS Branding Styles*/ --> .ns-kb-css-body-editor-container { p { font-size: 12pt; font-family: Lato; color: #000000; } span { font-size: 12pt; font-family: Lato; color: #000000; } h2 { font-size: 24pt; font-family: Lato; color: black; } h3 { font-size: 18pt; font-family: Lato; color: black; } h4 { font-size: 14pt; font-family: Lato; color: black; } a { font-size: 12pt; font-family: Lato; color: #00718F; } a:hover { font-size: 12pt; color: #024F69; } a:target { font-size: 12pt; color: #032D42; } a:visited { font-size: 12pt; color: #00718f; } ul { font-size: 12pt; font-family: Lato; } li { font-size: 12pt; font-family: Lato; } img { display: ; max-width: ; width: ; height: ; } } Yokohama onwards. Cause<!-- /*NS Branding Styles*/ --> .ns-kb-css-body-editor-container { p { font-size: 12pt; font-family: Lato; color: #000000; } span { font-size: 12pt; font-family: Lato; color: #000000; } h2 { font-size: 24pt; font-family: Lato; color: black; } h3 { font-size: 18pt; font-family: Lato; color: black; } h4 { font-size: 14pt; font-family: Lato; color: black; } a { font-size: 12pt; font-family: Lato; color: #00718F; } a:hover { font-size: 12pt; color: #024F69; } a:target { font-size: 12pt; color: #032D42; } a:visited { font-size: 12pt; color: #00718f; } ul { font-size: 12pt; font-family: Lato; } li { font-size: 12pt; font-family: Lato; } img { display: ; max-width: ; width: ; height: ; } } Scenario 1: self_enrolment_period > 0 (grace period enabled) Users go through a self‑enrollment experience during the window.When a user opts in / completes enrollment, the platform updates their profile to reflect user‑based MFA enablement—so you often see the user record field turn true. (The important thing is: the user now has factors registered; the checkbox is a legacy indicator tied to user‑based criteria.) Scenario 2: self_enrolment_period = 0 (strict enforcement) There's no grace period; MFA is enforced at login by policy.Because enforcement is happening at the global policy layer, the platform does not need to (and does not) flip the legacy "Enable Multifactor Authentication" field on the user record—even though the user is prompted and must register/validate an MFA factor to proceed. This is consistent with Yokohama's global, criteria‑based enforcement model for non‑SSO logins. In Yokohama, policy enforcement ≠ user‑based toggle. The user record checkbox is no longer the source of truth for whether MFA is enforced; it's only used if you explicitly configure user‑based MFA. Resolution<!-- /*NS Branding Styles*/ --> .ns-kb-css-body-editor-container { p { font-size: 12pt; font-family: Lato; color: #000000; } span { font-size: 12pt; font-family: Lato; color: #000000; } h2 { font-size: 24pt; font-family: Lato; color: black; } h3 { font-size: 18pt; font-family: Lato; color: black; } h4 { font-size: 14pt; font-family: Lato; color: black; } a { font-size: 12pt; font-family: Lato; color: #00718F; } a:hover { font-size: 12pt; color: #024F69; } a:target { font-size: 12pt; color: #032D42; } a:visited { font-size: 12pt; color: #00718f; } ul { font-size: 12pt; font-family: Lato; } li { font-size: 12pt; font-family: Lato; } img { display: ; max-width: ; width: ; height: ; } } This behavior is expected in Yokohama. When the self‑enrollment period is set to 0, MFA is enforced by the platform's global policy for non‑SSO logins. That enforcement no longer uses the legacy 'Enable Multifactor Authentication' checkbox on the user record, so the field doesn't change even though MFA is required. When a non‑zero self‑enrollment period is used, users who complete enrollment may have that legacy field set as part of user‑based criteria. For monitoring, please use MFA dashboards/metrics or check each user's registered factors rather than the checkbox.