Advisory: Sophos Central – MFA option disabled after changes were made to their login and synced via the Central AD-Sync utility.

Sophos is investigating an issue between the Central Admin AD sync utility and MFA-enabled Central Administrators (e.g. Read only, Helpdesk, Admin, or Super Admin).

Update: 8/19/19 – The original issue has been resolved since June 15th. Since that time, there have been only a handful of reports of this happening for one or more logins.

This KBA has been updated to remove previous information that is no longer valid (e.g. what we knew to trigger this), and the "what to do" guidance has changed: in this scenario, just adding the affected logins back into the MFA list resolves the issue. They no longer have to set up MFA again.

The following login configurations are NOT affected by, or part of, this advisory/article:

  • Federated/Azure logins.
  • Customers who enable MFA for ‘all admins’

Applies to the following Sophos product(s) and version(s)

Sophos Central Admin

  • Affected Central logins that previously had MFA enabled will be able to log in with just their Central login password.
  • They will no longer show up in the ‘Select admins who need MFA’ list (see screenshot below).

Updated Status: August 19th

Development is still actively investigating what can trigger this. This KBA has been updated to remove the previously known triggers and workaround, as these have changed since the first fix for this was introduced on June 15th.

Please continue to follow the steps indicated in the “What to Do” section below:

If you experience this behavior, please let us know by raising a Technical Support case with us and provide as much of the following information as you can remember.

  1. Provide details of how the user is being managed in Central, i.e. AD sync, cloud managed.
  2. Provide the user/email for the user who had their MFA disabled.
  3. Provide any changes that were done to the user prior to them experiencing the disablement of MFA.

Affected customers should follow the ‘Workaround’ section below.

  • The only update needed to resolve this, if experienced, is to re-add the user's login to the list of MFA users (select the ‘add admins’ URL).
