Organization Security Controls

Enforce MFA, passkeys, session limits, and email-domain restrictions across your whole organization, and review a log of security events.

Available on the Max plan. Only the Organization Owner can change these policies.

Organization security controls let you enforce sign-in and membership rules for everyone in your organization from one place. You’ll find them on the Security tab of your organization settings. The organization owner is always exempt from these policies, so you can never lock yourself out.

Who Can Use These Controls

Security enforcement is a Max-plan feature. On lower plans the Security tab shows the message that “Organization security enforcement is available on the Max plan.”

Even on Max, only the Organization Owner can change these policies. Admins can open the Security tab and view settings, but they can’t make changes: the toggles are disabled and the save buttons are hidden, with a note that “Only the organization owner can change these policies.”

Open Security Settings

  1. Open Settings and switch to your organization’s (company) settings.
  2. Click the Security tab.

The tab holds four groups of controls plus the audit log: authentication requirements, session controls, domain-restricted membership, and single sign-on.

Require MFA or Passkeys

Two toggles set the authentication bar for every member:

  • Require multi-factor authentication: every member must sign in with a passkey or an authenticator app (TOTP).
  • Require passkeys: stricter than MFA. Every member must register a passkey; an authenticator app alone is not enough.

Turning a policy on affects every member, so SnapGlyph asks you to confirm first. The confirmation tells you how many members don’t yet meet the requirement; those members are prompted to set it up the next time they open the app before they can continue. Turning a policy off applies immediately.

Session Controls

Under Session controls you can automatically sign members out after a maximum session length or a period of inactivity:

  • Maximum session length (minutes): how long a session can last before the member must sign in again.
  • Idle timeout (minutes): how long a session can sit inactive before it ends.

Enter a value in minutes for each and click Save session controls. Entering 0 disables that control.

Domain-Restricted Membership

Under Domain-restricted membership, turn on Restrict who can join by email domain so that only people with an email address from an allowed domain can join the organization. The owner is always exempt.

  1. Toggle Restrict who can join by email domain on.
  2. Type a bare domain (like example.com) and click Add. Add as many as you need.
  3. Remove a domain by clicking the X on its chip.
  4. Click Save domains.

Add at least one domain for the restriction to take effect.

Audit Log

Click View audit log (top of the Security tab) to open a log of security-relevant events for your organization. You can filter by Action, and by a From and To date, and page through results.

Each row shows the Time, Action, Actor (the member who triggered it, or “System”), and Status. Recorded events include enabling or disabling required MFA and required passkeys, session-policy changes, member sessions being revoked, membership-domain policy changes and blocked joins, SSO enforcement changes, and member invites, removals, and role changes.

Next Steps