
Two-factor authentication options for Microsoft users in Sanity

5 replies. Last updated: Nov 29, 2025

Hi, I have a question about two-factor auth login. According to your documentation part: "Users log in to their Sanity.io accounts using external authentication providers (currently Google Accounts and GitHub) via an OAuth 2 flow, optionally with two-factor authentication, which we strongly recommend..." I'm wondering what I should tell our customer using Microsoft services? Should they just add two-factor auth on their emails and it should be just fine, or is there any two-factor setting for Sanity teams?
AI Update

Great question! You're right to be thinking about two-factor authentication for your Microsoft-based customers. Let me break down the authentication options available in Sanity:

Standard Authentication (Google & GitHub)

By default, Sanity users authenticate via OAuth 2 with Google or GitHub. When using these providers, the two-factor authentication happens at the provider level. So if your customer adds 2FA to their Google or GitHub account, that protection automatically applies when logging into Sanity. This is what the documentation you quoted is referring to.

Microsoft/Azure Authentication via SAML SSO

For customers using Microsoft services (Azure AD/Entra ID), Sanity offers SAML SSO as an enterprise authentication option. This allows your customer to authenticate using their Microsoft corporate identity instead of Google or GitHub.

Key points about SAML SSO:

There's a detailed guide for setting up SAML with Azure if your customer wants to go this route.

Recommendation for Your Customer

If your customer is on a Business or Enterprise plan and wants to use their Microsoft infrastructure, SAML SSO with Azure AD is the way to go. This gives them:

If they're on a lower-tier plan or want a simpler setup, they can stick with Google/GitHub authentication and just ensure those accounts have 2FA enabled at the provider level. The security is handled by Google/GitHub's 2FA implementation.

Either way, there's no separate "Sanity-level" 2FA setting to configure—the two-factor authentication is always managed by the identity provider (Google, GitHub, or Azure AD).
