---
title: Administrator Security
description: Use the administrator security endpoints to read and update environment administrator sign-on settings. By default, MFA is enforced for administrators. You can use the PUT operation to:
component: pingone-api
page_id: pingone-api:platform:administrator-security
canonical_url: https://developer.pingidentity.com/pingone-api/platform/administrator-security.html
section_ids:
  assigning-admin-roles-and-permissions-to-this-service: Assigning admin roles and permissions to this service
  administrator-security-data-model: Administrator security data model
  response-codes: Response codes
---

# Administrator Security

Use the administrator security endpoints to read and update environment administrator sign-on settings. By default, MFA is enforced for administrators. You can use the PUT operation to:

* Use an external identity provider or a hybrid configuration by making a request to `PUT {{apiPath}}/v1/environments/{{envID}}/adminConfig` and setting the `authenticationMethod` property.

* Require MFA for all admin sign-ons. In this case, use `PINGONE` as the value of `authenticationMethod`, set the `mfaStatus` value to `ENFORCE`, and set `allowedMethods` to the MFA methods you want to enable.

Refer to [Configuring Administrator Security](https://docs.pingidentity.com/pingone/settings/p1_configure_administrator_security.html) in the PingOne administrator documentation for more information.

Misconfiguring an external IdP can result in a lockout.

## Assigning admin roles and permissions to this service

Admin role assignments determine access to PingOne APIs. When assigning admin roles to this service, refer to [PingOne Permissions by Service](reference/roles-and-permissions-in-pingone/permissions-by-service.html) for the service-specific permissions.

You can also choose to assign admin roles based on particular service resources. Refer to [PingOne Permissions by Resource](reference/roles-and-permissions-in-pingone/permissions-by-resource.html) when assigning admin roles per service resources.

Admin assignments to roles are set by:

* [Automatic assignment for some roles](roles/predefined-roles.html#automatic-role-assignment).

* [Group Role Assignments](group-role-assignments/group-role-assignments.html).

* [User Role Assignments](users/user-role-assignments.html).

Refer to [Roles Management](roles.html) for more information.

## Administrator security data model

| Property               | Type    | Required? | Mutable?  | Description                                                                                                                                                                          |
| ---------------------- | ------- | --------- | --------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------ |
| `allowedMethods`       | Object  | Optional  | Mutable   | Indicates the methods to enable or disable for admin sign-on. Required properties are `TOTP` (time-based one-time password), `FIDO2`, and `EMAIL`.                                   |
| `allowedMethods.EMAIL` | String  | Required  | Mutable   | Indicates whether to enable email for sign-on. Must be set to either `{"enabled":true}` or `{"enabled":false}`.                                                                      |
| `allowedMethods.FIDO2` | String  | Required  | Mutable   | Indicates whether to enable FIDO2 for sign-on. Must be set to either `{"enabled":true}` or `{"enabled":false}`.                                                                      |
| `allowedMethods.TOTP`  | String  | Required  | Mutable   | Indicates whether to enable TOTP for sign-on. Must be set to either `{"enabled":true}` or `{"enabled":false}`.                                                                       |
| `authenticationMethod` | String  | Required  | Mutable   | Indicates whether to use PingOne MFA, an external IdP, or a combination of both for admin sign-on. Possible values are `PINGONE`, `EXTERNAL`, or `HYBRID`. The default is `PINGONE`. |
| `createdAt`            | Date    | N/A       | Read-only | The timestamp the resource was created.                                                                                                                                              |
| `environment.id`       | UUID    | N/A       | Read-only | The ID of the environment.                                                                                                                                                           |
| `hasFido2Capabilities` | Boolean | N/A       | Read-only | Indicates whether the environment supports FIDO2 passkeys for MFA.                                                                                                                   |
| `isPingIDInBOM`        | Boolean | N/A       | Read-only | Indicates whether the environment supports PingID for MFA.                                                                                                                           |
| `mfaStatus`            | String  | Required  | Immutable | This property must be set to `ENFORCE` as MFA is required for administrator sign-ons. This property applies only to the specified environment.                                       |
| `provider.id`          | UUID    | Optional  | Mutable   | The UUID of the external IdP, if applicable.                                                                                                                                         |
| `recovery`             | Boolean | Required  | Mutable   | Indicates whether to allow account recovery within the admin policy.                                                                                                                 |
| `updatedAt`            | Date    | N/A       | Read-only | The timestamp the resource was last updated.                                                                                                                                         |
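
As an added example (not PingOne's own code), the following Python checks a request body against the data model above before building the `PUT {{apiPath}}/v1/environments/{{envID}}/adminConfig` request. The function names, the `provider.id` check for `EXTERNAL`/`HYBRID` and the bearer-token header are assumptions of this example; the request is built but not sent.

```python
import json
import urllib.request

METHODS = ("TOTP", "FIDO2", "EMAIL")
AUTH_METHODS = ("PINGONE", "EXTERNAL", "HYBRID")
READ_ONLY = ("createdAt", "updatedAt", "environment", "hasFido2Capabilities", "isPingIDInBOM")


def validate_admin_config(body):
    """Return a list of problems; an empty list means the body fits the data model."""
    problems = [f"{k} is read-only and must not be sent" for k in READ_ONLY if k in body]
    auth = body.get("authenticationMethod")
    if auth not in AUTH_METHODS:
        problems.append("authenticationMethod must be PINGONE, EXTERNAL or HYBRID")
    if body.get("mfaStatus") != "ENFORCE":
        problems.append("mfaStatus must be ENFORCE")
    if not isinstance(body.get("recovery"), bool):
        problems.append("recovery must be a boolean")
    allowed = body.get("allowedMethods")
    if allowed is not None:  # optional object, but all three keys are required inside it
        for name in METHODS:
            entry = allowed.get(name) if isinstance(allowed, dict) else None
            if not (isinstance(entry, dict) and isinstance(entry.get("enabled"), bool)):
                problems.append(f"allowedMethods.{name} needs a boolean 'enabled'")
    # Assumption (not in the table): EXTERNAL or HYBRID without provider.id names no
    # IdP for admins to sign on with, the lockout case the page warns about.
    if auth in ("EXTERNAL", "HYBRID") and not (body.get("provider") or {}).get("id"):
        problems.append("provider.id is missing for an external IdP configuration")
    return problems


def build_put_request(api_path, env_id, token, body):
    """Build (do not send) the PUT request; reject a body that fails validation."""
    problems = validate_admin_config(body)
    if problems:
        raise ValueError("; ".join(problems))
    return urllib.request.Request(
        f"{api_path}/v1/environments/{env_id}/adminConfig",
        data=json.dumps(body).encode(),
        method="PUT",
        # Assumption: bearer-token authorization, which this page does not specify.
        headers={"Content-Type": "application/json", "Authorization": f"Bearer {token}"},
    )

# Constructed sample body: PingOne MFA enforced, TOTP and FIDO2 on, email off.
SAMPLE = {
    "authenticationMethod": "PINGONE", "mfaStatus": "ENFORCE", "recovery": True,
    "allowedMethods": {"TOTP": {"enabled": True}, "FIDO2": {"enabled": True}, "EMAIL": {"enabled": False}},
}
```

Running the validator on every change to this resource, for example in a configuration pipeline, catches a body that would switch admins to an external IdP without naming one before it reaches the environment.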

### Response codes

| Code | Message                                                               |
| ---- | --------------------------------------------------------------------- |
| 200  | Successful operation.                                                 |
| 201  | Successfully created.                                                 |
| 400  | The request could not be completed.                                   |
| 401  | You do not have access to this resource.                              |
| 403  | You do not have permissions or are not licensed to make this request. |
| 404  | The requested resource was not found.                                 |
