
MFA Compliance Audit

Example prompt: "Every other Monday, check our main SaaS tools for anyone whose account does not have MFA turned on, send them a friendly nudge with the steps to enable it, and give me a list of anyone who has not done it a week after the reminder."

The Problem

Multi-factor authentication is the single biggest reduction in account-compromise risk most companies can make, and most of them have a policy that says everyone must have it on. Few actually check. The audit runs once a year when the auditor asks for the report: the security lead pulls the admin export from each tool and discovers that three senior people turned MFA off again after a device swap and never re-enrolled. The fix is small per person (five minutes with the authenticator app), but the security lead does not want to send the same DM 40 times every fortnight, so it does not happen.

How GloriaMundo Solves It

We build a workflow that runs every other Monday morning. An integration step pulls the user list and MFA-enrolment status from each tracked SaaS tool — Google Workspace, Slack admin, the CRM, the design tools. A code step joins the lists against the staff directory and flags every active human account whose MFA flag is off. A conditional step filters out the known exceptions — service accounts with an SSO note in the register, contractors with an explicit waiver pending hardware-token issue. For each remaining person, an LLM step drafts a friendly DM that names the tool, links to the enrolment steps for that tool, and asks them to confirm when it is done; an integration step sends the DM through Slack (or by email for people who are not on the Slack workspace). Seven days later the workflow checks again, and anyone whose MFA flag is still off goes onto a short list for the security lead with the tool, the date of the first nudge, and the date of the follow-up. Glass Box preview shows the flagged accounts and the drafted nudges before anything is sent.

Example Workflow Steps

  1. Trigger (scheduled): Every other Monday at 09:00, with a follow-up sweep the following Monday at 09:00.
  2. Step 1 (integration): For each tracked SaaS tool, pull the user list and MFA-enrolment flag from the admin API.
  3. Step 2 (integration): Read the staff directory and the MFA exception register from Google Sheets.
  4. Step 3 (code): Join the user lists against the directory and the exception register; flag every active human account whose MFA flag is off and is not on the register.
  5. Step 4 (conditional): On the first-pass run, queue each flagged account for a first nudge. On the follow-up run, queue accounts that were nudged on the previous run and still have MFA off for the security-lead list.
  6. Step 5 (LLM): For each first-nudge account, draft a short nudge naming the tool, linking to the enrolment steps, and asking the person to confirm when it is done.
  7. Step 6 (conditional): For each drafted nudge, check the person's register entry — if their preference is email (typical for partners and contractors who are not on the Slack workspace), route to Gmail; otherwise route to Slack.
  8. Step 7 (integration): Send each Slack-routed nudge as a Slack DM, and each email-routed nudge through Gmail with the same body and a clear subject line; log the nudge date back to the audit sheet.
  9. Step 8 (integration): On the follow-up run, post the still-non-compliant list as a single DM to the security lead with the person, the tool, the nudge date, and the follow-up date.
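The join and the first-pass/follow-up split (Steps 3, 4 and 8) are the part a security engineer should read closely, because that is where accounts get silently dropped. The following is an added example, not GloriaMundo's code: the tool exports, directory, exception register and nudge log are constructed inline (a real run would fill them from each admin API and the audit sheet), and it assumes two things the page does not state: that a directory row marks whether an account is human, and that every waiver carries an expiry date so a "pending hardware token" exception cannot become a permanent hole. It also generalises the page's fixed two-run schedule: any flagged account not yet nudged gets a first nudge on whichever run finds it, anyone nudged at least seven days ago and still off is escalated, and anyone who cleared is dropped from the nudge log so a later relapse starts with a fresh nudge rather than an immediate escalation.

```python
"""MFA audit join: tool exports x staff directory x exception register.
Added example (not GloriaMundo's code); all data below is constructed."""
from dataclasses import dataclass
from datetime import date, timedelta

FOLLOW_UP_DAYS = 7  # the page's "seven days later" check


@dataclass(frozen=True)
class ToolUser:
    """One row of a tool's admin export, reduced to what the audit needs."""
    tool: str
    email: str
    active: bool
    mfa_on: bool


@dataclass(frozen=True)
class Waiver:
    """One row of the exception register. tool=None means every tool.
    Assumption: waivers carry an expiry; a lapsed waiver no longer counts."""
    email: str
    tool: "str | None"
    reason: str
    expires: "date | None"


def norm(email: str) -> str:
    # Admin exports disagree on case and stray whitespace; join on one key.
    return email.strip().lower()


def waived(waivers, email, tool, today):
    for w in waivers:
        if norm(w.email) != email or (w.tool is not None and w.tool != tool):
            continue
        if w.expires is not None and w.expires < today:
            continue  # expired waiver: treat the account as unwaived
        return True
    return False


def flag_noncompliant(tool_users, directory, waivers, today):
    """Step 3. directory maps normalised email -> True for humans, False for
    service accounts. Accounts present in a tool but absent from the
    directory are returned separately: they are never nudged, but an
    unknown active account with MFA off must reach the security lead."""
    flagged, unknown = set(), set()
    for u in tool_users:
        if not u.active or u.mfa_on:
            continue
        key = norm(u.email)
        if key not in directory:
            unknown.add((u.tool, key))
        elif directory[key] and not waived(waivers, key, u.tool, today):
            flagged.add((u.tool, key))
    return sorted(flagged), sorted(unknown)


def split_runs(flagged, nudge_log, today):
    """Steps 4 and 8. nudge_log maps (tool, email) -> date of first nudge.
    Returns (first_nudge keys, escalations as (key, nudged, today))."""
    first, escalate = [], []
    for key in flagged:
        nudged = nudge_log.get(key)
        if nudged is None:
            first.append(key)
        elif today - nudged >= timedelta(days=FOLLOW_UP_DAYS):
            escalate.append((key, nudged, today))
    return first, escalate


# --- constructed sample data -------------------------------------------
TODAY = date(2024, 3, 18)
DIRECTORY = {"ana@example.com": True, "ben@example.com": True,
             "cleo@example.com": True, "dev@example.com": True,
             "ci-bot@example.com": False}
TOOL_USERS = [
    ToolUser("google", "Ana@example.com", True, False),    # nudged 8 days ago
    ToolUser("slack", "ana@example.com", True, True),      # fixed since nudge
    ToolUser("google", "ben@example.com", True, False),    # not yet nudged
    ToolUser("crm", "cleo@example.com", True, False),      # live waiver
    ToolUser("crm", "dev@example.com", True, False),       # lapsed waiver
    ToolUser("slack", "ci-bot@example.com", True, False),  # service account
    ToolUser("figma", "old@example.com", False, False),    # deactivated
    ToolUser("figma", "ghost@example.com", True, False),   # not in directory
]
WAIVERS = [Waiver("cleo@example.com", "crm", "token pending", date(2024, 4, 1)),
           Waiver("dev@example.com", None, "token pending", date(2024, 3, 1))]
NUDGE_LOG = {("google", "ana@example.com"): date(2024, 3, 10),
             ("slack", "ana@example.com"): date(2024, 3, 10)}


def run_audit(tool_users=TOOL_USERS, directory=DIRECTORY, waivers=WAIVERS,
              nudge_log=NUDGE_LOG, today=TODAY):
    flagged, unknown = flag_noncompliant(tool_users, directory, waivers, today)
    first, escalate = split_runs(flagged, nudge_log, today)
    cleared = sorted(k for k in nudge_log if k not in set(flagged))
    return {"first_nudge": first, "escalate": escalate,
            "cleared": cleared, "unknown": unknown}


if __name__ == "__main__":
    for section, rows in run_audit().items():
        print(section, rows)
```

On the sample data this yields a first nudge for ben (google) and dev (crm, whose waiver lapsed), an escalation for ana's google account, ana's slack account moving to the cleared list, and ghost@example.com surfacing as an unknown account. Two things worth keeping when wiring this to real exports: normalise the join key before comparing, since Google, Slack and a CRM will not agree on case, and never let a waiver without an expiry pass the filter, because the exception register is where a temporary gap quietly becomes a permanent one.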

Integrations Used

  • Slack — admin API for the workspace, plus the DM channel for nudges and the security-lead summary
  • Google Sheets — the audit log of who was flagged when, the exception register, and the running record of who has cleared
  • Gmail — the email path for nudges to people whose register entry says email-preferred (e.g. partners and contractors not on the Slack workspace)

Who This Is For

Security leads and IT operations leads at companies under a few hundred staff where there is an MFA policy on paper but no central identity provider enforcing it at the SaaS layer, and the security lead is the one person carrying the audit.

Time & Cost Saved

A manual MFA audit across half a dozen tools is half a day of pulling exports and another half day of sending the DMs and chasing replies, repeated only when an auditor asks. This workflow does it every fortnight without the friction, and the saving is not in the security lead's time — it is in the dramatically smaller window of accounts that are non-compliant at any moment, which is the actual security outcome the policy was written for.