> ## Documentation Index
> Fetch the complete documentation index at: https://stytch.com/docs/llms.txt
> Use this file to discover all available pages before exploring further.

# Configure auth methods

> Multi-tenant auth allows granular configuration of which authentication methods can be used by Members.

You can update these settings on the [Stytch Dashboard](https://stytch.com/dashboard/organizations), or by using the [Update Organization](/api-reference/b2b/api/organizations/update-organization) endpoint.

<CodeGroup>
  ```bash cURL icon="https://d3gk2c5xim1je2.cloudfront.net/devicon/bash.svg" theme={null}
  curl --request PUT \
    --url https://api.stytch.com/v1/b2b/organizations/{organization_id} \
    --header 'Authorization: Basic <encoded-value>' \
    --header 'Content-Type: application/json' \
    --data '{
      "auth_methods": "RESTRICTED",
      "allowed_auth_methods": ["google_oauth"],
      "mfa_policy": "REQUIRED_FOR_ALL",
    }'
  ```

  ```python Python icon="python" theme={null}
  client.organizations.update(
    organization_id="organization-test-07971b06-ac8b-4cdb-9c15-63b17e653931",
    auth_methods="RESTRICTED",
    allowed_auth_methods=["google_oauth"],
    mfa_policy="REQUIRED_FOR_ALL",
  )
  ```

  ```javascript Javascript icon="js" theme={null}
  client.organizations.update({
    organization_id: "organization-test-07971b06-ac8b-4cdb-9c15-63b17e653931",
    auth_methods: "RESTRICTED",
    allowed_auth_methods: ["google_oauth"],
    mfa_policy: "REQUIRED_FOR_ALL",
  })
  ```
</CodeGroup>

## Setting allowed authentication methods

Allowed authentication methods are controlled by the [`auth_methods`](/api-reference/b2b/api/organizations/update-organization#body-auth-methods) setting. The accepted values are:

* `ALL_ALLOWED` – the default setting which allows all authentication methods allowed by your application to be used
* `RESTRICTED` – only methods that comply with [`allowed_auth_methods`](/api-reference/b2b/api/organizations/update-organization#body-allowed-auth-methods) can be used for authentication.

If `auth_methods` is `RESTRICTED`, `allowed_auth_methods` must be set to an array of allowed authentication methods.  The valid values are:

* `sso`
* `magic_link`
* `email_otp`
* `password`
* `google_oauth`
* `microsoft_oauth`
* `slack_oauth`
* `github_oauth`
* `hubspot_oauth`

## Setting allowed MFA methods

Allowed MFA methods are controlled by the [`mfa_methods`](/api-reference/b2b/api/organizations/update-organization#body-mfa-methods) setting. The accepted values are:

* `ALL_ALLOWED` – the default setting which allows all MFA methods allowed by your application to be used
* `RESTRICTED` – only methods that comply with [`allowed_mfa_methods`](/api-reference/b2b/api/organizations/update-organization#body-allowed-mfa-methods) can be used for MFA.

If `mfa_methods` is `RESTRICTED`, `allowed_mfa_methods` must be set to an array of allowed MFA methods.  The valid values are:

* `sms_otp`
* `totp`

## Requiring MFA

Allowed MFA methods are controlled by the [`mfa_policy`](/api-reference/b2b/api/organizations/update-organization#body-mfa-policy) setting. The accepted values are:

* `REQUIRED_FOR_ALL` – all Members of the Organization will be required to complete an MFA flow in order to log in.
* `OPTIONAL` – MFA is optional, but individual Members can still enroll in MFA, which will require them to complete an MFA flow to log in going forward.

## Breakglass Members

Breakglass Members serve as protection against invalid provisioning settings. A breakglass Member has permissions to authenticate into an Organization by bypassing the Organization's settings. Typically, this is used for emergency purposes to gain access outside of normal authentication procedures.