> ## Documentation Index > Fetch the complete documentation index at: https://stytch.com/docs/llms.txt > Use this file to discover all available pages before exploring further. # Org configuration rules > To ensure that your Organization's authentication settings are valid, the following rules apply. If no Organization authentication parameters are passed in, `email_invites` defaults to `ALL_ALLOWED` allowing the Organization to add Members. If some authentication parameters are passed but `email_invites` is omitted, it defaults to `NOT_ALLOWED`. Additionally, the following rules apply: ### Allowed Auth Methods * If `allowed_auth_methods` is empty * then `auth_methods` cannot be set to RESTRICTED. * If `allowed_auth_methods` is not empty * and `auth_methods` is set to `RESTRICTED`, then all members looking to authenticate will be required to use one of these auth methods. * If `allowed_auth_methods` is updated * then the entire list will be overwritten by the new values. * then all currently active Members will remain active even if their auth methods no longer comply with `allowed_auth_methods`. However, the member will not be able to authenticate with the disallowed methods. * and `auth_methods` is set to `RESTRICTED`, then `auth_methods` cannot be set to an empty array. ### Allowed MFA Methods * If `allowed_mfa_methods` is empty * then `mfa_methods` cannot be set to RESTRICTED. * If `allowed_mfa_methods` is not empty * and `mfa_methods` is set to `RESTRICTED`, then all members looking to authenticate with MFA will be required to use one of these MFA methods. * If `allowed_mfa_methods` is updated * then the entire list will be overwritten by the new values. * then all currently active Members will remain active even if their MFA methods no longer comply with `allowed_mfa_methods`. However, the member will not be able to MFA authenticate with the disallowed methods. * and `mfa_methods` is set to RESTRICTED, then `mfa_methods` cannot be set to an empty array. ### Email Magic Links * If `email_allowed_domains` is empty * then `email_invites` cannot be set to RESTRICTED. * then `email_jit_provisioning` cannot be set to RESTRICTED. * If `email_allowed_domains` is not empty * and `email_invites` is set to `RESTRICTED`, then all new Members must have an email address that complies with `email_allowed_domains` in order to be invited by email. * and `email_invites` is set to `ALL_ALLOWED`, then any new Member can be invited to email. * and `email_invites` is set to `NOT_ALLOWED`, then email invites are disabled. * If `email_allowed_domains` is not empty * and `email_jit_provisioning` is set to `RESTRICTED`, then all new Members must have an email address that complies with `email_allowed_domains` in order to be provisioned via Email Magic Links. * and `email_jit_provisioning` is set to `ALL_ALLOWED`, then any new Member can be provisioned via Email Magic Links. * and `email_jit_provisioning` is set to `NOT_ALLOWED`, then JIT provisioning via Email Magic Links is disabled. * If `email_allowed_domains` is updated * then the entire list will be overwritten by the new value. * then all Members will remain active even if their email\_address no longer complies with `email_allowed_domains`. * and either `email_invites` or `email_jit_provisioning` is set to `RESTRICTED`, then `email_allowed_domains` cannot be set to an empty array. ### Single Sign On * If `sso_jit_provisioning_allowed_connections` is empty * then `sso_jit_provisioning` cannot be set to `RESTRICTED`. * If `sso_jit_provisioning_allowed_connections` is not empty * and `sso_jit_provisioning` is set to `RESTRICTED`, then all new Members must have an SSO login that complies with `sso_jit_provisioning_allowed_connections` in order to be provisioned via SSO. * and `sso_jit_provisioning` is set to `ALL_ALLOWED`, then all new Members will be automatically provisioned via any of the Organization's `sso_active_connections`. * and `sso_jit_provisioning` is set to `NOT_ALLOWED`, then JIT provisioning via SSO is disabled. * If `sso_jit_provisioning_allowed_connections` is updated * then the entire list will be overwritten by the new value. * then all currently active Members will remain active even if their `sso_registrations` no longer complies with `sso_jit_provisioning_allowed_connections`. * and `sso_jit_provisioning` is set to `RESTRICTED`, then `sso_jit_provisioning_allowed_connections` cannot be set to an empty array.