Enabling multi-factor authentication - Amazon WorkDocs

Enabling multi-factor authentication

These steps explain how to enable multi-factor authentication for your AD Connector directory.


Multi-factor authentication is not available for Simple AD directories.

To enable multi-factor authentication

  1. Open the Amazon WorkDocs console at https://console.aws.amazon.com/zocalo/.

  2. In the Manage Your WorkDocs Sites page, select the desired site and choose Actions and Manage MFA.

  3. Enter the following values and choose Update MFA.

    Enable Multi-Factor Authentication

    Check to enable multi-factor authentication.

    RADIUS server IP address(es)

    The IP addresses of your RADIUS server endpoints, or the IP address of your RADIUS server load balancer. You can enter multiple IP addresses by separating them with a comma. For example,,


    The port that your RADIUS server uses to communicate. Your on-premises network must allow inbound traffic over the default RADIUS server port (1812) from the AD Connector servers.

    Shared secret code

    The shared secret code that was specified when your RADIUS endpoints were created.

    Confirm shared secret code

    Confirm the shared secret code for your RADIUS endpoints.


    Select the protocol that was specified when your RADIUS endpoints were created.

    Server timeout

    The amount of time, in seconds, to wait for the RADIUS server to respond. Enter a value between 1 and 60.

    Max retries

    The number of times that communication with the RADIUS server is attempted. Enter a value between 0 and 10.

    Multi-factor authentication is available when the RADIUS Status changes to Enabled. While you set up multi-factor authentication, your users can't log in to the Amazon WorkDocs site.