Enable MFA for Your Company

Procore MFA: Regional Availability for SMS Verification

Procore supports Authenticator apps everywhere. SMS Verfication is only available in these countries Show/Hide Details

SMS Verification is available in these countries.

  • Note: SMS Verification for Procore Pay (Payees) is limited to the United States.

    • US

    • Canada

    • Mexico

    • UK

    • Ireland

    • France

    • Germany

    • Spain

    • Italy

    • Australia

    • New Zealand

    • Singapore

    • Hong Kong

As your company's Procore Administrator, your first step is to enable MFA for your entire company and choose an enforcement deadline. This is the mandatory enrollment date for your end users. Once MFA is active in your environment, it is your responsibility to manage resets for users who lose device access. See Reset MFA for a User.

Best Practice: 30-Day Transition Window

Give users 30 days between your announcement and the enforcement deadline. This window lets them set up MFA on their own schedule instead of being forced to do it on a busy day. Share this guide to help them with their first-time setup and subsequent login.

Things to Consider

  • Required User Permissions: 'Admin' level permissions on both the Company Admin and Directory tools.

  • Verification Methods: Users must set up at least one two-factor method (Authenticator App or SMS).

  • Unique Verification Codes: Authenticator codes refresh every 30 seconds. SMS codes expire after 10 minutes.

    Important

    Keep your verification code private. Procore generates a unique code just for you. Never share it with anyone. Procore employees will never ask for it.

  • Limitations for SSO Users:

    • For users on domains targeted for Single Sign-On (SSO), MFA must be configured through your Identity Provider (IdP) (e.g., Azure AD, Okta, Google, etc.).

    • Procore's password reset features do not apply. See Who is responsible for resetting MFA?

Prerequisites

  • Review your Company Directory and mark any stale or terminated users as Inactive. This ensures that the MFA enrollment process is only required for active users and helps prevent unnecessary support overhead. To learn more, see Deactivate User Accounts in the Company Directory.

Steps

  1. Navigate to the Company level Admin tool.

  2. Under Company Settings, click Security Settings.

  3. Click the Multi-Factor Authentication (MFA) tab.

  4. Switch the Require MFA toggle to ON.

  5. Set an MFA Enforcement Deadline. After this date, all users must log in using MFA, according to the Administrator's time zone.

    Example

    If an Administrator in New York (EST) sets the deadline for Friday, enforcement begins for everyone—including international users—immediately after Midnight on Friday morning in New York.

  6. Click Save Changes.

    Tip

    Saving these settings doesn't force users to use MFA right away. Instead, enforcement starts on the deadline you choose. You can update this date anytime by saving a new configuration. Users can pre-enroll in MFA before the deadline. For details, see How can I set up MFA before the enforcement deadline?