How to Set Up Domain-Based Restriction in Drupal

Overview

The Domain Based Restriction feature allows administrators to enforce Two-Factor Authentication (2FA) for users belonging to specific email domains. This helps organizations strengthen security by ensuring that users from certain domains must complete an additional authentication step while logging in. For example, if users log in using email addresses such as user@company.com or admin@partner.org, you can configure the system so that these users are required to complete 2FA verification during login. The Drupal Two Factor Authentication - 2FA / Passwordless Login is available for Drupal 8, Drupal 9, Drupal 10, and Drupal 11.

Installation Steps

• Using Composer
• Using Drush
• Manual Installation

• Download the module:

  Composer require 'drupal/miniorange_2fa'

• Navigate to Extend menu on your Drupal admin console and search for miniOrange Second Factor Authentication using the search box.
• Enable the module by checking the checkbox and click on install button.
• Configure the module at

  {BaseURL}/admin/config/people/miniorange_2fa/customer_setup

• Install the module:

  drush en miniorange_2fa

• Clear the cache:

   drush cr

• Configure the module at

  {BaseURL}/admin/config/people/miniorange_2fa/customer_setup

• Navigate to Extend menu on your Drupal admin console and click on Install new module button.
• Install the miniOrange Second Factor Authentication module either by downloading the zip or from the URL of the package (tar/zip).
• Click on Enable newly added modules.
• Enable this module by checking the checkbox and click on install button.
• Configure the module at

  {BaseURL}/admin/config/people/miniorange_2fa/customer_setup

Post-Installation Prerequisites:

• Before configuring Domain Based 2FA, ensure the following:
  • Users have valid email addresses associated with their accounts.
  • You have Administrator access to configure 2FA policies.

Configuration Steps

Open 2FA Policy Settings

• Log in to your Drupal site as an Administrator.
• Navigate to the 2FA Policy for End Users tab.
• Scroll down to the 2FA Restrictions section.
• From the left menu, select Domain Based Restriction.

Enable Domain Based 2FA

• Enable the Enable Domain Based 2FA toggle.
• Once enabled, the system will start checking user email domains during login to determine whether 2FA should be triggered.
• In the Domain Input Field, enter the email domains for which you want to enforce Two-Factor Authentication. (Multiple domains must be separated using a semicolon.)
• Example: abc.com;xyz.com;company.org
• In this case: Users with email addresses ending in abc.com, xyz.com, or company.org will be required to complete 2FA verification when they log in.

Configure Interaction with Role Based 2FA

If Role Based 2FA is also enabled in your system, you can define how Domain Based 2FA and Role Based 2FA should work together.

You can choose one of the following options:

Option 1: Invoke 2FA if user belongs to Role as well as Domain

• 2FA will only be triggered when both conditions are met:
• The user belongs to the configured role.
• The user's email belongs to the specified domain.

Option 1: Invoke 2FA if user belongs to either Role or Domain

• 2FA will be triggered if any one condition is satisfied:
• The user belongs to the configured role
• OR the user's email domain matches the configured domain list.

Save Configuration

• After completing the configuration, click the Save Settings button.
• A confirmation message will appear at the top of the page indicating the settings have been saved successfully.

You have successfully configured Domain Based Restriction.

User Experience:

• Open a new browser/private window and navigate to your Drupal site login or registration page.
• Enter your email address and other required credentials.
• The system validates the email domain against the list of allowed domains configured by the administrator.
• If the email domain matches the allowed domain list, the user will be required to set up 2FA if it has not been configured yet. If 2FA is already configured, the user must authenticate using the configured 2FA method.
• If the email domain does not match the configured domains, 2FA will not be invoked for those users, as 2FA is mandatory only for the specified domains.