Feature request: Enforce SSO for Owners and disable magic-link/password bypass in Prefect Cloud

[zzstoatzz]

This discussion was created from a Slack thread conversation.

Original Thread: https://prefect-community.slack.com/archives/C04DZJC94DC/p1761603291998779

---

Summary
Organizations using Prefect Cloud 3 would like the option to fully enforce SSO for all human users, including Account Owners, and to disable magic-link/password-based authentication as a bypass. Today, Owners have an explicit ability to “Bypass SSO,” which means they can still authenticate with email (including magic links) even when SSO is configured. Some security-conscious customers consider this a risk and would prefer a hard SSO-only posture.

Current behavior (docs)

• Roles: Owners can “Bypass SSO”; Admins and Members cannot. Docs: https://docs.prefect.io/v3/how-to-guides/cloud/manage-users/manage-roles
• SSO configuration: Once SSO is set up for the account, non-admins must use SSO. Docs: https://docs.prefect.io/v3/how-to-guides/cloud/manage-users/configure-sso
• Result: Owners can still sign in without SSO (e.g., via email magic link), which some teams want to disable entirely.

User request

• Provide an account-level option to:
  1. Enforce SSO for Owners (remove Owner bypass).
  2. Disable all non-SSO interactive login methods (email/password, magic links) for the account.
• The user notes they would prefer to contact Prefect Support for break-glass recovery rather than allow any SSO bypass.

Rationale

• Aligns with strict security postures where all human access must flow through the organization’s IdP (SAML/OIDC) controls and conditional access policies.
• Reduces risk of unauthorized access if an email inbox is compromised or if magic-link delivery is abused.
• Many enterprises have compliance requirements that mandate SSO-only authentication.

Potential design options

• Account-level toggle: “Enforce SSO for Owners” (Owners must authenticate with SSO; bypass disabled).
• Account-level toggle: “Disable email/password and magic-link logins.”
• Break-glass option managed by Prefect Support (or a codified mechanism generating time-bound recovery tokens with strong audit trails), only usable by verified account contacts.
• Enhanced audit logging when any break-glass path is used.

Open questions for the team

• Impact on CLI/API key issuance: Should Owner-created API keys remain unaffected? Should there be guardrails tied to SSO session state?
• Should there be an exemption for emergency recovery (time-limited, highly audited), or is a pure SSO-only mode acceptable where only Support can assist with recovery?
• How to handle existing Owner sessions/tokens when toggling enforcement?

Why now

• This request comes from a customer who explicitly stated they consider SSO bypass for Owners and magic-link logins to be dangerous in their environment and would prefer to rely on Prefect Support for recovery.

Requested outcome

• Add a Cloud setting (Enterprise-eligible) to enforce SSO for Owners and optionally disable magic-link/password logins account-wide, with clear documentation and auditability.

---

This discussion was automatically created by the Marvin bot to preserve valuable community insights.