Overview
Many customers have recently received an email from NetSuite stating that highly privileged roles (such as Administrators) are required to use Two-Factor Authentication (2FA) and may no longer authenticate via basic user credentials in APIs, RESTlets, or SOAP web services.
This notice is not specific to CloudExtend—NetSuite sends it when any integration in your account is still using user credentials instead of a compliant method.
NetSuite’s definition of “highly privileged roles” can be found here
The full message from NetSuite is included at the end of this article.
How CloudExtend Supports 2FA
CloudExtend apps already support NetSuite’s secure, compliant authentication methods:
Token-Based Authentication (TBA)
NetSuite Three-Step Authorization (3SA)
Single Sign-On (SSO)
Multi-Factor Authentication (MFA)
CloudExtend never requires or uses basic user credentials for API authentication with privileged roles.
Below is a summary of what each app supports and any actions your organization may need to take.
ExtendSync for Outlook NetSuite
ExtendSync Outlook users can login with highly privileged roles that require 2FA as long as they have properly configured the permissions for those roles. See this article for full details.
ExtendInsights for Excel NetSuite
ExtendInsights users can login with highly privileged roles that require 2FA as long as they have properly configured the permissions for those roles. See this article for full details.
ExtendSync for Google NetSuite
ExtendSync Google users can manually create login tokens (or have their Admins create them) as outlined here.
NetSuite’s Mandatory 2FA Email (Full Text)
You are receiving this notice because some of your RESTlets or SOAP web services integrations still use user credentials as an authentication method for the Administrator or other highly privileged roles.
This approach is prohibited, because authenticating with user credentials is not compliant with the Mandatory Two-Factor Authentication (2FA) policy for Administrators and other highly privileged roles. To comply with this policy, you must use Token-based Authentication (SuiteAnswers ID 41827), or OAuth 2.0 (SuiteAnswers ID 91092) for your integrations.
Mandatory 2FA Policy Summary
Administrators and other highly privileged roles must authenticate in a way that is compliant with the Mandatory 2FA policy for UI and non-UI access to NetSuite. Using user credentials to access NetSuite through the Application Programming Interface (API) for these roles is prohibited as the authentication method is not compliant with the Mandatory 2FA policy. NetSuite offers other authentication methods that are compliant with the policy and strengthen security of your account: Token-based Authentication and OAuth 2.0.
For more information about Mandatory 2FA, see Permissions Requiring Two-Factor Authentication (2FA) (SuiteAnswers ID 70234), and Mandatory Two-Factor Authentication (2FA) for NetSuite Access (Suite Answers ID 76766).
Required Actions
To be compliant with the Mandatory 2FA policy, you must use either Token-based Authentication or OAuth 2.0 as the authentication method for your integrations when authenticating as an Administrator or other highly privileged roles.
For Token-based Authentication, see Token-based Authentication (SuiteAnswers ID 41827)
For OAuth 2.0, see OAuth 2.0 (SuiteAnswers ID 91092)
You should update your RESTlets and web services integrations as soon as possible to use one of these authentication methods.
If a partner or third-party supplied your integration and you are unable to change the authentication method, contact the partner or third party and request that they make the required changes.
If you have additional questions, please contact NetSuite Customer Support.
Thank you,
The Oracle NetSuite Team
Key Takeaways
CloudExtend is already aligned with NetSuite’s security requirements
Your org must ensure all integrations (CloudExtend and non-CloudExtend) use TBA or OAuth 2.0
CloudExtend supports MFA + SSO through NetSuite’s 3-Step Authorization
The NetSuite warning email does not necessarily mean CloudExtend is misconfigured
Need Help?
If you’re unsure whether CloudExtend is triggering this warning or need help confirming your configuration:
💬 Chat with us (bottom-right of this page)
📧 Email cloudextend-support@celigo.com
Include:
The role(s) affected
Any error messages
Whether SSO/TBA is enabled
A copy of the NetSuite notification