## Update your Zero Trust organization

**put** `/{accounts_or_zones}/{account_or_zone_id}/access/organizations`

Updates the configuration for your Zero Trust organization.

### Path Parameters

- `account_id: optional string`

  The Account ID to use for this endpoint. Mutually exclusive with the Zone ID.

- `zone_id: optional string`

  The Zone ID to use for this endpoint. Mutually exclusive with the Account ID.

### Body Parameters

- `allow_authenticate_via_warp: optional boolean`

  When set to true, users can authenticate via WARP for any application in your organization. Application settings will take precedence over this value.

- `auth_domain: optional string`

  The unique subdomain assigned to your Zero Trust organization.

- `auto_redirect_to_identity: optional boolean`

  When set to `true`, users skip the identity provider selection step during login.

- `custom_pages: optional object { forbidden, identity_denied }`

  - `forbidden: optional string`

    The uid of the custom page to use when a user is denied access after failing a non-identity rule.

  - `identity_denied: optional string`

    The uid of the custom page to use when a user is denied access.

- `deny_unmatched_requests: optional boolean`

  Determines whether to deny all requests to Cloudflare-protected resources that lack an associated Access application. If enabled, you must explicitly configure an Access application and policy to allow traffic to your Cloudflare-protected resources. For domains you want to be public across all subdomains, add the domain to the `deny_unmatched_requests_exempted_zone_names` array.

- `deny_unmatched_requests_exempted_zone_names: optional array of string`

  Contains zone names to exempt from the `deny_unmatched_requests` feature. Requests to a subdomain in an exempted zone will block unauthenticated traffic by default if there is a configured Access application and policy that matches the request.

- `is_ui_read_only: optional boolean`

  Lock all settings as Read-Only in the Dashboard, regardless of user permission. Updates may only be made via the API or Terraform for this account when enabled.

- `login_design: optional LoginDesign`

  - `background_color: optional string`

    The background color on your login page.

  - `footer_text: optional string`

    The text at the bottom of your login page.

  - `header_text: optional string`

    The text at the top of your login page.

  - `logo_path: optional string`

    The URL of the logo on your login page.

  - `text_color: optional string`

    The text color on your login page.

- `mfa_config: optional object { allowed_authenticators, session_duration }`

  Configures multi-factor authentication (MFA) settings for an organization.

  - `allowed_authenticators: optional array of "totp" or "biometrics" or "security_key"`

    Lists the MFA methods that users can authenticate with.

    - `"totp"`

    - `"biometrics"`

    - `"security_key"`

  - `session_duration: optional string`

    Defines the duration of an MFA session. Must be in minutes (m) or hours (h). Minimum: 0m. Maximum: 720h (30 days). Examples:`5m` or `24h`.

- `mfa_required_for_all_apps: optional boolean`

  Determines whether global MFA settings apply to applications by default. The organization must have MFA enabled with at least one authentication method and a session duration configured.

- `name: optional string`

  The name of your Zero Trust organization.

- `session_duration: optional string`

  The amount of time that tokens issued for applications will be valid. Must be in the format `300ms` or `2h45m`. Valid time units are: ns, us (or µs), ms, s, m, h.

- `ui_read_only_toggle_reason: optional string`

  A description of the reason why the UI read only field is being toggled.

- `user_seat_expiration_inactive_time: optional string`

  The amount of time a user seat is inactive before it expires. When the user seat exceeds the set time of inactivity, the user is removed as an active seat and no longer counts against your Teams seat count.  Minimum value for this setting is 1 month (730h). Must be in the format `300ms` or `2h45m`. Valid time units are: `ns`, `us` (or `µs`), `ms`, `s`, `m`, `h`.

- `warp_auth_session_duration: optional string`

  The amount of time that tokens issued for applications will be valid. Must be in the format `30m` or `2h45m`. Valid time units are: m, h.

### Returns

- `errors: array of object { code, message, documentation_url, source }`

  - `code: number`

  - `message: string`

  - `documentation_url: optional string`

  - `source: optional object { pointer }`

    - `pointer: optional string`

- `messages: array of object { code, message, documentation_url, source }`

  - `code: number`

  - `message: string`

  - `documentation_url: optional string`

  - `source: optional object { pointer }`

    - `pointer: optional string`

- `success: true`

  Whether the API call was successful.

  - `true`

- `result: optional Organization`

  - `allow_authenticate_via_warp: optional boolean`

    When set to true, users can authenticate via WARP for any application in your organization. Application settings will take precedence over this value.

  - `auth_domain: optional string`

    The unique subdomain assigned to your Zero Trust organization.

  - `auto_redirect_to_identity: optional boolean`

    When set to `true`, users skip the identity provider selection step during login.

  - `custom_pages: optional object { forbidden, identity_denied }`

    - `forbidden: optional string`

      The uid of the custom page to use when a user is denied access after failing a non-identity rule.

    - `identity_denied: optional string`

      The uid of the custom page to use when a user is denied access.

  - `deny_unmatched_requests: optional boolean`

    Determines whether to deny all requests to Cloudflare-protected resources that lack an associated Access application. If enabled, you must explicitly configure an Access application and policy to allow traffic to your Cloudflare-protected resources. For domains you want to be public across all subdomains, add the domain to the `deny_unmatched_requests_exempted_zone_names` array.

  - `deny_unmatched_requests_exempted_zone_names: optional array of string`

    Contains zone names to exempt from the `deny_unmatched_requests` feature. Requests to a subdomain in an exempted zone will block unauthenticated traffic by default if there is a configured Access application and policy that matches the request.

  - `is_ui_read_only: optional boolean`

    Lock all settings as Read-Only in the Dashboard, regardless of user permission. Updates may only be made via the API or Terraform for this account when enabled.

  - `login_design: optional LoginDesign`

    - `background_color: optional string`

      The background color on your login page.

    - `footer_text: optional string`

      The text at the bottom of your login page.

    - `header_text: optional string`

      The text at the top of your login page.

    - `logo_path: optional string`

      The URL of the logo on your login page.

    - `text_color: optional string`

      The text color on your login page.

  - `mfa_config: optional object { allowed_authenticators, session_duration }`

    Configures multi-factor authentication (MFA) settings for an organization.

    - `allowed_authenticators: optional array of "totp" or "biometrics" or "security_key"`

      Lists the MFA methods that users can authenticate with.

      - `"totp"`

      - `"biometrics"`

      - `"security_key"`

    - `session_duration: optional string`

      Defines the duration of an MFA session. Must be in minutes (m) or hours (h). Minimum: 0m. Maximum: 720h (30 days). Examples:`5m` or `24h`.

  - `mfa_required_for_all_apps: optional boolean`

    Determines whether global MFA settings apply to applications by default. The organization must have MFA enabled with at least one authentication method and a session duration configured.

  - `name: optional string`

    The name of your Zero Trust organization.

  - `session_duration: optional string`

    The amount of time that tokens issued for applications will be valid. Must be in the format `300ms` or `2h45m`. Valid time units are: ns, us (or µs), ms, s, m, h.

  - `ui_read_only_toggle_reason: optional string`

    A description of the reason why the UI read only field is being toggled.

  - `user_seat_expiration_inactive_time: optional string`

    The amount of time a user seat is inactive before it expires. When the user seat exceeds the set time of inactivity, the user is removed as an active seat and no longer counts against your Teams seat count.  Minimum value for this setting is 1 month (730h). Must be in the format `300ms` or `2h45m`. Valid time units are: `ns`, `us` (or `µs`), `ms`, `s`, `m`, `h`.

  - `warp_auth_session_duration: optional string`

    The amount of time that tokens issued for applications will be valid. Must be in the format `30m` or `2h45m`. Valid time units are: m, h.

### Example

```http
curl https://api.cloudflare.com/client/v4/$ACCOUNTS_OR_ZONES/$ACCOUNT_OR_ZONE_ID/access/organizations \
    -X PUT \
    -H 'Content-Type: application/json' \
    -H "Authorization: Bearer $CLOUDFLARE_API_TOKEN" \
    -d '{
          "auth_domain": "test.cloudflareaccess.com",
          "deny_unmatched_requests_exempted_zone_names": [
            "example.com"
          ],
          "name": "Widget Corps Internal Applications",
          "session_duration": "24h",
          "ui_read_only_toggle_reason": "Temporarily turn off the UI read only lock to make a change via the UI",
          "user_seat_expiration_inactive_time": "730h",
          "warp_auth_session_duration": "24h"
        }'
```

#### Response

```json
{
  "errors": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": {
        "pointer": "pointer"
      }
    }
  ],
  "messages": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": {
        "pointer": "pointer"
      }
    }
  ],
  "success": true,
  "result": {
    "allow_authenticate_via_warp": true,
    "auth_domain": "test.cloudflareaccess.com",
    "auto_redirect_to_identity": true,
    "created_at": "2014-01-01T05:20:00.12345Z",
    "custom_pages": {
      "forbidden": "699d98642c564d2e855e9661899b7252",
      "identity_denied": "699d98642c564d2e855e9661899b7252"
    },
    "deny_unmatched_requests": true,
    "deny_unmatched_requests_exempted_zone_names": [
      "example.com"
    ],
    "is_ui_read_only": true,
    "login_design": {
      "background_color": "#c5ed1b",
      "footer_text": "This is an example description.",
      "header_text": "This is an example description.",
      "logo_path": "https://example.com/logo.png",
      "text_color": "#c5ed1b"
    },
    "mfa_config": {
      "allowed_authenticators": [
        "totp",
        "biometrics",
        "security_key"
      ],
      "session_duration": "24h"
    },
    "mfa_required_for_all_apps": false,
    "name": "Widget Corps Internal Applications",
    "session_duration": "24h",
    "ui_read_only_toggle_reason": "Temporarily turn off the UI read only lock to make a change via the UI",
    "updated_at": "2014-01-01T05:20:00.12345Z",
    "user_seat_expiration_inactive_time": "730h",
    "warp_auth_session_duration": "24h"
  }
}
```