Secure login

I have some question regarding Secure Login the

User Management account access controls for community portal

We need to ensure the administrative/privileged accounts require 1. Private Network and 2. Strong Authentication (Basic auth + MFA) access controls in place.

That’s built in. Search site settings.

I’m not aware of a way to do that. It’ll take a plugin. There’s a geofencing plugin that could be a start. Happy to help with that or you can ask in marketplace.

1 Like

You can restrict admin logins to specific IP addresses if that helps? Use admin ip allowlist + allowing them in the Screened IPs

2 Likes

What happens when admin’s IP changes?

1 Like

Wow! I didn’t know there was an admin allow-list! I’d guess it’ll take network addresses so you can give it a whole class C or whatever.

They’d need another admin to update the setting. But I would assume that this would be used when the admin uses a vpn to the company network, so if the address changed, it would mean he was no longer allowed to be an admin.

That is kind of my point. Limiting IP can and will be a potentially hazardous setup if an admin works outside the business world :thinking:

If such a security measure is needed and there is only one admin and the admin is using an IP that can and will change, then using Varnish or a similar frontend for Discourse is a safer solution (unless the shell gives a backdoor).

(Oh dear how much proofreading fixes my text :flushed: :woozy_face:)

1 Like

Hi, I want to understand how enforce second factor is working. If I enable it for staff, what do we need to do extra for second authentication?

Did you take a look at the topics I linked in Two-factor authentication method for additional security during login - #4 by Moin ?
The video was very helpful for me.
You can also set up two-factor authentication for a test account to try without enabling the setting which forces staff to enable it. When you enable the setting, you have to set it up for your account if you haven’t done so before; you can’t do anything else on your site until you’ve done that, not even disable the setting.

3 Likes