User policies allow you to create specific security requirements and enable different security settings for different user groups. In the user policies, it's possible to add password settings which adds specific password requirements for any users that has been assigned the user policy. This includes specific minimum password length, inclusion of special characters, lower/upper case characters and even automatic password expiration after a set timeframe. 

To add MFA and additional security settings other than password requirements, the Security Policies Add-On is required. With this add-on, you can enforce MFA on users that have been assigned a specific policy. You are also able to restrict access for users based on geolocation, an IP whitelist or an IP blacklist. Once you have created a user policy, you can add users to it by clicking on the policy, and then selecting the users that should be added on the next page. 

The default user policy includes all users added to the organization by default and is useful when the administrator wants to apply location settings, password requirements, MFA settings or IP ranges across all of the organization's users. 

You are able to access and manage your user policies by clicking on Security -> User Policies.