Enable MFA for the Admin Console

Make MFA mandatory for accessing the Admin Console. If admins haven't enrolled the required factors, they're prompted to enroll when they try to access the Admin Console.

Before you begin

Enable at least two factors for your org. See About multifactor authentication. Okta recommends enabling at least one phishing-resistant authenticator, like FIDO2 (WebAuthn) authenticator.

Enable MFA in the policy

  1. In the Admin Console, go to ApplicationsApplications.

  2. Open the Okta Admin Console app.
  3. On the Sign On tab, open the Admin App Policy rule in Edit mode.
  4. On the App Sign On Rule page, ensure that the Disable rule checkbox isn't selected. Selecting this checkbox disables MFA for admins.
  5. In the Actions section, select Prompt for factor, and then select the frequency. Okta recommends prompting at every sign on.
  6. Click Save.

Enforce MFA to access the Admin Console

This feature makes MFA mandatory for accessing the Admin Console. It automatically updates any authentication policy rules that protect the Admin Console with single-factor to two-factor. This feature also requires new rules to be two-factor.

To enable this feature you must do the following before you set it up:

  • Verify that you have the necessary authenticators for MFA.
  • Ensure that your MFA enrollment policy has enough factors enabled so that admins can satisfy the authentication requirements.
  • Ensure that all admins are enrolled in at least two factors.

If you disable this feature, any policies updated to 2-factor aren't reverted to single-factor automatically.