Add a network zone to Okta sign-on policies
You can add a network zone to Okta sign-on policies to manage network access.
- In the Admin Console, go to .
- Click the Sign On tab.
- Select a sign-on policy in the left menu.
- Click Add Rule.
- In the Rule Name field, add a descriptive name for the rule you want to create.
- Complete these fields in the Add Rule dialog:
- Rule Name: Enter a name for the rule.
- Optional. In the Exclude users field, indicate which individual users of a group you want to exclude from the rule.
- IF User's IP is: Optional. Select the location where this rule should be applied.
- Selecting In zone applies the rule to users within the zone and selecting Not in zone applies the rule to users outside the IP zone.
- After selecting a zone, you'll need to enter the zone name. If zones aren't available, you can create them.
- AND Authenticates via: Optional. Select how the user is authenticated.
- AND Behavior is: Optional. Enter the name of a defined behavior. If behaviors aren't available, you can create them. See Configure Behavior Detection.
- AND Risk is: Optional. Select the risk level for the rule. See Risk scoring.
- THEN Access is: Select Allowed or Denied to allow or deny the user access when the rule criteria are met. If you select Allowed, you can select these options:
- Prompt for Factor: Select this option to prompt the user to complete Multifactor Authentication. Click Multifactor Authentication to view and set multifactor settings. See Multifactor Authentication.
- Per Device: Select this option to use Multifactor Authentication one time on a single device.
- Every Time: Select this option to use Multifactor Authentication every time the user signs in.
- Per Session: Select this option to use Multifactor Authentication every time the user starts a new session.
- Factor Lifetime: Optional. If you require a secondary factor, use this dropdown to specify how much time must elapse before the user is challenged again for the secondary factor. The default lifetime is 15 minutes, and the maximum period is six months.
- Session expires after: Optional. Set the time limit in minutes, hours, or days for session expiry and authentication prompt activation. The default session lifetime is two hours and the maximum allowed time is 90 days. This value isn't the total connect time, but the idle time before users see a countdown timer five minutes before session expiry.
- Click Create Rule.
When you edit a network zone, wait approximately 60 seconds for the change to propagate across all servers and take effect.