Configure an MFA enrollment policy
Policies can be applied to specific groups within your org and automatically enforced for only those users.
Note: If your org does not require group-based factors, it is not necessary to create additional policies. Simply retain the Default Policy.
Create an MFA enrollment policy
Click Add Multifactor Policy to open the Add Policy screen.
- Policy name: Enter a descriptive policy name.
- Policy description: Describe the elements of the policy.
- Assign to groups: Enter a predefined group. As you type, the field auto-completes the group name.
- Effective factors: The factors you set up under the Factor Type tab should appear here. Use the drop-down menu to define whether the option is required, optional or disabled for that group.
The following actions only affect a selected policy. Click the policy name in the blue list on the left to select it and display its options.
- Active button: Use to activate or deactivate the selected policy. If you deactivate a policy, it will not be applied to any user, but you can reactivate it later.
- Edit button: Use to change elements of the policy.
- Delete button: Use to delete the selected policy. The default policy cannot be deleted. A deleted policy cannot be recovered.
Add an MFA enrollment policy rule
Rules allow you to add conditions to your policy choices.
To add a new rule, click the Add Rule button and complete the following fields as needed.
- Rule Name: Add a descriptive name for the rule you want to create.
- Exclude Users: If needed, you can exclude individual users of a group from the rule.
- Under AND User is accessing, select Applications.
- Select Any application to apply this rule to all applications that can be accessed by the end user. Select Specific applications to manually enter the applications that will be affected by this rule. Only applications that are available to end users will be displayed here.
- For more details, see App condition for MFA enrollment policies.
- Enroll Multifactor: Use the drop-down menu to choose one of the following two options:
- The user must enroll in the multifactor option during their initial sign-in to Okta.
- The user can enroll when first challenged for an MFA option.
- When a User is located...: Use the drop-down menu to choose where the user is challenged for authentication:
- Anywhere: The user is challenged within the network or outside of it.
- On Network: The user is only challenged when they are off the network.
- Manage configuration for Network: Click the Manage Configurations for Network link to access your gateway settings that enable your choice of access. For details on using this option, see Public Gateway IPs.
Once created, you can expand a rule to view the details by clicking on the rule name listed beneath the Add Rule button. Once expanded, this view shows all the details of the rule such as excluded users and when an authentication factor will be prompted. You can also prioritize the rule by dragging the rule name above or below the other rules in the list.
The following actions only affect the selected rule.
- Active button: Use to activate or deactivate the selected rule. If you deactivate a rule, it will not be applied to any user, but you can reactivate it later.
- Expand rule: Use to view details of the rule. You can also simply click on the rule name.
- Edit button: Use to change established elements of the rule.
- Delete button: Use to delete the selected rule. A deleted rule cannot be recovered.
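The settings described above (group assignment, required/optional/disabled factors, excluded users, enroll-at-sign-in versus enroll-when-challenged, and the network condition) can be reviewed from a policy export rather than by clicking through each one. The audit below is an added example, not part of the Okta documentation; it assumes the JSON shape of Okta's Policies API for MFA_ENROLL policies (factor enroll values REQUIRED/OPTIONAL/NOT_ALLOWED, rule enroll actions LOGIN/CHALLENGE, network connection ANYWHERE or a zone), nests each policy's rules under a `rules` key for convenience, and uses constructed placeholder IDs.

```python
# Added example: audit MFA enrollment policies for settings that weaken
# enforcement. Assumes the Okta Policies API JSON shape for MFA_ENROLL
# policies; rules are nested under "rules" here for convenience only.

def audit_policy(policy: dict) -> list:
    """Return (severity, message) findings for one MFA_ENROLL policy."""
    findings, name = [], policy["name"]
    if policy.get("status") != "ACTIVE":
        findings.append(("warn", f"{name}: policy is inactive, so it applies to no user"))
    groups = policy.get("conditions", {}).get("people", {}).get("groups", {}).get("include", [])
    factors = policy.get("settings", {}).get("factors", {})
    required = [f for f, s in factors.items() if s.get("enroll", {}).get("self") == "REQUIRED"]
    if not required:  # every factor optional or disabled: users may skip enrollment entirely
        findings.append(("high", f"{name}: no REQUIRED factor for groups {groups}"))
    # Rules are evaluated in priority order; only active rules count.
    active = [r for r in sorted(policy.get("rules", []), key=lambda r: r.get("priority", 0))
              if r.get("status") == "ACTIVE"]
    if not active:
        findings.append(("high", f"{name}: no active rule, so enrollment is never enforced"))
    for rule in active:
        rname = f"{name}/{rule['name']}"
        excluded = rule.get("conditions", {}).get("people", {}).get("users", {}).get("exclude", [])
        if excluded:  # exclusions silently exempt individual users from the group policy
            findings.append(("warn", f"{rname}: {len(excluded)} user(s) excluded from the rule"))
        when = rule.get("actions", {}).get("enroll", {}).get("self")
        if when == "CHALLENGE":  # enrollment only happens when the user is first challenged
            findings.append(("info", f"{rname}: enrollment deferred until the first MFA challenge"))
        elif when != "LOGIN":
            findings.append(("high", f"{rname}: unexpected enroll action {when!r}"))
        net = rule.get("conditions", {}).get("network", {}).get("connection", "ANYWHERE")
        if net != "ANYWHERE":  # rule is scoped to a network location, not all sign-ins
            findings.append(("warn", f"{rname}: rule applies only under network condition {net}"))
    return findings

# Constructed sample (placeholder IDs, not a real org): one group-scoped policy
# with all factors optional, one excluded user and deferred enrollment.
SAMPLE_POLICY = {
    "type": "MFA_ENROLL", "name": "Contractors MFA", "status": "ACTIVE", "priority": 1,
    "conditions": {"people": {"groups": {"include": ["00gGROUP_PLACEHOLDER"]}}},
    "settings": {"factors": {"okta_verify": {"enroll": {"self": "OPTIONAL"}},
                             "okta_sms": {"enroll": {"self": "NOT_ALLOWED"}}}},
    "rules": [{"type": "MFA_ENROLL", "name": "Contractor rule", "status": "ACTIVE", "priority": 1,
               "conditions": {"network": {"connection": "ANYWHERE"},
                              "people": {"users": {"exclude": ["00uUSER_PLACEHOLDER"]}}},
               "actions": {"enroll": {"self": "LOGIN"}} | {"enroll": {"self": "CHALLENGE"}}}],
}

if __name__ == "__main__":
    for severity, message in audit_policy(SAMPLE_POLICY):
        print(f"[{severity}] {message}")
```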