Enable MFA for the Admin Console

Make MFA mandatory for accessing the Admin Console. If admins haven't enrolled the required factors, they're prompted to enroll when they try to access the Admin Console.

Before you begin

Enable at least two factors for your org. See About multifactor authentication. Okta recommends enabling at least one phishing-resistant authenticator, like FIDO2 (WebAuthn) authenticator.

Enable MFA in the policy

  1. In the Admin Console, go to ApplicationsApplications.

  2. Open the Okta Admin Console app.
  3. On the Sign On tab, open the Admin App Policy rule in Edit mode.
  4. On the App Sign On Rule page, ensure that the Disable rule checkbox isn't selected. Selecting this checkbox disables MFA for admins.
  5. In the Actions section, select Prompt for factor, and then select the frequency. Okta recommends prompting at every sign on.
  6. Click Save.

Enforce MFA to access the Admin Console

This feature makes MFA mandatory for accessing the Admin Console. It automatically updates any authentication policy rules that protect the Admin Console with single-factor to two-factor. This feature also requires new rules to be two-factor.

To enable this feature you must do the following before you set it up:

  • Verify that you have the necessary authenticators for MFA.
  • Ensure that your MFA enrollment policy has enough factors enabled so that admins can satisfy the authentication requirements.
  • Ensure that all admins are enrolled in at least two factors.

If you disable this feature, any policies updated to 2-factor aren't reverted to single-factor automatically.

Enforce MFA for Identity Governance admin apps

Early Access release

If your org uses Okta Identity Governance, you can require MFA for admins who access these first-party apps. This feature is only available when the Enforce MFA to access the Admin Console feature is enabled. Contact Okta Support to enable it.

When you enable this feature, any single-factor app sign-on policy rule applicable to the following Identity Governance apps is automatically updated to require two factors:

  • Okta Access Certifications
  • Okta Entitlement Management
  • Okta Access Requests Admin

If you disable this feature, the changes aren't automatically reverted. You must manually edit the rules to allow single-factor access.