Enable MFA for the Admin Console

Super admins can enable mandatory multifactor authentication (MFA) for all admins who access the Okta Admin Console. After this feature is enabled, the MFA policy for the Admin Console is enabled by default. The next time an admin signs in, they're prompted to set up MFA for access to the Admin Console. Admins who haven't enrolled in MFA are prompted to enroll for the first time.

Before you begin

  • Enable at least one factor for your org. If the org doesn't have any MFA factors enabled, Okta Verify with one-time passcode (OTP) is enabled as the default factor. If factors are configured, then no changes are made.
  • You can also make changes to your MFA policy. See Configure an app sign-on policy.

Enable MFA in the policy

  1. In the Admin Console, go to ApplicationsApplications.
  2. Open the Okta Admin Console app.
  3. Click the Sign On tab. For the Admin App Policy, click the Edit rule icon.
  4. Ensure that the Disable rule checkbox isn't selected. Selecting this checkbox disables MFA for admins.

Prevent new single-factor access to the Admin Console

Early Access release. See Enable self-service features.

This feature prevents admins from creating rules that allow single-factor access to the Admin Console. It also prevents changing existing rules to single-factor. This feature works regardless of whether you enable MFA access to the Admin Console.