Enable MFA for the Admin Console

Make MFA mandatory for accessing the Admin Console. If admins haven't enrolled the required factors, they're prompted to enroll when they try to access the Admin Console.

Before you begin

Enable at least two factors for your org. See About multifactor authentication. Okta recommends enabling at least one phishing-resistant authenticator such as FIDO2 (WebAuthn) authenticator.

Enable MFA in the policy

  1. In the Admin Console, go to ApplicationsApplications.
  2. Open the Okta Admin Console app.
  3. On the Sign On tab, open the Admin App Policy rule in the Edit mode.
  4. On the App Sign On Rule page, ensure that the Disable rule checkbox isn't selected. Selecting this checkbox disables MFA for admins.
  5. In the Actions section, select Prompt for factor. Then select the frequency. Okta recommends prompting at every sign on.
  6. Click Save.

Enforce MFA to access the Admin Console

Early Access release. See Enable self-service features.

To enable this feature you must:

  • Verify you have the necessary authenticators for MFA.

  • Ensure that your MFA enrollment policy has enough factors enabled so that admins can satisfy the authentication requirements.

  • Ensure that all admins are enrolled in at least two factors.

This feature makes MFA mandatory for accessing the Admin Console. It automatically updates any authentication policy rules that protect the Admin Console with single-factor to 2-factor. It also requires new rules to be 2-factor.

If you disable this feature, any policies updated to 2-factor aren't reverted to single-factor automatically.

Enforce MFA for Identity Governance admin apps

Early Access release. See Enable self-service features.

If your org uses Okta Identity Governance, you can require MFA for admins who access these first-party apps. This feature is only available when the Enforce MFA to access the Admin Console feature is enabled. To enable the feature in the Admin Console, go to SettingsFeatures. If this feature isn't available on the Features page, contact Support.

When you enable this feature, any single-factor app sign-on policy rule applicable to the following Identity Governance apps is automatically updated to require two factors:

  • Okta Access Certifications
  • Okta Entitlement Management
  • Okta Access Requests Admin

If you disable this feature, the changes aren't automatically reverted. You must manually edit the rules to allow single-factor access.