Configure an MFA enrollment policy
Multifactor enrollment (MFA) enrollment policies determine when users enroll in MFA and which factors they enroll in.
If your org doesn't require group-based factors, it isn't necessary to create additional policies. You can retain the Default Policy instead.
Create an MFA enrollment policy
Click Add Multifactor Policy to open the Add Policy page.
- Policy name: Enter a descriptive policy name.
- Policy description: Describe the elements of the policy.
- Assign to groups: Enter the name of a group. The field auto-completes the group name.
- Effective factors: The factors you set up under the Factor Type tab should appear here. Use the dropdown menu to define whether the option is required, optional, or disabled for that group.
The following actions only affect a selected policy. Click the policy name in the blue list on the left to select and display options.
- Active button: Use to activate or deactivate the selected policy. If you deactivate a policy, it will not be applied to any user, but you can reactivate it later.
- Edit button: Use to change elements of the policy.
- Delete button: Use to delete the select policy. The default policy can't be deleted. A deleted policy can't be recovered.
Add an MFA enrollment policy rule
Rules allow you to add conditions to your policy choices.
To add a rule, click the Add Rule button and complete the following fields as needed.
- Rule Name: Add a descriptive name for the rule that you want to create.
- Exclude Users: If needed, you can exclude individual users of a group from the rule.
- Under AND User is accessing, select Applications.
- Select Any application to apply this rule to all applications that can be accessed by the end user. Select Specific applications to manually enter the applications that are affected by this rule. Only applications that are available to end users appear here.
- For more details, see App condition for MFA enrollment policies.
- Enroll Multifactor: Use the dropdown menu to enforce the following two options:
- The user must enroll in the multifactor option during their initial sign-in to Okta.
- The user can enroll when first challenged for an MFA option.
- When a User is located... Use the dropdown menu to enforce where the user is challenged for authentication:
- Anywhere: The user is challenged within the network or outside of it.
- On Network: The user is only challenged when they're off the network.
- Manage configuration for Network: Click the Manage Configurations for Network link to access your gateway settings that enable your choice of access. For details on using this option, see Public Gateway IPs.
Once created, you can expand a rule to view the details by clicking the rule name listed beneath the Add Rule button. Once expanded, this view shows all the details of the rule such as excluded users and when an authentication factor is prompted. You can also prioritize the rule by dragging the rule name above or below the other rules in the list.
The following actions only affect the selected rule.
- Active button: Use to activate or deactivate the selected rule. If you deactivate a rule, it isn't applied to any user, but you can reactivate it later.
- Expand rule: Use to view details of the rule. You can also simply click the rule name.
- Edit button: Use to change established elements of the rule.
- Delete button: Use to delete the select rule. A deleted rule can't be recovered.