Security Policies

Use the Authentication page to configure password, sign-on, and group password policies. For mobile and wifi policies, navigate to the Devices menu. Some of these options are not visible if they are not enabled for your org.

Policies Overview

Policies are the first line of defense in keeping an organization secure. Okta policies allow control of various elements of security, including end-user passwords, the authentication challenges a user receives, the devices they can use, and the places they use them from. A policy can be based on a variety of factors, such as location, group definitions, and authentication type.

Group Password Policies

Note: If this feature is not enabled for your org, basic password management settings are located in here.

Group password policies allow you to define password policies and associated rules to enforce password settings on the group and authentication-provider level. You can create multiple policies with more or less restrictive rules and apply them to different groups. Use policies to enforce the use of strong passwords to better protect your organization's assets.

Group Password Policies are enforced only for Okta and AD-mastered users. For AD-mastered users, ensure that your Active Directory password policies don't conflict with the Okta policies. Passwords for AD-mastered users are still managed by the directory service. Some applications, such as Microsoft Office 365 and Google G Suite, check an Okta password policy when provisioning a user to ensure that the Okta policy meets the application's password requirements.

It is sometimes possible for a user's Okta password to meet these requirements while the password policy itself does not, which results in an error during the provisioning attempt. If you observe provisioning errors after configuring or editing an Okta password policy, ensure that it meets the application's requirements, typically, eight characters with an upper and lower case character and either a symbol or number.

Note: The default password policy is applied when a user is created. Group assignment on password policy is not evaluated when user is created.

Password Policy Evaluation

There are three general guidelines for password policy evaluation.

  • Complexity requirements are evaluated at the point in time when the password is set.
  • Password expiration is evaluated based on the current policy and when the user last set their password, unless the user's password is already expired in which case it remains expired.
  • For AD-mastered users, the Active Directory complexity requirements should reflect the Active Directory instance.

Okta Sign On Policies

Sign on policy can specify actions to take, such as allowing access, prompting for a challenge, and setting the time before prompting for another challenge. You can specify the order in which policies are executed and add any number of policies. If a policy in the list does not apply to the user trying to sign in, the system moves to the next policy.

You can specify any number of policies and the order in which they are executed. There is one required policy named Default. By definition, the default policy applies to all users.

In addition to the default policy, which you cannot delete, there is another policy named Legacy that is present only if you have already configured MFA. This policy reflects the MFA settings that were in place when you enabled your sign-on policy, and ensures that no changes in MFA behavior occur unless you modify your policy. If needed, you can delete it.

When a policy is evaluated, the conditions in the policy are combined with the conditions in the associated rules. Rules are applied when all these conditions are met.

Note: A policy with no rules cannot be applied.

Policies can contain multiple rules, and the order of the rules determines their behavior.


Configure sign-on policies for RADIUS applications

If you create a sign-on policy from the admin console under Security > Authentication > Sign On, it will not apply to a RADIUS application. Sign-on policies for RADIUS applications must always be configured as part of the RADIUS application setup instead. For more information, see Add sign-on policies for applications.