Add behavior to app sign-on policy rule

Configure behavior conditions in app sign-on policies using an expression.

Before you begin

  • Create a new app sign-on policy or use an existing one.
  • Adaptive MFA must be enabled.
  • Ensure that no more than 10 conditions are included in a heuristic.
  • The expression language for Security Context supports a subset of operators such as:
    • ||, OR
    • &&, AND
    • !, NOT
    • ==
    • !=

For more information, see Expression Language Overview.
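
An added example, not part of the original page or Okta's own tooling: a pre-check to run on a custom expression before pasting it into the rule. It assumes that only the operators listed above are accepted and that each operand joined by &&, ||, AND or OR counts as one condition toward the limit of 10. The security.behaviors.contains(...) call is Okta Expression Language syntax, and the behavior names are sample values.

```python
import re

# Operators this page lists as supported in Security Context expressions.
ALLOWED_OPS = {"||", "OR", "&&", "AND", "!", "NOT", "==", "!="}
MAX_CONDITIONS = 10  # limit stated under "Before you begin"

# Quoted literals are matched first so symbols inside behavior names are ignored.
TOKEN = re.compile(r"""
    (?P<str>"[^"]*"|'[^']*')
  | (?P<op>\|\||&&|==|!=|<=|>=|[<>=!+\-*/%&|])
  | (?P<word>[A-Za-z_][\w.]*)
  | (?P<other>\S)
""", re.VERBOSE)


def lint_expression(expr):
    """Return a list of problems; an empty list means the expression passed."""
    problems, depth = [], 0
    conditions = 1 if expr.strip() else 0
    for m in TOKEN.finditer(expr):
        kind, tok = m.lastgroup, m.group()
        if kind == "op" and tok not in ALLOWED_OPS:
            problems.append(f"operator {tok!r} is not in the supported list")
        elif tok in ("||", "&&") or (kind == "word" and tok in ("OR", "AND")):
            conditions += 1  # assumption: each joined operand is one condition
        elif kind == "other" and tok == "(":
            depth += 1
        elif kind == "other" and tok == ")":
            depth -= 1
            if depth < 0:
                problems.append("unbalanced ')'")
                depth = 0
    if depth:
        problems.append("unbalanced '('")
    if conditions == 0:
        problems.append("expression is empty")
    if conditions > MAX_CONDITIONS:
        problems.append(f"{conditions} conditions exceeds the limit of {MAX_CONDITIONS}")
    return problems


if __name__ == "__main__":
    # Constructed sample expressions; behavior names depend on your org.
    samples = [
        'security.behaviors.contains("New IP") && security.behaviors.contains("New Device")',
        'security.behaviors.contains("New IP") >= 1',
    ]
    for s in samples:
        print(lint_expression(s) or "OK", "<-", s)
```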

Start this task

  1. In the Admin Console, go to Applications > Applications.
  2. Select the app where you want to create sign-on policy rules.

  3. On the application’s main page, click the Sign On tab.

  4. Scroll to the Sign On Policy section, and then click Add Rule.

  5. Enter a Rule Name.

  6. Indicate your conditions.
    • IF User’s user type is: Specify a user type, or leave the default Any user type. Click Go to User Types to see your org’s User Types page.

    • AND User’s group membership includes: Specify at least one user group, or leave the default Any user group. Click Go to Groups to see your org’s Groups page.

    • AND User’s IP is: Specify an IP Zone, or leave the default Any IP. Click Go to Network Zones to see your org’s Network Zones page.

    • AND Risk is: Select a risk level of Low, Medium, or High to change the level of risk that is needed to match the rule. The risk level Any is selected by default. See Risk Scoring.
    • AND The following custom expression is true: Enter an expression to add behavior. See About behavior and app sign-on policy rules.
  7. In the THEN Access is condition, select an action.

    • Denied: Deny the user’s access. No additional rules will be evaluated. Skip to the last step to save your rule.

    • Allowed after successful authentication: Grant access to the user after they are authenticated (see next step).

  8. Set the authentication criteria:

    • Number of factors required: Select one-factor or two-factor authentication.

    • Optional. AND User must provide: Choose which factors enable app access, depending on your selection of one or two-factor authentication.

      • For one-factor authentication, choose Password or Possession. These are mutually exclusive. For one-factor passwordless authentication options, see Configure passwordless authentication with email magic link.

      • For two-factor authentication, choose Password, Possession, or Password + Possession. For two-factor passwordless authentication options, see Configure passwordless authentication with email magic link.

    • AND Re-authentication frequency is: Select Every sign-in attempt, Once per device, or after a designated amount of time.


      A ten-second grace period applies after a user authenticates with their password. During this grace period, users are not prompted for their password again, even if Every sign-in attempt is selected under Re-authentication frequency.

  9. Click Save.

Related topics

Okta sign-on policies