Enable MFA for the Admin Console

Make MFA mandatory for accessing the Admin Console. If admins haven't enrolled the required authenticators, they're prompted to enroll when they try to access the Admin Console.

Before you begin

Enable at least two authenticators for your org. See Multifactor authentication. Okta recommends enabling at least one phishing-resistant authenticator, like Okta FastPass or FIDO2 (WebAuthn).

Enable MFA in the policy

  1. In the Admin Console, go to Security > Authentication Policies.

  2. Open the Okta Admin Console policy, and then open the Admin App Policy rule in Edit mode.
  3. Edit the rule. See Add an authentication policy rule. Configure the following conditions:
    • User must authenticate with: Select any of the 2 factor types options.
    • Possession factor constraints are: Specify the required characteristics of the possession factor. Okta recommends requiring a phishing-resistant possession factor.
    • Prompt for authentication: Select how often Okta prompts the user for authentication. Okta recommends prompting every time the user signs in to the resource.
  4. Click Save.
  5. Repeat these steps to edit the Catch-all rule to require MFA.
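
To confirm that both rules ended up with the settings recommended in steps 3 and 5, you can audit an export of the policy's rules. The following is an added example, not Okta's own code: it assumes the rules are in the JSON shape returned by the Okta Policies API for authentication (ACCESS_POLICY) policy rules, that "PT0S" is the value for prompting on every sign-in, and the sample rules are constructed.

```python
# Added example: audit exported Admin Console policy rules against the
# settings recommended above. Sample rules are constructed, not real org data.
# Assumption: rules use the JSON shape of Okta Policies API ACCESS_POLICY rules.

def audit_rule(rule):
    """Return a list of findings for one authentication policy rule."""
    findings = []
    sign_on = rule.get("actions", {}).get("appSignOn", {})
    if sign_on.get("access") == "DENY":
        return findings  # a deny rule grants no access, nothing to weaken
    vm = sign_on.get("verificationMethod", {})
    if vm.get("factorMode") != "2FA":
        findings.append("does not require two factor types")
    constraints = vm.get("constraints") or []
    # Assumption: constraint objects are alternatives, so all must comply.
    if not constraints or any(
        c.get("possession", {}).get("phishingResistant") != "REQUIRED"
        for c in constraints
    ):
        findings.append("possession factor need not be phishing-resistant")
    if vm.get("reauthenticateIn") != "PT0S":  # assumed "every sign-in" value
        findings.append("does not prompt on every sign-in")
    return findings

def audit_policy(rules):
    """Map rule name -> findings, for active rules with at least one finding."""
    report = {}
    for rule in rules:
        if rule.get("status", "ACTIVE") != "ACTIVE":
            continue
        findings = audit_rule(rule)
        if findings:
            report[rule["name"]] = findings
    return report

def make_rule(name, mode, reauth, constraints):  # builds constructed samples
    return {"name": name, "status": "ACTIVE", "actions": {"appSignOn": {
        "access": "ALLOW", "verificationMethod": {
            "type": "ASSURANCE", "factorMode": mode,
            "reauthenticateIn": reauth, "constraints": constraints}}}}

SAMPLE_RULES = [
    make_rule("Admin App Policy", "2FA", "PT0S",
              [{"possession": {"phishingResistant": "REQUIRED"}}]),
    make_rule("Catch-all Rule", "1FA", "PT12H", []),
]

if __name__ == "__main__":
    print(audit_policy(SAMPLE_RULES))
```

A rule with an empty findings list matches all three recommendations; the constructed Catch-all rule is reported because it was left at single-factor.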

Enforce MFA to access the Admin Console

This feature makes MFA mandatory for accessing the Admin Console. It automatically updates any single-factor authentication policy rules that protect the Admin Console to two-factor. It also requires new rules to be two-factor.

Before you enable this feature, do the following:

  • Verify that you have the necessary authenticators for MFA.
  • Ensure that your authenticator enrollment policy has enough authenticators enabled so that admins can satisfy the authentication requirements.
  • Ensure that all admins are enrolled in at least two authenticators.

If you disable this feature, any policies updated to two-factor aren't reverted to single-factor automatically.

Enforce MFA for Identity Governance admin apps

Early Access release

If your org uses Okta Identity Governance, you can require MFA for admins who access these first-party apps. This feature is only available when the Enforce MFA to access the Admin Console feature is enabled. Contact Okta Support to enable it.

When you enable this feature, the Admin App policy for the Admin Console is applied to the following Identity Governance apps:

  • Okta Access Certifications
  • Okta Entitlement Management
  • Okta Access Requests Admin

If you disable this feature, the changes aren't automatically reverted. You must manually edit the rules to allow single-factor access.