Set required authenticators for MFA enrollment policies
Enabling at least one required authenticator for your org ensures that end users assigned to a given policy are enrolled in MFA.
Once a required authenticator is set, you can also update your sign-on policy to prompt users to enroll in the authenticator the next time they sign in.
HealthInsight task recommendation
Set required authenticators to ensure that end users assigned to a given policy are enrolled in authenticators.
Require at least one authenticator in every MFA enrollment policy.
If an authenticator is set to required as part of the MFA enrollment policy, end users must enroll in the authenticator before they can sign in to their org. Setup varies depending on the authenticator specified.
- In the Admin Console, go to Security > Authenticators.
- Click the Enrollment tab.
- Select a policy and click Edit to modify it.
- From the list of Effective authenticators, set at least one factor to Required.
- Click Update Policy to save changes to your MFA enrollment policy.
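To check the "at least one required authenticator" recommendation across all enrollment policies at once, the following added example (not Okta's code) audits a saved policy export. It assumes the JSON shape returned by the Okta Policies API for type MFA_ENROLL, where each authenticator or factor carries an enroll.self value of REQUIRED, OPTIONAL or NOT_ALLOWED; the sample policies and the function names are constructed for illustration.

```python
import json

# Constructed sample export (assumption: saved offline from
# GET /api/v1/policies?type=MFA_ENROLL; ids and names are made up).
SAMPLE_EXPORT = json.loads("""
[
  {"id": "pol-constructed-1", "name": "Default Policy", "status": "ACTIVE",
   "settings": {"type": "AUTHENTICATORS", "authenticators": [
     {"key": "okta_verify", "enroll": {"self": "REQUIRED"}},
     {"key": "webauthn", "enroll": {"self": "OPTIONAL"}}]}},
  {"id": "pol-constructed-2", "name": "Contractors", "status": "ACTIVE",
   "settings": {"type": "AUTHENTICATORS", "authenticators": [
     {"key": "okta_verify", "enroll": {"self": "OPTIONAL"}},
     {"key": "webauthn", "enroll": {"self": "NOT_ALLOWED"}}]}},
  {"id": "pol-constructed-3", "name": "Legacy", "status": "ACTIVE",
   "settings": {"factors": {
     "okta_otp": {"enroll": {"self": "REQUIRED"}},
     "okta_sms": {"enroll": {"self": "OPTIONAL"}}}}}
]
""")


def required_authenticators(policy):
    """Return the sorted keys set to REQUIRED in one MFA enrollment policy."""
    settings = policy.get("settings") or {}
    # Authenticator-based policies: list of {"key", "enroll": {"self"}}.
    entries = [(a.get("key"), a.get("enroll") or {})
               for a in settings.get("authenticators") or []]
    # Factor-based policies: mapping of factor name -> {"enroll": {"self"}}.
    entries += [(name, (cfg or {}).get("enroll") or {})
                for name, cfg in (settings.get("factors") or {}).items()]
    return sorted(k for k, enroll in entries if enroll.get("self") == "REQUIRED")


def policies_without_required(policies):
    """Return (name, status) for every policy that requires no authenticator."""
    return [(p.get("name", p.get("id")), p.get("status"))
            for p in policies if not required_authenticators(p)]


if __name__ == "__main__":
    for name, status in policies_without_required(SAMPLE_EXPORT):
        print(f"FINDING: enrollment policy {name!r} ({status}) "
              "has no required authenticator")
```

Each finding names a policy to open under Security > Authenticators > Enrollment and edit as described in the steps above.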
Set an enrollment policy rule that allows a user to enroll in an authenticator when prompted
- In the Admin Console, go to Security > Authenticators.
- Click the Enrollment tab.
- Choose one of the active policy rules in the list and click Edit. The Edit Rule page appears.
- Under the condition THEN Enrollment is, select Allow if required authenticators are missing.
- Click Update Rule to save your changes.
- In the Admin Console, go to Security > Okta Sign-on Policy.
- Select the policy to which you want to add rules.
- Select an existing rule and click Edit.
- For Then Access is, use this dropdown menu to set whether the condition allows or denies access, based on the authentication form chosen in the previous dropdown menu.
- For Prompt for Factor, select Password / IDP or Password / IDP / any factor allowed by app sign on rules.
- Click Update Rule.