Configure rules for authenticator enrollment policies
Rules allow you to add conditions to your authenticator enrollment policies.
Start this procedure
- Create an authenticator enrollment policy.
- Click Add Rule.
  - Rule name: Enter a descriptive name for the rule.
  - Exclude users: Enter the names of users that you want to exclude from this rule.
  - IF user's IP is: Select an option to enforce where the user is challenged for authentication:
    - Anywhere: The user is challenged if they signed in from any location.
    - In zone: The user is challenged if they signed in from specific network zones. Enter the network zone names or select All Zones. See About network zones.
    - Not in zone: The user is challenged if they signed in from outside of a specific network zone. Enter the network zone names or select All Zones. See About network zones.
  - AND user is accessing: Select an option to specify when the rule applies:
    - Okta: Apply this rule when the user signs in to Okta.
    - Applications: Apply this rule when the user accesses apps:
      - Any application that supports MFA enrollment: Apply this rule when the user accesses an app that supports MFA enrollment.
      - Specific applications: Apply this rule when the user accesses specific apps. Start entering the name of an app in the field that appears. Select the app name from the list. Enter another app name to add more apps.
  - THEN Enrollment is: Determine whether enrollment is allowed or denied when all the conditions of this rule have been satisfied:
    - Allowed for all authenticators: Allow authenticator enrollment even when the required authenticator is missing.
    - Allowed for authenticators used for legacy recovery: Only allow the enrollment of authenticators used for legacy recovery.
    - Denied: Deny the enrollment of any authenticators.
- Click Create Rule.
- Select a rule and then perform any of the following actions:
  - Active or Inactive: Select this option to make the rule active or inactive. If you deactivate a rule, it isn't applied to any user.
  - Expand rule: Click the i icon to view details of the rule.
  - Edit: Click the pencil icon to change the settings of the rule.
  - Delete: Click the x icon to delete the rule. You can't recover a deleted rule.
- To change the priority of a rule, drag the rule by the handle in the Priority column and drop it in its new location.