Configure an authentication enrollment policy rule

Rules allow you to add conditions to your policy choices.

  1. Once you’ve created an authentication enrollment policy, click the Add Rule button to configure a policy rule.

Rule Name: Add a descriptive name for the rule you want to create.
Exclude Users: If needed, you can exclude individual users of a group from the rule.
IF user’s IP is:

Use the dropdown menu to enforce where the user will be challenged for authentication:

  • Anywhere: The user is challenged within the network or outside of it.
  • In zone: The user is only challenged if they belong to a preconfigured network zone.
  • Not in zone: The user is challenged if they do not belong to a preconfigured network zone.
AND user is accessing:

Select what you want the rule to apply to:

  • Okta
  • Applications: Select this option and choose one of the following:
    • Any application that supports MFA enrollment
    • Specific applications: Start typing the name of the application to which this rule applies in the field that appears.
THEN Enrollment is:
  • Denied
  • Allowed if required authenticators are missing
  2. Click Create Rule to save the conditions of your new rule.
  3. Select a rule, then perform any of the following actions:
  • Active: Use to activate or deactivate the selected rule. If you deactivate a rule, it will not be applied to any user, but you can reactivate it later.
  • Expand or the rule name: View details of the rule, such as excluded users.
  • Edit: Change settings of the rule.
  • Delete: Delete the selected rule. A deleted rule can't be recovered.
  4. To change the priority of a rule, drag the rule name above or below other rules in the list.
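
To check how the IF / AND / THEN conditions, user exclusions and rule order combine before saving a rule set, the following added example (not Okta code and not an Okta API) models the rule list in Python. It assumes rules are evaluated top to bottom and the first match decides; the zone name, IP ranges, user names, rule names and all identifiers are hypothetical.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Constructed sample zone: the name and ranges are placeholders, not from the page.
ZONES = {"corp": [ip_network("10.0.0.0/8"), ip_network("192.0.2.0/24")]}

@dataclass(frozen=True)
class Rule:
    name: str
    enrollment: str                  # THEN: "DENIED" or "ALLOWED_IF_MISSING"
    ip_is: str = "ANYWHERE"          # IF: "ANYWHERE", "IN_ZONE", "NOT_IN_ZONE"
    zone: str = ""
    target: str = "OKTA"             # AND: "OKTA", "ANY_APP" or "APPS"
    apps: frozenset = frozenset()
    excluded_users: frozenset = frozenset()
    active: bool = True

def in_zone(ip, zone):
    return any(ip_address(ip) in net for net in ZONES[zone])

def matches(rule, user, ip, accessing):
    # Deactivated rules apply to nobody; excluded users skip the rule.
    if not rule.active or user in rule.excluded_users:
        return False
    if rule.ip_is != "ANYWHERE" and in_zone(ip, rule.zone) != (rule.ip_is == "IN_ZONE"):
        return False
    if rule.target == "OKTA":
        return accessing == "Okta"
    # Simplification: any non-Okta target counts as an app that supports MFA enrollment.
    if rule.target == "ANY_APP":
        return accessing != "Okta"
    return accessing in rule.apps

def decide(rules, user, ip, accessing):
    """Walk rules top to bottom; the first match decides (assumed model)."""
    for rule in rules:
        if matches(rule, user, ip, accessing):
            return rule.name, rule.enrollment
    return None, None

# Constructed rule list, in priority order.
RULES = [
    Rule("Deny off-network", "DENIED", "NOT_IN_ZONE", "corp",
         excluded_users=frozenset({"breakglass@example.com"})),
    Rule("Allow for Okta", "ALLOWED_IF_MISSING"),
    Rule("Allow for Payroll", "ALLOWED_IF_MISSING", target="APPS", apps=frozenset({"Payroll"})),
]
```

With this constructed list, `decide(RULES, "alice@example.com", "203.0.113.7", "Payroll")` returns the Payroll allow rule: the off-network deny rule targets Okta only, so it never matches application access. Swapping the first two rules makes the allow rule win for off-network Okta sign-ins as well.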

Related topics

Create an authentication enrollment policy

About MFA authenticators

Sign-on policies and rules