Modify authentication policies for first-party apps

Every org has first-party apps with preset policies that you can modify: the Okta Admin Console, the Okta End-User Dashboard, and the Okta Browser Plugin.

Configure reauthorization frequency for the Admin Console

A common use case for editing the Admin Console policy is to create a more restrictive policy that requires admins to reauthenticate with multifactor authentication (MFA) every time they access the Admin Console. By default, this policy requires MFA for admins, but if your global session policy already requires MFA, the admin isn’t prompted a second time.

Okta recommends re-authentication every time for the Okta Admin Console.

  1. In the Admin Console, go to SecurityAuthentication Policies.

  2. Select the Okta Admin Console app.

  3. On the Rules tab, click Add rule.

  4. Enter a Rule Name (for example, MFA once per day).

  5. Set the following rule conditions:

    • In the IF section, select The following users and groups, and then add the Admin group.

    • Modify the Location and Client fields if you want to restrict this rule by zone or device.

    • In the Access section, select prompt for factor, and then choose your frequency.

  6. Click Save.

  7. On the Sign On tab, verify that the new rule has the highest priority.

Configure Admin Console session lifetime

Early Access release

This configuration affects only the Okta Admin Console. Administrative sessions in other Okta

applications are unaffected, including Okta Workflows, Okta Access Gateway, and Advanced Server Access.

You can change the session lifetime and idle time for the Okta Admin Console. These settings are independent of those configured for global session policies. See Add a global session policy rule.

  1. In the Admin Console, go to ApplicationsApplications.

  2. Click Okta Admin Console.

  3. On the Sign On tab, click Edit in the Okta Admin Console session section.

  4. Set the Maximum app session lifetime in hours or minutes.

    Okta recommends 12 hours based on US National Institute of Standards and Technology (NIST) guidance. The maximum time allowed is 24 hours, the minimum is 1 minute.

    The maximum session lifetime must be equal to or greater than the configured idle time.

  5. Set the Maximum app session idle time in hours or minutes.

    Okta recommends 15 minutes based on US National Institute of Standards and Technology (NIST) guidance. The maximum time allowed is 2 hours, the minimum is 1 minute.

    For settings over 10 minutes, a popup appears within 5 minutes of the timeout with a link to reset the time. For settings under 10 minutes, the popup appears within 30 seconds of the timeout.

    The idle expiration time resets based on your interactions within the Admin Console.

  6. Click Save.

Add authenticators to the Admin Console authentication policy

Early Access release. See Manage Early Access and Beta features.

To protect the Admin Console, you must require admins to authenticate with two or more authenticators. If your existing rules only require users to verify themselves with one authenticator, you may be required to add more authenticators to meet this requirement.

  1. In the Admin Console, go to SecurityAuthentication Policies.
  2. Select the Okta Admin Console app.
  3. On the Rules tab, click Add rule.
  4. Enter a Rule Name (for example, MFA for Admin Console).
  5. Configure the following rule conditions in the IF section:
    • User's user type is: Optional. Select One of the following user types, and then enter the user type, like admins in the field that appears.
    • User's group membership includes: Optional. Select At least one of the following groups, and then enter the Admins group in the field that appears.
    • Configure other IF conditions that you require.
  6. Configure the following rule conditions in the Then section:
    • User must authenticate with: Select either Password / IdP + Another factor or Any 2 factor types.
    • Configure other THEN conditions that you require.
  7. Click Save.

Disable the Okta Dashboard for specific groups

A common use case for editing the Okta Dashboard policy is to disable access for users in your org who use another dashboard or application.

  1. In the Admin Console, go to SecurityAuthentication Policies.

  2. Select the Okta End-User Dashboard app.

  3. On the Rules tab, click Add rule.

  4. Enter a Rule Name (for example, Disable Access to Dashboard for Groups).

  5. Set the following rule conditions:

    • In the IF section, specify which users qualify for the new rule.

    • In the THEN section, set the Access is option to Denied.

Related topics

Add an authentication policy rule

Update an authentication policy

Add apps to an authentication policy