Protected actions in the Admin Console

Protected actions are critical tasks that admins can perform in the Admin Console. When you enable this feature in your org, admins are prompted for authentication when they perform a protected action, at an interval that you specify. This additional layer of security helps ensure that only authorized admins can perform key tasks in your org.

This feature is being rolled out to orgs gradually. For more information, see Okta will Require Multifactor Authentication (MFA) for Protected Actions in the Admin Console.

There are several important things to note about protected actions:

  • Admins who sign in through inbound federation or who use an inbound IdP must be enrolled in the target org with a separate set of user credentials. Otherwise, admins are blocked from performing a protected action.
  • Federated admins who perform a protected action are prompted for one factor. Non-federated admins are promoted for two factors.
  • Admins need to allow pop-ups in their browser to use this feature.

These are the protected actions in the Admin Console:

  • Assign and revoke the super admin role
  • Configure protected actions
  • Create or modify external IdP
  • Grant and revoke the super admin role
  • Reset a super admin's authenticators
  • Reset a super admin's password (and sign them out)
  • Expire a super admin's password (and sign them out)
  • Expire admin passwords in bulk
  • Reset admin passwords in bulk
  • Update the authentication policy for the Admin Console

Early Access release. See Enable self-service features.

  • Update any authentication policy/app sign-on policy
  • Update global session policy/Okta sign-on policy

Set the authentication interval

The authentication interval determines how often authentication is required when admins perform protected actions in the Admin Console.

  1. In the Admin Console, go to ApplicationsApplications.
  2. Search for and select the Okta Admin Console app.
  3. Click the Protected actions tab.
  4. Click Edit.
  5. In the Authentication required every field, select the authentication interval.
  6. Click Save configuration.

Select protected actions

  1. In the Admin Console, go to ApplicationsApplications.
  2. Search for and select the Okta Admin Console app.
  3. Click the Protected actions tab.
  4. Click Edit.
  5. In the Select protected actions section, select the actions that you want to protect.
  6. Click Save configuration.

Configure email notifications

You can configure Okta to send you an email notification whenever an admin performs a protected action in your org.

  1. In the Admin Console, go to SettingsAccount.

  2. Go to the Admin email notifications section and click Edit.
  3. Select Admin performs a protected action.
  4. Click Save.