Protected actions in the Admin Console

Early Access release. See Manage Early Access and Beta features.

Protected actions are critical tasks that admins can perform in the Admin Console. When you enable this feature in your org, admins are prompted for authentication when they perform a protected action, according to a configured interval. This additional layer of security helps ensure that only authorized admins can perform key tasks in your org.

There are several important things to note about protected actions:

  • The authentication challenge depends on the authentication policy that's configured for the Admin Console.
  • For admins who sign in through inbound federation or who use an inbound IdP, this feature isn't fully supported.
  • Admins using a custom domain are prompted for their username and password, in addition to the configured authentication challenge, the first time they perform a protected action.
  • Admins need to allow pop-ups in their browser to use this feature.

These are the protected actions in the Admin Console:

  • Configure protected actions
  • Create or modify external IdP
  • Reset a super admin's authenticators
  • Reset a super admin's password (and sign them out)
  • Expire a super admin's password (and sign them out)
  • Expire admin passwords in bulk
  • Reset admin passwords in bulk

Configure the authentication interval

The authentication interval determines how often authentication is required when admins perform protected actions in the Admin Console.

  1. In the Admin Console, go to Applications > Applications.
  2. Search for and select the Okta Admin Console app.
  3. Click the Protected actions tab.
  4. In the Authentication required every field, select the authentication interval.
  5. Click Save configuration.