Enable MFA for the Admin Console

Make MFA mandatory for accessing the Admin Console. If admins haven't enrolled the required authenticators, they're prompted to enroll when they try to access the Admin Console.

Before you begin

Enable at least two authenticators for your org. See Multifactor authentication. Okta recommends enabling at least one phishing-resistant authenticator such as Okta FastPass or FIDO2 (WebAuthn).

Enable MFA in the policy

  1. In the Admin Console, go to SecurityAuthentication Policies.

  2. Open the Okta Admin Console policy, then open the Admin App Policy rule in Edit mode.
  3. Edit the rule. See Add an authentication policy rule. Configure the following conditions:
    1. User must authenticate with: Select any of the 2 factor types options.
    2. Possession factor constraints are: Specify the required characteristics of the possession factor. Okta recommends requiring a phishing-resistant possession factor.
    3. Prompt for authentication: Select how often Okta should prompt the user for authentication. Okta recommends prompting every time the user signs in to the resource.
  4. Click Save.
  5. Repeat these steps to edit the Catch-all rule to require MFA.

Enforce MFA to access the Admin Console

To enable this feature you must:

  • Verify you have the necessary authenticators for MFA.

  • Ensure that your MFA enrollment policy has enough factors enabled so that admins can satisfy the authentication requirements.

  • Ensure that all admins are enrolled in at least two factors.

This feature makes MFA mandatory for accessing the Admin Console. It automatically updates any authentication policy rules that protect the Admin Console with single-factor to 2-factor. It also requires new rules to be 2-factor.

If you disable this feature, any policies updated to 2-factor aren't reverted to single-factor automatically.

Enforce MFA for Identity Governance admin apps

Early Access release. See Enable self-service features.

If your org uses Okta Identity Governance, you can require MFA for admins who access these first-party apps. This feature is only available when the Enforce MFA to access the Admin Console feature is enabled. To enable the feature in the Admin Console, go to SettingsFeatures. If this feature isn't available on the Features page, contact Support.

When you enable this feature, the Admin App policy for the Admin Console is applied to the following Identity Governance apps:

  • Okta Access Certifications
  • Okta Entitlement Management
  • Okta Access Requests Admin

If you disable this feature, the changes aren't automatically reverted. You must manually edit the rules to allow single-factor access.