Enable MFA for the Admin Console

Super admins can enable mandatory multifactor authentication (MFA) for all admins who access the Okta Admin Console. After this feature is enabled, the MFA policy for the Admin Console is enabled by default. The next time an admin signs in, they're prompted to set up MFA for access to the Admin Console. Admins who haven't enrolled in MFA are prompted to enroll for the first time.

Before you begin

  • Enable at least one authenticator for your org. If the org doesn't have any authenticators enabled, Okta Verify with one-time passcode (OTP) is enabled as the default authenticator. If authenticators are configured, then no changes are made.

Enable MFA in the policy

  1. In the Admin Console, go to ApplicationsApplications.
  2. Open the Okta Admin Console app.
  3. Go to Sign OnUser authentication, and click View policy details. The Authentication policy for the Admin Console opens.
  4. In this policy, go to Admin app policyActionsEdit. The Edit rule window opens.
  5. Edit the rule. See Add an authentication policy rule.
    1. Go to User must authenticate with, and then select a 2-factor type option from the dropdown menu.
    2. Select options for Possession factor constraints are.
  6. Click Save.

Prevent new single-factor access to the Admin Console

Early Access release. See Manage Early Access and Beta features.

This feature prevents admins from creating rules that allow single-factor access to the Admin Console. It also prevents changing existing rules to single-factor. This feature works regardless of whether you enable MFA access to the Admin Console.