Enable MFA for the Admin Console

Super admins can enable mandatory multifactor authentication (MFA) for all admins who access the Okta Admin Console. After this feature is enabled, the MFA policy for the Admin Console is enabled by default. The next time an admin signs in, they're prompted to set up MFA for access to the Admin Console. Admins who haven't enrolled in MFA are prompted to enroll for the first time.

Before you begin

  • Enable at least one authenticator for your org. If the org doesn't have any authenticators enabled, Okta Verify with one-time passcode (OTP) is enabled as the default authenticator. If authenticators are configured, then no changes are made.

Enable MFA in the policy

  1. In the Admin Console, go to Applications > Applications.
  2. Open the Okta Admin Console app.
  3. Go to Sign On > User authentication, and click View policy details. The Authentication policy for the Admin Console opens.
  4. In this policy, go to Admin app policy > Actions > Edit. The Edit rule window opens.
  5. Edit the rule. See Add an authentication policy rule.
    1. Go to User must authenticate with, and then select a 2-factor type option from the dropdown menu.
    2. Select options for Possession factor constraints are.
  6. Click Save.

Enforce MFA to access the Admin Console

Early Access release. See Enable self-service features.

To enable this feature you must:

  • Verify you have the necessary authenticators for MFA.

  • Ensure that your MFA enrollment policy has enough factors enabled so that admins can satisfy the authentication requirements.

  • Ensure that all admins are enrolled in at least two factors.

This feature makes MFA mandatory for accessing the Admin Console. It automatically updates any authentication policy rules that protect the Admin Console with single-factor to 2-factor. It also requires new rules to be 2-factor. This feature works regardless of whether you enable MFA access to the Admin Console.

If you disable this feature, any policies updated to 2-factor aren't reverted to single-factor automatically.
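
The following Python sketch is an added example, not Okta's own code. It checks exported Admin Console authentication policy rules for any that still allow single-factor access, which is worth verifying before enabling this feature and again after disabling it. The rule JSON is constructed, and the field names (actions.appSignOn.access, verificationMethod.factorMode) assume the rule shape returned by the Okta Policies API.

```python
import json

# Constructed sample: rules of the Admin Console authentication policy, in the
# shape assumed for the Okta Policies API rules list of an ACCESS_POLICY.
SAMPLE_RULES = json.loads("""
[
  {"name": "Admin app policy", "status": "ACTIVE", "priority": 0,
   "actions": {"appSignOn": {"access": "ALLOW",
     "verificationMethod": {"type": "ASSURANCE", "factorMode": "2FA",
       "constraints": [{"possession": {"deviceBound": "REQUIRED"}}]}}}},
  {"name": "Break-glass from office", "status": "ACTIVE", "priority": 1,
   "actions": {"appSignOn": {"access": "ALLOW",
     "verificationMethod": {"type": "ASSURANCE", "factorMode": "1FA"}}}},
  {"name": "Old contractor rule", "status": "INACTIVE", "priority": 2,
   "actions": {"appSignOn": {"access": "ALLOW",
     "verificationMethod": {"type": "ASSURANCE", "factorMode": "1FA"}}}},
  {"name": "Catch-all Rule", "status": "ACTIVE", "priority": 99,
   "actions": {"appSignOn": {"access": "DENY"}}}
]
""")


def audit_rules(rules):
    """Return (name, factor_mode, severity) for rules that allow access
    without 2-factor, ordered by rule priority."""
    findings = []
    for rule in sorted(rules, key=lambda r: r.get("priority", 0)):
        sign_on = rule.get("actions", {}).get("appSignOn", {})
        if sign_on.get("access") != "ALLOW":
            continue  # DENY rules cannot grant single-factor access
        mode = sign_on.get("verificationMethod", {}).get("factorMode")
        if mode == "2FA":
            continue
        # A missing factorMode is reported as a finding, not assumed compliant.
        # Inactive rules are reported separately: they grant nothing today but
        # would grant single-factor access if reactivated.
        severity = "high" if rule.get("status") == "ACTIVE" else "dormant"
        findings.append((rule.get("name"), mode or "unset", severity))
    return findings


if __name__ == "__main__":
    for name, mode, severity in audit_rules(SAMPLE_RULES):
        print(f"[{severity}] rule {name!r} allows {mode} sign-in")
```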

Prevent new single-factor access to the Admin Console

Early Access release. See Enable self-service features.

This feature prevents admins from creating rules that allow single-factor access to the Admin Console. It also prevents changing existing rules to single-factor. This feature works regardless of whether you enable MFA access to the Admin Console.

This feature replaces the Enforce MFA to access the Admin Console feature. If you previously enabled Prevent new single-factor access to the Admin Console, you can disable it and then enable Enforce MFA to access the Admin Console.