Add Sign On policies for applications
You can add an app-based sign-on policy to allow or restrict access to applications.
Note: Some options described in this topic are Early Access features which may not be available in your org. To enable them, contact Okta Support.
By default, all Client options in the App Sign On Rule dialog box are pre-selected to allow users of all client types and platforms to access the app. To configure more granular access to the app, selectively apply conditions as you create one or more prioritized rules based on:
Blacklist and whitelist approaches to creating Sign On policy rules
Typical approaches to creating and prioritizing rules often employ whitelist and blacklist concepts:
If you select In Zone, enter the name of a zone. You configure zone names in Security > Network. For details, see Network.
In the Client section, choose the conditions that you want to trigger the action(s) you configure in the Access section. Note: The Client section is not available for all apps.
Client Access Policies (CAP) allow you to add different policies for different client types including adding MFA. However, some protocols do not support MFA even if you have MFA configured at the Okta login. Legacy protocols like POP/IMAP do not redirect to Okta for login and do not support MFA at the application level.
If you do not want to allow logins to Microsoft 365 from protocols that do not support MFA, you need to add a deny all rule and then layer allow rules above for the protocols that you do want to support.
In the Device Trust section, specify the trust status of the device that you want to trigger the action(s) you configure in the Access section.
Note: The Trusted and Not Trusted options are only selectable if Device Trust is configured in Security > Device Trust. Okta Device Trust determines whether a device is trusted based on the presence of a trust signal (MDM enrollment; certificate; support for Universal Links).
Set rule precedence by clicking the blue arrows to set the priority number. A rule with a priority value of 1 has first priority and takes precedence over all other rules.
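The following is an added illustration, not Okta code or its API: a small Python model of how prioritized app sign-on rules are evaluated (priority 1 first, first match wins), with the deny-all-plus-layered-allow pattern described for Microsoft 365 above and a check that no legacy, non-MFA client can still reach an allow rule. Rule fields, client names and zone names are constructed for the example.

```python
from dataclasses import dataclass
from typing import Optional

LEGACY_CLIENTS = {"pop", "imap"}  # constructed: clients that never redirect to Okta for MFA

@dataclass
class Rule:
    name: str
    priority: int                         # 1 is evaluated first
    action: str                           # "allow" or "deny"
    clients: Optional[frozenset] = None   # None = any client type (all pre-selected)
    device_trust: Optional[str] = None    # "trusted", "not_trusted" or None = any
    zone: Optional[str] = None            # network zone name, None = any
    require_mfa: bool = False

@dataclass
class Request:
    client: str
    device_trust: str
    zone: str

def matches(rule: Rule, req: Request) -> bool:
    """A rule matches only if every condition it sets is satisfied."""
    if rule.clients is not None and req.client not in rule.clients:
        return False
    if rule.device_trust is not None and rule.device_trust != req.device_trust:
        return False
    return rule.zone is None or rule.zone == req.zone

def evaluate(rules, req: Request):
    """First matching rule in priority order wins; returns (rule name, action, mfa)."""
    for rule in sorted(rules, key=lambda r: r.priority):
        if matches(rule, req):
            return rule.name, rule.action, rule.require_mfa
    return None, "deny", False  # assumption for the model: nothing matched, treat as blocked

def legacy_reachable(rules):
    """Policy check: which legacy (non-MFA) clients can still reach an allow rule?"""
    reachable = set()
    for client in LEGACY_CLIENTS:
        for trust in ("trusted", "not_trusted"):
            for zone in ("Corporate", "Anywhere"):
                if evaluate(rules, Request(client, trust, zone))[1] == "allow":
                    reachable.add(client)
    return reachable

# Constructed policy: deny-all at the lowest priority, allow rules layered above it.
POLICY = [
    Rule("Deny all", 3, "deny"),
    Rule("Modern auth on trusted devices", 1, "allow",
         clients=frozenset({"browser", "modern_auth"}), device_trust="trusted", require_mfa=True),
    Rule("Modern auth from corporate zone", 2, "allow",
         clients=frozenset({"browser", "modern_auth"}), zone="Corporate", require_mfa=True),
]
```

Running `legacy_reachable` against a policy whose bottom rule is an allow instead of a deny shows the POP/IMAP clients slipping through, which is the misconfiguration the deny-all rule prevents.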
When users are blocked from an app, they are shown the following message: