Anyway to list who has MFA actively setup and anyway to force MFA setup? Skip to main content
https://support.okta.com/help/answers?id=9060z000000jjdkqas&refurl=http%3a%2f%2fsupport.okta.com%2fhelp%2fanswers
How satisfied are you with the Okta Help Center?
Thank you for your feedback!
How satisfied are you with the Okta Help Center?
1
2
3
4
5
Very Dissatisfied
Very satisfied
Enter content less than 200 characters.
Ask Search:
David GenenzDavid Genenz 

Anyway to list who has MFA actively setup and anyway to force MFA setup?

Hi,

We currently have MFA setup with Okta/Radius for VPN access but we're looking to expand that to require MFA when using anything Okta externally.

There's a report to show when someone last used or enrolled but they couldn't have (in theory) deactivated it so I'm looking for a definitive list of who does and does not have MFA setup. Is anyone aware of a report or method to determine that?  I'm guessing there's a way in postman but i'm not overly talented with it.

Is anyone aware of a way to force MFA setup? I see ways to encourage it but not require it.

Thanks in advance for any help or recommendations,
David
Tomas PopescuTomas Popescu (Vendor Management)
To enforce users to use MFA you can add a policy rule for users accesing okta when their IP is not in zone, as for a list of users using MFA at the moment, will be through APIs, and other option for this is to create a feature request on https://support.okta.com/help/oktaideanew as for the moment only user authenticating with MFA can be shown in the reports. If you require further assistance please open a case with customer support.
Dylann FezeuDylann Fezeu (Customer First Programs)
Hello David,

Thanks for posting your inquiry in Okta Community Portal.

If you receive a great answer to your question(s), please help readers find it by marking it the best answer. Hover over the answer and click "Best Answer." 

Thank you,

Dylann Fezeu
Okta Help Center Team
David GenenzDavid Genenz
Thank you for the responses.

Sorry, I didn't explain the issue with enforcement clearly enough. We've had some security issues with staff being stupid with their credentials. I'm sure everyone's shocked that happens ;). What we'd like to do is force MFA setup immediately just like the secret question/answer and make it mandatory.

Currently, ff staff don't setup MFA but we require MFA externally and that staff person never accesses Okta remotely, they may never configure it. So an unauthorized third party with their username and password could access Office 365 and that unauthorized party could in theory setup MFA to be able to access their account. There's nothing to prohibit an unauthorized third party from getting in unless MFA was already setup. Curious how or if others are addressing this.

Thanks in advance,
David
Eugen DumitruEugen Dumitru (Okta, Inc.)
Hello David,

You can create app level signon policy to enforce MFA for the specific application, more on MFA  (https://help.okta.com/en/prod/Content/Topics/Security/MFA.htm?Highlight=MFA) and App SignOn policyes (https://help.okta.com/en/prod/Content/Topics/Security/App_Based_Signon.htm?Highlight=enforce%20MFA) .
If you need assistance in setting a policy, please create a case with Okta Support.

Best regards,
Eugen Dumitru.