Can you enable MFA for just the web UI and not all apps?
I would like to roll out MFA to our different Applications, but I would like to require MFA on just the web login for now (organization.okta.com) and not the apps just yet.
Is this possible or is it an all or nothing style MFA when dealing with the web portal logon? I know I can enable MFA on individual apps and not the web portal login, but is there a way to exclude certain apps from MFA when it's enabled via the sign on policy?
You can enable multifactor to prompt the user only upon logging into Okta. To do so, go to admin/access/multifactor (Security - Multifactor), select the multifactor types, then define your policy. If you have Network Zones defined, you can choose whether or not users will be prompted for Multifactor while "on-network" and a different rule for "off-network".
With this enabled (and depending on how you define your "on-network" or "off-network" policies), when a user attempts to log in at organization.okta.com, the user will be prompted for their 2-factor authentication code. Once logged in, they won't be prompted again for it unless you have a rule defined for an app to do so.
Following on from Kevin's advice above to actually configure MFA to the Web Portal as a whole, it is not possible to exclude certain applications. You have the ability to have MFA on the whole portal, specific applications or the ability to have MFA on both.
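
One way to check which network locations a sign-on policy admits without a second factor, given the "on-network" and "off-network" rules described in the first answer. This is an added example, not part of the original thread and not Okta's code. It assumes rule objects shaped like Okta sign-on policy rules, first-match-by-priority evaluation, and a client IP that falls in at most one zone; the rules and the zone ID are constructed placeholders.

```python
# Added example. Rule objects are constructed and shaped like Okta sign-on
# policy rules (field names are an assumption); zone IDs are placeholders.
SAMPLE_RULES = [
    {"name": "On-network, no MFA", "priority": 1, "status": "ACTIVE",
     "conditions": {"network": {"connection": "ZONE", "include": ["ZONE_ID_CORP"]}},
     "actions": {"signon": {"access": "ALLOW", "requireFactor": False}}},
    {"name": "Off-network, MFA", "priority": 2, "status": "ACTIVE",
     "conditions": {"network": {"connection": "ANYWHERE"}},
     "actions": {"signon": {"access": "ALLOW", "requireFactor": True,
                            "factorPromptMode": "SESSION"}}},
]

def rule_matches(rule, zone):
    """zone is the ID of the zone the client IP falls in, or None if off-network."""
    net = rule.get("conditions", {}).get("network", {})
    if net.get("connection", "ANYWHERE") == "ANYWHERE":
        return True
    if zone in net.get("exclude", []):
        return False
    include = net.get("include")
    # With only an exclude list, every location outside it matches.
    return zone in include if include else True

def decide(rules, zone):
    """Assumed evaluation order: first active rule by priority that matches wins."""
    active = [r for r in rules if r.get("status") == "ACTIVE"]
    for rule in sorted(active, key=lambda r: r["priority"]):
        if rule_matches(rule, zone):
            signon = rule["actions"]["signon"]
            if signon.get("access") != "ALLOW":
                return rule["name"], "DENY"
            outcome = "MFA" if signon.get("requireFactor") else "PASSWORD_ONLY"
            return rule["name"], outcome
    return None, "NO_RULE"

def mfa_gaps(rules, zones):
    """Locations (zone IDs, plus None for off-network) admitted without a factor."""
    return [z for z in list(zones) + [None]
            if decide(rules, z)[1] == "PASSWORD_ONLY"]

if __name__ == "__main__":
    for location in ["ZONE_ID_CORP", None]:
        print(location or "off-network", "->", decide(SAMPLE_RULES, location))
    print("No-MFA locations:", mfa_gaps(SAMPLE_RULES, ["ZONE_ID_CORP"]))
```

A result of `NO_RULE` means no active rule matched that location, which is worth reviewing separately from the password-only cases.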