Application not Prompting for MFA
Okta Classic Engine
Multi-Factor Authentication
Overview

If the Authentication Policy or Global Session Policy requires Multi-Factor Authentication (MFA) for a user to log in to the User Dashboard, but no prompt for MFA is configured in the Application Sign-On Policy, the user will be prompted for MFA only once when accessing the application, during the initial login to the User Dashboard.

Applies To
  • Okta Classic Engine
  • Multi-Factor Authentication (MFA)
  • Application Sign-On Policy
Cause

This can occur when:

  • Application policy is configured to require MFA Once Per Session.
  • The Actions section in the application sign-on policy is not configured, or is configured differently than desired.

Example of behavior when Once Per Session is configured:

  1. The user logs in to the User Dashboard, is prompted for MFA, and successfully completes the MFA challenge because their Authentication policy requires MFA on every login.

  2. The user then clicks an application they are assigned to.

  3. This app has a rule configured that specifies MFA is required Once per session.

  4. The user is NOT prompted for MFA.

This is expected behavior: the user already provided MFA for the session when the authentication policy challenged them at dashboard login. The app policy references the Okta session, not a separate application-specific session.

Solution

If this is not the intended behavior, and the user should provide MFA each time they access the application, modify the app sign-on policy to prompt for a factor on every sign-on.

To do so, follow the steps below:

  1. Navigate to Admin Dashboard > Applications > Applications.
  2. From the Active list of applications, choose the app for which the sign-on policy should be modified.
  3. Click on the app once found and go to the Sign On tab.
  4. Scroll down until the Sign On Policy section is visible. 
  5. If there is already a policy configured, click the pencil icon to edit the rule. If there is not, click Add rule. The default sign-on policy cannot be amended.
  6. Once the rule is opened, scroll down to the Access section. Mark the option to Prompt for factor.
  7. A list of options will become available. Each one indicates when the user will be prompted for MFA while accessing the application. Select the one that says Every sign on if the desired outcome is for the user to be prompted for MFA each time they access the application.
  8. Now, the users will be prompted for MFA every time they access the app.
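
The session behavior described under Cause, and the effect of switching to Every sign on, can be replayed with a small model. This is an added example, not Okta code or the Okta API: `PromptMode`, `OktaSession`, `dashboard_login`, `app_launch` and `replay` are hypothetical names, and the model assumes a single MFA flag per Okta session, as the article describes.

```python
from dataclasses import dataclass
from enum import Enum


class PromptMode(Enum):
    """Simplified stand-in for the app sign-on rule's Access setting (assumed names)."""
    NONE = "prompt for factor not configured"
    ONCE_PER_SESSION = "once per session"
    EVERY_SIGN_ON = "every sign on"


@dataclass
class OktaSession:
    # One flag for the whole Okta session: the app rule reads this,
    # it does not keep a separate per-application session.
    mfa_verified: bool = False


def dashboard_login(session: OktaSession, policy_requires_mfa: bool) -> bool:
    """Return True if the user is challenged for MFA at dashboard login."""
    if policy_requires_mfa:
        session.mfa_verified = True
        return True
    return False


def app_launch(session: OktaSession, mode: PromptMode) -> bool:
    """Return True if the user is challenged for MFA when opening the app."""
    if mode is PromptMode.EVERY_SIGN_ON:
        session.mfa_verified = True
        return True
    if mode is PromptMode.ONCE_PER_SESSION and not session.mfa_verified:
        session.mfa_verified = True  # first MFA of this session
        return True
    return False  # NONE, or the session already satisfied the rule


def replay(policy_requires_mfa: bool, mode: PromptMode, launches: int = 2) -> list:
    """Replay one session (login, then app launches); list where MFA was prompted."""
    session = OktaSession()
    prompts = []
    if dashboard_login(session, policy_requires_mfa):
        prompts.append("dashboard")
    for n in range(1, launches + 1):
        if app_launch(session, mode):
            prompts.append(f"app launch {n}")
    return prompts


if __name__ == "__main__":
    for mode in PromptMode:
        print(f"{mode.value:35} -> {replay(True, mode)}")
```

With MFA required at dashboard login, only the Every sign on mode produces a prompt at the application itself.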

 

 