Authenticator enrollment policies govern how users enroll authenticators. They let an administrator define rules for particular authenticators and circumstances, for example requiring certain groups of users to enroll specific authenticators.
When a user tries to access an application whose authentication policy requires a specific authenticator, Okta prompts the user to enroll it if it has not already been enrolled. This prompt ensures that the user meets the app's authentication requirements.
- Okta Identity Engine (OIE)
- Authenticators
- Multi-Factor Authentication (MFA)
- To create an enrollment policy, in the Okta Admin Console go to Security > Authenticators and select the Enrollment tab.
- Click Add a policy to open the Add Policy page.
- Complete the Policy name, Policy description, Assign to groups, and Eligible authenticators fields, then click Create Policy. A window then prompts you to add a rule to the enrollment policy.
Each eligible authenticator has one of three statuses:
- Required: End users must enroll the MFA factor during their first authentication attempt in the Okta tenant.
- Optional: End users are prompted to enroll the MFA factor during their first authentication attempt in the Okta tenant, but they can choose Set up later for that factor.
NOTE: End users can enroll any MFA factor made eligible by the enrollment policies that evaluate their account from the Okta End-User Dashboard: click the name in the top right corner and select Settings.
- Disabled: End users are not prompted to enroll the MFA factor and cannot enroll it later unless an Okta tenant administrator changes its status. See the Authenticator enrollment policy article for additional details about enrollment policies.
- In addition to specifying a descriptive Rule Name, you can exclude specific users or groups from the rule and choose, from the IF User's IP is dropdown, the network locations from which the user is prompted for enrollment. The scope of the rule is set with AND User is accessing, which offers the following options:
- Okta
- Applications: Select this option and choose one of the following:
- Any application that supports MFA enrollment.
- Specific applications: Start typing the name of the application to which this rule applies in the field that appears.
- Once all conditions are met, the THEN Enrollment is field determines whether enrollment is Allowed if required authenticators are missing or Denied. Finally, click Create rule to save the rule with the defined conditions.
Example:
If only Specific applications is selected in the AND User is accessing field (for example Microsoft Office 365), users assigned to the enrollment policy are prompted to enroll the specified factors only when accessing that application. A user who never opens that application is therefore never prompted to enroll through this rule, so check that another rule or policy covers them.
NOTE: The Access Testing Tool can be used to verify whether the policy is working as expected. For more information about this feature, please refer to the link in the related references below.
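The Admin Console steps above have an API counterpart: an enrollment policy is a policy object of type MFA_ENROLL whose settings list each authenticator with a status, and whose rules carry the network and application conditions described in the rule section. The script below is an added example, not Okta's code or part of the original article. It audits a policy and its rules exported from the Policy API and reports the three statuses plus the two things a practitioner most often wants to catch: no authenticator marked Required (every factor can be skipped with Set up later), and a rule scoped to specific applications (users who never open those apps are never prompted, as in the Example above). The field names used (settings.authenticators[].key, enroll.self with REQUIRED/OPTIONAL/NOT_ALLOWED, rules[].conditions.app.include, rules[].actions.enroll.self) are the author's reading of the MFA_ENROLL schema and should be checked against the current Okta API reference; the sample policy, rule, group and app IDs are constructed for illustration, and the set of authenticators treated as weak is the author's own choice.

```python
"""Audit an Okta Identity Engine authenticator enrollment policy export.

Added example, not Okta code. Input shape follows the author's reading of
GET /api/v1/policies/{policyId} (type MFA_ENROLL) and
GET /api/v1/policies/{policyId}/rules; verify field names against the
current API reference. SAMPLE_POLICY and SAMPLE_RULES are constructed.
"""
import json

# Console status names used in the article, keyed by the API value
# (assumed mapping of enroll.self values).
STATUS_LABEL = {"REQUIRED": "Required", "OPTIONAL": "Optional", "NOT_ALLOWED": "Disabled"}

# Authenticators the author flags whenever they are enrollable: SMS/voice is
# exposed to SIM swapping, security questions are guessable. Adjust to taste.
WEAK_AUTHENTICATORS = {"phone_number", "security_question"}

# Constructed sample: one Required, one Optional, one Disabled authenticator.
SAMPLE_POLICY = {
    "id": "00pEXAMPLE",
    "type": "MFA_ENROLL",
    "name": "Contractors enrollment",
    "status": "ACTIVE",
    "conditions": {"people": {"groups": {"include": ["00gEXAMPLE"]}}},
    "settings": {
        "type": "AUTHENTICATORS",
        "authenticators": [
            {"key": "okta_verify", "enroll": {"self": "REQUIRED"}},
            {"key": "phone_number", "enroll": {"self": "OPTIONAL"}},
            {"key": "security_question", "enroll": {"self": "NOT_ALLOWED"}},
        ],
    },
}

# Constructed sample rules: one scoped to a single application (the article's
# Office 365 example), one default rule covering everything else.
SAMPLE_RULES = [
    {
        "name": "Office 365 only",
        "status": "ACTIVE",
        "priority": 1,
        "conditions": {
            "network": {"connection": "ANYWHERE"},
            "app": {"include": [{"type": "APP", "id": "0oaEXAMPLE"}]},
        },
        "actions": {"enroll": {"self": "CHALLENGE"}},
    },
    {
        "name": "Default Rule",
        "status": "ACTIVE",
        "priority": 2,
        "conditions": {"network": {"connection": "ANYWHERE"}},
        "actions": {"enroll": {"self": "CHALLENGE"}},
    },
]


def authenticator_statuses(policy):
    """Map each authenticator key to its console status: Required, Optional or Disabled."""
    statuses = {}
    for entry in policy.get("settings", {}).get("authenticators", []):
        api_value = entry.get("enroll", {}).get("self", "NOT_ALLOWED")
        statuses[entry["key"]] = STATUS_LABEL.get(api_value, api_value)
    return statuses


def audit(policy, rules):
    """Return a list of human-readable findings for one policy and its rules."""
    findings = []
    statuses = authenticator_statuses(policy)
    required = [key for key, status in statuses.items() if status == "Required"]
    enrollable = {key for key, status in statuses.items() if status != "Disabled"}

    # With nothing Required, every factor offers Set up later and MFA is effectively opt-in.
    if not required:
        findings.append("no authenticator is Required: every factor can be skipped with Set up later")

    # Weak factors that users are able to enroll, whether Required or Optional.
    for key in sorted(WEAK_AUTHENTICATORS & enrollable):
        findings.append(f"weak authenticator '{key}' is {statuses[key]}")

    # Rules limited to specific applications only prompt while those apps are accessed.
    for rule in rules:
        if rule.get("status") != "ACTIVE":
            continue
        apps = rule.get("conditions", {}).get("app", {}).get("include", [])
        if apps:
            app_ids = ", ".join(app.get("id", "?") for app in apps)
            findings.append(
                f"rule '{rule['name']}' prompts for enrollment only when accessing {app_ids}; "
                "users who never open those apps are never prompted by this rule"
            )
    return findings


if __name__ == "__main__":
    report = {
        "policy": SAMPLE_POLICY["name"],
        "statuses": authenticator_statuses(SAMPLE_POLICY),
        "findings": audit(SAMPLE_POLICY, SAMPLE_RULES),
    }
    print(json.dumps(report, indent=2))
```

To run it against a real tenant, replace SAMPLE_POLICY and SAMPLE_RULES with the JSON returned by the two API calls named in the docstring (an API token with policy read permission is needed) and loop over every MFA_ENROLL policy; the Access Testing Tool mentioned above remains the authoritative check of what a given user actually experiences.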
