Original Post - October 3, 2022
Last Update - September 19, 2025
 

To comply with U.S. export control and economic sanctions laws and regulations, as well as with Okta's corporate policies, Okta takes measures to restrict access to our applications from Cuba, Iran, North Korea, Syria, and the regions of Crimea, Donetsk People’s Republic (DNR) and Luhansk People’s Republic (LNR) of Ukraine without prior approval from the U.S. government with an applicable general or specific license. More information about U.S. export control and economic sanctions laws and regulations can be found at:  

• U.S. Department of Commerce's Bureau of Industry and Security 
• U.S. Treasury Department's Office of Foreign Assets Control

Please be aware that Okta’s access restrictions may apply even when a User is on temporary travel to embargoed regions, although the User may not normally reside there, and also applies to companies based outside the United States. If you are legally permitted to operate in these regions under U.S. export control and economic sanctions laws and regulations, Okta has an exemption process which you can initiate by completing this exemption request form. Per the terms of our Master Subscription Agreement, Okta customers are responsible for complying with any export control and sanctions laws applicable to their activities. 

Frequently Asked Questions

Why is Okta blocking Users in certain regions from accessing the Okta Platform (including the Auth0 Platform) and Free Trials?

Okta has implemented these restrictions in support of our customers’ and Okta’s existing contractual obligations with respect to U.S. export control and economic sanction laws.

When did Okta begin blocking Users from accessing the Okta Platform (including the Auth0 Platform) and Free Trials?

Okta began blocking Users on October 3, 2022 in preview cells and in production cells on October 17, 2022. The following federally authorized cells are not included in these restrictions at this time: OK5, OK10, OG1 and OM1. 

How do I know if I have Users attempting to access our tenant from these regions?

Using the system logs you can get the geographical location for end Users: Search System Logs.

What happens if there is an access request from these regions?

Okta simply denies access requests from these regions. Okta does not disable Users who attempt to request access to Okta’s services from these regions but users will receive an access denied message. 

When are federally authorized cells (OK5, OK10, OG1 and OM1) going to implement IP auto blocking?

We do not yet have a timeframe for the change on these cells. 

Can Okta handle export control and sanctions compliance for my organization?

As a Customer, you are responsible for ensuring your own compliance with applicable export control and sanction laws. As outlined in the Okta Master Subscription Agreement, you must use the Okta Platform (including the Auth0 Platform) and Free Trials in compliance with applicable laws. You are responsible for choosing your own Okta or Auth0 regions for deploying your tenant and ensuring that your configuration meets relevant requirements. Okta does not inspect, approve, or monitor the tenants or applications you deploy on the Okta Platform (including the Auth0 Platform) and Free Trials. Okta does not block network traffic to your website and it is customers responsibility to prevent access to your applications and transactions to ensure compliance with applicable export control and sanction laws. Okta has no responsibility for and does not have the ability to know directly the end Users that interact with your applications using the Okta Platform (including the Auth0 Platform) and Free Trials.

My organization is legally permitted under U.S. law and needs to have access to Okta Platform (including the Auth0 Platform) and Free Trials in Cuba, Iran, North Korea, Syria, the regions of Crimea, Luhansk or Donetsk. How do I request an exemption to these restrictions?

Customers can request an exemption by submitting this exemption request form. Okta will determine whether you are eligible to access the Okta Platform (including the Auth0 Platform) and Free Trials from an embargoed territory based on the answers provided. Please allow up to five business days for your request to be completed. If you have any questions, contact us at tradecompliance@okta.com. 

What criteria must I provide for my exemption request to get approved?

A valid exemption request will only be granted for entities that qualify for a general license from OFAC to engage in a transaction that otherwise would be prohibited or for entities that have received a specific license from OFAC. It is the customers responsibility to make sure that all transactions pursuant to general or specific licenses observe all conditions of the licenses.

My company is not based in the United States and I don’t think these restrictions should apply. How do I proceed?

As a United States based organization, Okta must comply with U.S. export control and economic sanctions laws and regulations. This means Okta cannot export its software to territories that are sanctioned or embargoed by the U.S. Government, even to organizations that aren’t under U.S. jurisdiction. 

What if I have a User traveling to these regions?  How can I ensure that they continue to have access to Okta, Auth0, and related applications?

Okta does not grant temporary exemptions because of travel, unless your organization is covered under a general license to operate within a region or has a specific license. If your organization has a specific license or general license to operate within a region, please follow the exemption request process here. 

I’ve previously applied for and received an exemption, however, my specific license is about to expire and I’d like to apply for an exemption extension with Okta to continue to be able to use Okta’s services in the blocked regions. How do I do this?

Submit a new exemption request form as you initially did and advise in the additional comments that this is an exemption extension. 

My IP address shows that I am located in Cuba, Iran, North Korea, Syria, or the regions of Crimea, Donetsk People’s Republic (DNR) and Luhansk People’s Republic (LNR) of Ukraine but I am not located in one of these regions. How do I rectify?

For assistance, submit a ticket to Okta support, where they can assist you with the IP correction.

Does Okta have an OFAC list of countries subject to comprehensive embargoes?

No, Okta does not maintain that. You can refer to the US Department of Treasury page for more details on the Office of Foreign Assets and Control Sanctions Program.

Does Okta plan to remove its IP blocking measures for Syria given the lifting of OFACs comprehensive sanctions on Syria?

At this time, Okta will not be making any changes to its IP Access Policy. Okta’s measures to restrict access to our applications within Syria will remain; however, Organizations that would like to utilize Okta’s Services in Syria may request an exemption by submitting this exemption request form.

In addition to Okta’s IP Access Policy, what other features does Okta offer to help me block IP ranges for the Okta Platform (including the Auth0 Platform) and Free Trials?

The Auth0 Platform

The Auth0 Platform also makes available features for you to:

1. Choose your Deployment Regions. When you create a tenant with Auth0, you are able to select the region of where you want to store data in Auth0. For example, you may choose to store your data in the United States or other region of choice. 
2. Country-based Access control. Auth0 allows you to enable country-based access through the Auth0 Platform through a no-code actions integration or through writing it yourself. This feature further allows you to block specific Users based on their IP address. For additional information, click here.

The Okta Platform (including the Auth0 Platform) and Free Trials

The Okta Platform (including the Auth0 Platform) and Free Trials, depending on your organization’s implementation and use case, may also make available certain features for you to:

1. Create a location zone to block logins from specific countries, regions, IP ranges. See docs here for more information.
2. Create a dynamic zone to block logins from IPs with a reputation for being risky. (Adaptive SKU required) See docs here for more information.
3. Add an authentication or sign-on policy condition to block logins or prompt for stronger authentication if the end User is exhibiting anomalous behavior. (Adaptive SKU required) See docs here for more information.
4. Use ThreatInsight to block requests that Okta has determined to be associated with specific types of credential attacks. See docs here for more information on ThreatInsight.