This article discusses whether specific groups of users can be excluded from being blocked when a Dynamic Network Zone is configured in Okta with the box Block access from IPs matching conditions listed in this zone enabled.
- Dynamic Network Zone
The Dynamic Network Zone does not allow excluding specific users from the block list. When the box Block access from IPs matching conditions... is enabled, the blocking is applied at the org level for all incoming IPs.
To achieve fine-grained control over traffic to a tenant, create the Dynamic Network Zone without the Block access from IPs matching conditions listed in this zone option selected. After configuring the zone with the countries from which traffic should not be allowed, associate it with an Authentication Policy Rule that has the Access is - Denied option selected.
- Dynamic Zone configuration (select specific Countries, Regions/ States, or specify IP addresses that traffic should not come from)
- Authentication Policy Rule - Example configuration for blocking access based on the Dynamic Network Zone.
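
The difference between the two setups described above, as a simplified model added here (it is not Okta's code and not part of the original article). The payload field names are assumed to follow Okta's Network Zones and Policies APIs and should be verified against the current API reference; the group exclusion condition, the zone id, the group id and the country code `ZZ` are assumptions or constructed placeholders.

```python
# Simplified model, not Okta code. Field names are assumed from Okta's APIs.
ZONE_ID = "nzo_EXAMPLE"        # constructed placeholder zone id
EXEMPT_GROUP = "00g_EXAMPLE"   # constructed placeholder group id

def make_zone(name, countries, usage):
    # usage="BLOCKLIST" models ticking "Block access from IPs matching
    # conditions listed in this zone"; usage="POLICY" leaves it unticked.
    return {"type": "DYNAMIC", "name": name, "status": "ACTIVE", "usage": usage,
            "locations": [{"country": c} for c in countries]}

def make_deny_rule(name, zone_id, exempt_group_ids):
    # Authentication Policy Rule: "Access is - Denied" for traffic in the zone,
    # except for members of the exempt groups (assumed rule condition).
    return {"type": "ACCESS_POLICY", "name": name,
            "conditions": {
                "network": {"connection": "ZONE", "include": [zone_id]},
                "people": {"groups": {"exclude": list(exempt_group_ids)}}},
            "actions": {"appSignOn": {"access": "DENY"}}}

def in_zone(zone, country):
    return any(loc["country"] == country for loc in zone["locations"])

def decide(zone, zone_id, rule, country, user_groups):
    """Return 'DENY' or 'CONTINUE' for one sign-in attempt."""
    if zone["usage"] == "BLOCKLIST":
        # Org-level block: group membership is never consulted.
        return "DENY" if in_zone(zone, country) else "CONTINUE"
    if rule is None:
        return "CONTINUE"
    cond = rule["conditions"]
    zone_hit = zone_id in cond["network"]["include"] and in_zone(zone, country)
    exempt = bool(set(user_groups) & set(cond["people"]["groups"]["exclude"]))
    if zone_hit and not exempt:
        return rule["actions"]["appSignOn"]["access"]
    return "CONTINUE"  # falls through to the next rule in the policy

if __name__ == "__main__":
    blocklist = make_zone("Blocked countries", ["ZZ"], "BLOCKLIST")
    policy_zone = make_zone("Restricted countries", ["ZZ"], "POLICY")
    rule = make_deny_rule("Deny restricted countries", ZONE_ID, [EXEMPT_GROUP])
    # Same exempt user, same country, two different outcomes.
    print(decide(blocklist, ZONE_ID, None, "ZZ", [EXEMPT_GROUP]))
    print(decide(policy_zone, ZONE_ID, rule, "ZZ", [EXEMPT_GROUP]))
    print(decide(policy_zone, ZONE_ID, rule, "ZZ", ["00g_OTHER"]))
```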
