How to Exclude Users from Blocked Countries Network Zone
Administration
Okta Classic Engine
Okta Identity Engine
Overview

This document explains how to block sign-in from specific countries with a Dynamic Network Zone while still excluding individual users from the resulting location-based DENY rule.

Applies To
  • Security
  • Network Zones
Solution
  1. Navigate to Admin Console.
  2. Navigate to Security > Networks.
  3. Click Add Zone > Dynamic Zone.
  4. Define countries that should be blocked.

[Screenshot: Edit Dynamic Zone]

  • With the checkbox Block access from IPs matching conditions listed in this zone checked, clients from the Blocked Countries network zone cannot reach any URL of the org: requests are blocked automatically before any policy evaluation occurs, so blocked countries never even see the login screen. Because no policy runs, user exclusions have no effect in this mode. For more information, see Add a network zone to a blocklist.
  • With the checkbox Block access from IPs matching conditions listed in this zone unchecked, clients from the Blocked Countries network zone can reach the org URL, and the request is instead evaluated against policy after the username is entered. This means that blocked countries are able to see the login screen, and it is the only mode in which specific users can be excluded.

Okta Identity Engine

If you uncheck this box, add a rule at the top of each applicable Global Session Policy that DENIES the Blocked Countries network zone, so it is the first rule evaluated. Exclude users from this DENY rule where needed. The downside of this method is that blocked countries can now reach the login screen; however, they are DENIED once the username is entered unless that user is excluded from the DENY rule. The most important policy to change is the Default Policy, because it applies to Everyone; if the Blocked Countries restriction should also apply to other Global Session Policies, add the same rule to each of them.

[Screenshot: Rule]

This rule, placed at the top, DENIES all Blocked Countries the ability to log in, except for the Test username.

Okta Classic Engine

If this box should be unchecked, add a rule to the top of the Okta Sign-On Policy under Security > Authentication > Sign On.

  1. Navigate to Security > Authentication > Sign On.
  2. Click Add New Okta Sign-on Policy.
  3. Name policy Block Blocklisted Countries.
  4. Enter policy description.
  5. Assign to Everyone.
  6. Click Create policy and Add rule.
  7. Name rule: Block blocklisted countries.
  8. Exclude users: add each user to exclude individually. Groups cannot be excluded here.
  9. If the User's IP is: In zone.
  10. Zone: Blocklisted Countries.
  11. THEN Access is: Denied.
  12. Click Create rule.
  13. Drag the rule to the top of the list.
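The following Python script is an added example, not part of the original article or an Okta-provided tool. It models the two behaviours described above (checkbox checked versus unchecked) and the user exclusion that both the Identity Engine Global Session Policy rule and the Classic Engine Sign-On Policy rule rely on, and it builds request bodies shaped like Okta's Zones and Policies APIs as this editor understands them (DYNAMIC zone with `usage` BLOCKLIST or POLICY; SIGN_ON rule with a ZONE network condition and a `people.users.exclude` list). The country codes, user names and IDs are constructed placeholders; confirm the payload fields against the current Okta API reference before use.

```python
from dataclasses import dataclass, field

# Constructed placeholder values (not real country codes, zone or user IDs).
BLOCKED_COUNTRIES = {"XX", "YY"}
EXCLUDED_USER = "test.user"  # the "Test username" kept out of the DENY rule


@dataclass
class Zone:
    name: str
    countries: set
    block_access: bool  # the "Block access from IPs matching conditions listed in this zone" checkbox


@dataclass
class Rule:
    name: str
    zone: str            # zone name referenced by the rule's "In zone" condition
    access: str          # "DENY" or "ALLOW"
    excluded_users: set = field(default_factory=set)


def zone_payload(zone: Zone) -> dict:
    """Body for POST /api/v1/zones (assumed Okta Zones API shape).
    usage=BLOCKLIST is the API form of the checked box; usage=POLICY leaves
    the zone usable only as a policy condition."""
    return {
        "type": "DYNAMIC",
        "name": zone.name,
        "usage": "BLOCKLIST" if zone.block_access else "POLICY",
        "locations": [{"country": c, "region": None} for c in sorted(zone.countries)],
    }


def signon_rule_payload(rule: Rule, zone_id: str, excluded_user_ids: list) -> dict:
    """Body for POST /api/v1/policies/{policyId}/rules on an OKTA_SIGN_ON policy
    (assumed shape). priority 1 corresponds to step 13, the rule at the top."""
    return {
        "type": "SIGN_ON",
        "name": rule.name,
        "priority": 1,
        "conditions": {
            "network": {"connection": "ZONE", "include": [zone_id]},
            "people": {"users": {"exclude": excluded_user_ids}},
        },
        "actions": {"signon": {"access": rule.access}},
    }


def evaluate(zones, rules, country, username):
    """Model of the two behaviours the article describes."""
    # Checked box: the request is dropped before the login page and before any policy,
    # so user exclusions cannot apply here.
    for z in zones:
        if z.block_access and country in z.countries:
            return "BLOCKED_BEFORE_LOGIN"
    # Unchecked box: login page is shown; rules run top-down after the username is entered.
    by_name = {z.name: z for z in zones}
    for r in rules:
        if country in by_name[r.zone].countries and username not in r.excluded_users:
            return r.access
    return "ALLOW"  # no rule matched: falls through to the remaining rules (allow in this model)


BLOCK_ZONE = Zone("Blocklisted Countries", BLOCKED_COUNTRIES, block_access=False)
DENY_RULE = Rule("Block blocklisted countries", BLOCK_ZONE.name, "DENY", {EXCLUDED_USER})


if __name__ == "__main__":
    import json
    print(json.dumps(zone_payload(BLOCK_ZONE), indent=2))
    print(json.dumps(signon_rule_payload(DENY_RULE, "<zoneId>", ["<userId>"]), indent=2))
    for country, user in [("XX", "alice"), ("XX", EXCLUDED_USER), ("ZZ", "alice")]:
        print(country, user, "->", evaluate([BLOCK_ZONE], [DENY_RULE], country, user))
```

The model makes the caveat explicit: with the checkbox checked, even the excluded user is blocked before the login page, so exclusions only work with the checkbox unchecked and the DENY rule at priority 1.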
