Configure Factor Enrollment Policies to Set what Factors are Allowed to be Used to Authenticate into an Application
Overview

For a user who is assigned to a group and to an application to be prompted for a specific factor during authentication, two Factor Enrollment Policies must be created.

Both policies must be assigned to the same group. One policy applies when the user's IP address is inside a specific network zone; the other policy applies from anywhere, with no IP zone condition configured.

Applies To
  • Multi-Factor Authentication (MFA)
  • Okta Classic Engine
Solution
  1. Create a Factor Enrollment Policy and assign it to the group.
  2. Set one factor as Required (for example, Email Authentication) and leave every other factor that the user should not use for this application as Disabled.

(Screenshot: Required factor)

  3. Add a rule to this policy that specifies IF User's IP is In Zone, select the zone previously configured, AND User is accessing Specific applications (add the application this policy applies to in the empty field).

(Screenshot: Rule)

  4. Create a second Factor Enrollment Policy and assign it to the same group.

  5. Set a different factor as Required (for example, FIDO2 (WebAuthn)).

(Screenshot: Factor Enrollment)

  6. Add a rule to this policy that specifies IF User's IP is Anywhere AND User is accessing Specific applications (add the same application that was added to the first policy).

    In this example, the rule applies only to a specific application (YouTube App).

    NOTE: If this configuration is required for all applications, including the Okta Dashboard, then both Okta and Applications should be selected.

(Screenshot: Rule)

  7. Set the Application Sign On Policy Rule to Prompt for factor.

    After completing these steps, the behavior is as follows:

  • When the user accesses the application from an IP address that is part of the zone created (in this case, LegacyIpZone), they match the first Factor Enrollment Policy and must authenticate with the factor required by that policy (in this case, Email Authentication).
  • When the user accesses the application from an IP address that is NOT part of that zone, they fall through to the next policy and must authenticate with the factor required by that policy (in this case, FIDO2 (WebAuthn)).

  8. Move the first policy created to the top of the enrollment policy list and place the second policy directly under it. Enrollment policies are evaluated in order of precedence, so the most restrictive policy should be at the top.
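
To see why the policy order in the last step matters (a zone-scoped policy placed below an Anywhere policy is never reached, so every user gets the Anywhere factor), here is a small model of the evaluation order described above. This is an added example, not Okta code or its API; the zone CIDR, group name, application name and factor identifiers are constructed sample values.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Set


@dataclass
class Rule:
    # zone: CIDR blocks that make up the network zone; None means "Anywhere"
    zone: Optional[List[str]]
    # apps: the "User is accessing Specific applications" condition
    apps: Set[str]


@dataclass
class Policy:
    name: str
    required_factor: str   # the single factor set to Required in this policy
    groups: Set[str]       # groups the policy is assigned to
    rules: List[Rule]


def ip_in_zone(ip: str, zone: Optional[List[str]]) -> bool:
    """True when the IP falls inside any CIDR of the zone (or the zone is Anywhere)."""
    if zone is None:
        return True
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(cidr) for cidr in zone)


def required_factor(policies: List[Policy], user_groups: Set[str], ip: str, app: str) -> Optional[str]:
    """Walk the ordered policy list; the first policy whose group assignment and
    rule conditions both match decides the factor, as in the precedence list."""
    for policy in policies:
        if not policy.groups & user_groups:
            continue
        for rule in policy.rules:
            if app in rule.apps and ip_in_zone(ip, rule.zone):
                return policy.required_factor
    return None  # no policy matched: nothing is enforced for this user/IP/app


# Constructed sample data: one zone CIDR, one group, and the two policies from the article.
LEGACY_IP_ZONE = ["203.0.113.0/24"]
ZONE_POLICY = Policy("In LegacyIpZone - Email", "okta_email", {"Finance"},
                     [Rule(LEGACY_IP_ZONE, {"YouTube App"})])
ANYWHERE_POLICY = Policy("Anywhere - WebAuthn", "webauthn", {"Finance"},
                         [Rule(None, {"YouTube App"})])

CORRECT_ORDER = [ZONE_POLICY, ANYWHERE_POLICY]   # most restrictive policy first
WRONG_ORDER = [ANYWHERE_POLICY, ZONE_POLICY]     # the zone policy is shadowed
```

With CORRECT_ORDER an in-zone user gets Email and an out-of-zone user gets WebAuthn; with WRONG_ORDER the in-zone user also gets WebAuthn, which is the misconfiguration the ordering step prevents.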


NOTE:

  • Multiple factors can be added to each policy, giving the user the option to choose which one to authenticate with.
  • This configuration applies to Okta Classic Engine.
  • When a factor is changed from Optional to Required, users who are not yet enrolled in that factor are required to set it up at their next sign-in to the Okta org.