How to Restrict MFA Enrollment to a Specific Zone
Okta Classic Engine
Multi-Factor Authentication
Overview
This article will show how to restrict enrollment and usage of factors based on a network zone.
Applies To
  • Multi-Factor Authentication (MFA)
  • Factor Enrollment
  • Okta Classic Engine
Solution

To restrict MFA enrollment to a specific zone, two rules have to be created: one to deny enrollment outside of that zone (higher priority) and another to allow enrollment inside the zone (lower priority).

NOTE: Adding only one rule that will "allow" enrollment while inside a zone will not "deny" enrollment outside that zone.

The steps to create the enrollment policies to restrict enrollment inside a specific zone are:

  1. Go to Security > Multi-Factor/Authenticators and add a new enrollment policy on top of the Default one.

  2. Set up the first rule to allow enrollment in a specific zone.

  3. Set up the second rule to deny enrollment outside of that specific zone.

  4. Use the dotted line next to the rule's number to drag the rule that denies enrollment above the allow rule, so that it has the higher priority.
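To check the result after step 4, the following added example (not Okta's code) audits an exported rule list for the deny-then-allow layout. It assumes rules shaped like the Okta Policy API's MFA_ENROLL rules and first-match evaluation in priority order; the zone id and sample rules are constructed placeholders.

```python
# Constructed sample data; rule shape modelled on Okta Policy API MFA_ENROLL rules (assumption).
TRUSTED_ZONE = "nzo-EXAMPLE-trusted"  # placeholder zone id

def rule(name, priority, self_enroll, include=(), exclude=()):
    return {"name": name, "priority": priority, "status": "ACTIVE",
            "conditions": {"network": {"connection": "ZONE",
                                       "include": list(include), "exclude": list(exclude)}},
            "actions": {"enroll": {"self": self_enroll}}}  # "NEVER" = enrollment denied

ALLOW_ONLY = [rule("Allow in zone", 1, "CHALLENGE", include=[TRUSTED_ZONE])]
DENY_THEN_ALLOW = [rule("Deny outside zone", 1, "NEVER", exclude=[TRUSTED_ZONE]),
                   rule("Allow in zone", 2, "CHALLENGE", include=[TRUSTED_ZONE])]

def matches(r, zone):
    """True if the rule's network condition covers a request from `zone` (None = no zone)."""
    net = r["conditions"]["network"]
    if net["connection"] == "ANYWHERE":
        return True
    if net["include"]:
        return zone in net["include"]
    return zone not in net["exclude"]

def first_match(rules, zone):
    """Highest-priority active rule that matches, or None if this policy has no match."""
    for r in sorted(rules, key=lambda r: r["priority"]):
        if r["status"] == "ACTIVE" and matches(r, zone):
            return r
    return None

def audit(rules, trusted_zone):
    """Return findings; an empty list means the policy follows the article's layout."""
    findings = []
    outside = first_match(rules, None)
    inside = first_match(rules, trusted_zone)
    if outside is None:
        findings.append("no rule matches outside the zone, so this policy does not deny there")
    elif outside["actions"]["enroll"]["self"] != "NEVER":
        findings.append(f"rule '{outside['name']}' permits enrollment outside the zone")
    if inside is None or inside["actions"]["enroll"]["self"] == "NEVER":
        findings.append("enrollment is not permitted inside the zone")
    elif outside is not None and outside["priority"] > inside["priority"]:
        findings.append("deny rule is below the allow rule; step 4 puts it first")
    return findings

if __name__ == "__main__":
    for label, rules in (("allow only", ALLOW_ONLY), ("deny then allow", DENY_THEN_ALLOW)):
        print(label, "->", audit(rules, TRUSTED_ZONE) or "OK")
```

The allow-only policy produces the finding that matches the NOTE above: a single allow rule leaves requests from outside the zone unmatched instead of denied.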
