The following reconfiguration has been identified as part of the preparation needed to perform the upgrade to Okta Identity Engine (OIE).

NOTE: Additional Okta features may require reconfiguration or be disabled in order to complete the upgrade. Any org that has an enrollment policy that has Okta Verify Push enabled and Okta Verify OTP disabled is blocked from upgrading.

• Okta Verify
• Multi-Factor Authentication (MFA)

The upgrade is blocked because an authenticator enrollment policy has Okta Verify Push enabled while Okta Verify One-Time Password (OTP) is disabled. This configuration is not valid for the upgrade process.

There are two methods to resolve this issue.

Using the Admin Console

1. In the Admin Console, go to the authenticator enrollment policy that is causing the issue.

2. Edit the policy.

3. Toggle Okta Verify from disabled to enabled.

4. Clear the Push checkbox.

5. Toggle Okta Verify back from enabled to disabled.

6. Select Save.

Using Management Policy API

1. Use the policy management API method GET to endpoint list the enrollment policies:
   https://${yourOktaDomain}/api/v1/policies?type=MFA_ENROLL

2. In the response, locate the policy where the okta_otp setting has a "self": "NOT_ALLOWED" value.

3. In the same policy, verify that the okta_push setting is OPTIONAL or REQUIRED. If both conditions are met, this policy is the cause of the issue.

4. If the identified policy is the Default Policy, modify it using the steps described in the Using the Admin Console section.

Related References

• List all policies API
• Video link