Email Authenticator Set to Optional Blocks Okta Identity Engine Upgrade
Administration
Okta Classic Engine
Okta Identity Engine
Overview

The following reconfiguration has been identified as part of the preparation needed to perform the upgrade to Okta Identity Engine (OIE). Note that additional Okta features may require reconfiguration or be disabled in order to complete the upgrade. The upgrade process is blocked if the Email authenticator's Factor Enrollment Policy is set to Optional, and the corresponding feature for optional email enrollment is not active.

Applies To
  • Org Summary - Email Optional Enrollment
  • EMAIL_FACTOR_POLICIES
  • Upgrade Eligibility: Customer Configuration Required

After remediation, the eligibility will show the updated information below:

  • EMAIL_OPTIONAL_FACTOR_POLCIES
  • EMAIL_FACTOR_POLICIES_OPTIONAL
  • Upgrade Eligibility: Consent Required

After the upgrade to Okta Identity Engine, email will not be auto-enrolled as an authenticator unless it is required. See the post-upgrade section for details.

In Okta Classic Engine, the email factor can be marked as an optional factor.

Cause

The upgrade to Okta Identity Engine (OIE) is blocked because the configuration for the Email authenticator is incompatible. In OIE, setting the Email authenticator to Optional requires the Enable optional email enrollment for Okta Identity Engine feature to be active. Without this feature, the enrollment policy must be set to either Required or Disabled.

Solution

To resolve this upgrade blocker, perform one of the two solutions below.

Option 1: Enable the Feature for Optional Email Enrollment

This option allows the Email factor to remain optional after the upgrade.

  1. In the Admin Console, go to Settings > Features.

  2. Locate and enable the feature Enable optional email enrollment for Okta Identity Engine.

  3. Click the button to Update Eligibility. This transitions the upgrade status to Consent Required.

After the upgrade to OIE is complete with this feature enabled, the following behaviors apply:

  • Self-Service Password Recovery:

    • Users are required to enroll in at least one recovery authenticator if Self-Service Password Recovery is enabled.

    • New users must enroll at least one recovery authenticator. If email is the only authenticator allowed, it is automatically enrolled.

  • Email Factor Enrollment:

    • Email is no longer automatically enrolled as an authenticator in OIE.

    • If the Email enrollment policy is set to Optional, users created with a password may choose to enroll it upon initial login.

    • If a user is created via an activation link, the email is enrolled when the link is redeemed.

Option 2: Change the Email Factor Enrollment Policy

Use this option if optional email enrollment is not needed or the feature cannot be enabled.

  1. In the Admin Console, locate the Authenticator Enrollment Policies that use the Email authenticator.

  2. For each relevant policy, change the setting for the Email factor from Optional to either Required or Disabled.

  3. After making the change, the Okta Identity Engine upgrade can proceed.

After the upgrade to OIE is complete with this configuration, the Email authenticator enrollment functions as Required, even if it was set to Optional in Classic Engine.
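
To find the policies for steps 1 and 2 of Option 2 without opening each one, the following added example (not Okta's code and not part of the original article) scans an exported policy list for Email set to Optional. It assumes the JSON shape of Okta's Policy API for `MFA_ENROLL` policies on a Classic org (`settings.factors.okta_email.enroll.self`, where `NOT_ALLOWED` corresponds to Disabled); the sample policies, ids and function names are constructed.

```python
import json

# Constructed sample input (names and ids are made up). The shape is assumed
# from Okta's Policy API: GET /api/v1/policies?type=MFA_ENROLL on a Classic org.
SAMPLE_POLICIES = json.loads("""
[
  {"id": "00pEXAMPLE0001", "name": "Contractors", "status": "ACTIVE", "priority": 1,
   "settings": {"factors": {"okta_email": {"enroll": {"self": "OPTIONAL"}},
                            "okta_otp":   {"enroll": {"self": "REQUIRED"}}}}},
  {"id": "00pEXAMPLE0002", "name": "Employees", "status": "ACTIVE", "priority": 2,
   "settings": {"factors": {"okta_email": {"enroll": {"self": "REQUIRED"}}}}},
  {"id": "00pEXAMPLE0003", "name": "Legacy pilot", "status": "INACTIVE", "priority": 3,
   "settings": {"factors": {"okta_email": {"enroll": {"self": "OPTIONAL"}}}}},
  {"id": "00pEXAMPLE0004", "name": "Default Policy", "status": "ACTIVE", "priority": 4,
   "settings": {"factors": {"okta_email": {"enroll": {"self": "NOT_ALLOWED"}},
                            "okta_sms":   {"enroll": {"self": "OPTIONAL"}}}}},
  {"id": "00pEXAMPLE0005", "name": "No email key", "status": "ACTIVE", "priority": 5,
   "settings": {"factors": {"okta_otp": {"enroll": {"self": "OPTIONAL"}}}}}
]
""")

EMAIL_FACTOR_KEY = "okta_email"  # assumed Policy API key for the Email factor


def email_enrollment(policy):
    """Return the Email factor's enroll.self value, or None if it is not listed."""
    factors = (policy.get("settings") or {}).get("factors") or {}
    return ((factors.get(EMAIL_FACTOR_KEY) or {}).get("enroll") or {}).get("self")


def policies_to_remediate(policies):
    """List policies whose Email factor is Optional, in priority order.

    Other factors set to Optional are ignored; inactive policies are still
    reported, with their status, so the admin can decide how to handle them.
    """
    hits = [p for p in policies if email_enrollment(p) == "OPTIONAL"]
    hits.sort(key=lambda p: p.get("priority", 0))
    return [{"id": p["id"], "name": p["name"], "status": p.get("status")}
            for p in hits]


if __name__ == "__main__":
    for hit in policies_to_remediate(SAMPLE_POLICIES):
        print("{status:<8} {id}  {name}: set Email to Required or Disabled".format(**hit))
```

Each policy the script lists still needs the change from step 2 made in the Admin Console; the script only reads the export.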

NOTE: Additional Okta features may require reconfiguration or be disabled to complete the upgrade.

For more information, see the documentation on Email as an optional authenticator.

 

Refer to the following video for additional details.
