Email Authenticator Set to Optional Blocks Okta Identity Engine Upgrade
Overview
The following reconfiguration has been identified as part of the preparation needed to perform the upgrade to Okta Identity Engine (OIE). The upgrade process is blocked if the Email authenticator’s Factor Enrollment Policy is set to Optional and the Enable optional email enrollment for Okta Identity Engine feature is not enabled.
NOTE: Additional Okta features may require reconfiguration or be disabled in order to complete the upgrade.
What’s new: Once Enable optional email enrollment for Okta Identity Engine is enabled, the feature now offers two per-policy controls that let admins decide, policy by policy, whether email is auto-enrolled for authentication and whether email recovery messages can be sent to unverified addresses.
During Early Access, administrators opt in by enabling the feature. At GA, the controls are available to all orgs automatically.
Applies To
- Org Summary - Email Optional Enrollment
- EMAIL_FACTOR_POLICIES
- Upgrade Eligibility: Customer Configuration Required
After remediation, the eligibility will show the updated information below:
- EMAIL_OPTIONAL_FACTOR_POLCIES
- EMAIL_FACTOR_POLICIES_OPTIONAL
- Upgrade Eligibility: Consent Required
After the upgrade to Okta Identity Engine, email will not be auto-enrolled as an authenticator unless it is required. See the post-upgrade section below for details.
In Okta Classic Engine, the Email factor can be marked as an optional factor.
Cause
The upgrade to Okta Identity Engine (OIE) is blocked because the configuration for the Email authenticator is incompatible. In OIE, setting the Email authenticator to Optional requires the Enable optional email enrollment for Okta Identity Engine feature to be active. Without this feature, the enrollment policy must be set to either Required or Disabled.
Solution
To resolve this upgrade blocker, perform one of the two solutions below.
Option 1: Enable the Feature for Optional Email Enrollment
This option allows the Email factor to remain optional after the upgrade. Once the feature is enabled, it offers two per-policy controls so admins can decide, policy by policy, how email is handled for both authentication and recovery.
- In the Admin Console, go to Settings > Features.
- Locate and enable the feature Enable optional email enrollment for Okta Identity Engine.
- Select Update Eligibility. This transitions the upgrade status to Consent Required.
Per-policy controls offered by the feature
Once the feature is enabled, two new per-policy settings become available. Each is configured independently per policy, so admins can target specific user populations precisely.
- Auto-enroll Email as an Authenticator — configured in each Authenticator Enrollment Policy where the Email factor is set to Optional. Path: Security > Authenticators > Enrollment > edit the policy.
  - When selected: the user’s primary email is auto-enrolled as an authenticator at the next opportunity, using the account profile.
  - When cleared: email is not auto-enrolled. Users may choose to enroll it later, or be enrolled via an activation link.
- Auto-enroll Email for Recovery — configured in the Password Recovery Policy rule. Path: Security > Authenticators > Setup > (next to Password) Actions > Edit > under Rules, edit the rule > under Access Control, enable This Rule (legacy) and Email.
  - When selected: recovery messages can be sent to unverified email addresses (mirrors Okta Classic recovery behavior).
  - When cleared: recovery messages are restricted to verified addresses.
  - NOTE: Secondary email is governed by a separate global control.
Default values applied during upgrade
The defaults are applied per policy during the Classic-to-OIE policy migration so that end-user experience does not change at the moment of upgrade.
- Orgs upgrading from Okta Classic Engine: Auto-enroll Email as an Authenticator defaults to OFF; Auto-enroll Email for Recovery defaults to ON. These defaults preserve Classic-era behavior.
- Orgs already on OIE before the feature became available: existing behavior is preserved when the feature is enabled.
Admins can change either control on any policy at any time after the upgrade.
Self-Service Password Recovery considerations
- Users are required to enroll in at least one recovery authenticator if Self-Service Password Recovery is enabled.
- New users must enroll at least one recovery authenticator. If email is the only authenticator allowed, it is automatically enrolled.
Option 2: Change the Email Factor Enrollment Policy
Use this option if optional email enrollment is not needed or the feature cannot be enabled.
- In the Admin Console, locate the Authenticator Enrollment Policies that use the Email authenticator.
- For each relevant policy, change the setting for the Email factor from Optional to either Required or Disabled.
- After making the change, the Okta Identity Engine upgrade can proceed.
After the upgrade to OIE is complete with this configuration, the Email authenticator enrollment functions as Required, even if it was set to Optional in Classic Engine.
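To find the policies that trigger this blocker before choosing an option, the following added example (not from the article or from Okta) audits exported MFA_ENROLL policy objects offline and reports which ones leave the Email factor Optional, together with the eligibility state the article describes. It assumes policy JSON as returned by GET /api/v1/policies?type=MFA_ENROLL and the field path settings.factors.okta_email.enroll.self (values REQUIRED, OPTIONAL, NOT_ALLOWED); the sample data below is constructed.

```python
import json

# Constructed sample (not real org data) shaped like Classic MFA_ENROLL policy objects.
# Assumed field path for the Email factor: settings.factors.okta_email.enroll.self
SAMPLE_POLICIES_JSON = """[
  {"id": "00pexample1", "name": "Default Policy", "type": "MFA_ENROLL", "status": "ACTIVE",
   "settings": {"factors": {"okta_email": {"enroll": {"self": "OPTIONAL"}},
                            "okta_otp":   {"enroll": {"self": "REQUIRED"}}}}},
  {"id": "00pexample2", "name": "Contractors", "type": "MFA_ENROLL", "status": "ACTIVE",
   "settings": {"factors": {"okta_email": {"enroll": {"self": "REQUIRED"}}}}},
  {"id": "00pexample3", "name": "No email", "type": "MFA_ENROLL", "status": "ACTIVE",
   "settings": {"factors": {"okta_otp": {"enroll": {"self": "OPTIONAL"}}}}}
]"""


def load_policies(text):
    """Parse the JSON array of policy objects (e.g. saved API output)."""
    return json.loads(text)


def email_enrollment(policy):
    """Email factor's self-enrollment setting, or None when email is not in the policy."""
    factors = policy.get("settings", {}).get("factors", {})
    return factors.get("okta_email", {}).get("enroll", {}).get("self")


def find_optional_email_policies(policies):
    """Policies whose Email factor is OPTIONAL. These block the OIE upgrade unless the
    'Enable optional email enrollment for Okta Identity Engine' feature is turned on."""
    return [p for p in policies
            if p.get("type") == "MFA_ENROLL" and email_enrollment(p) == "OPTIONAL"]


def upgrade_eligibility(policies, feature_enabled):
    """Eligibility state for this blocker, as the article describes it, plus the names
    of the policies an admin must either change (Option 2) or cover via the feature (Option 1)."""
    names = [p["name"] for p in find_optional_email_policies(policies)]
    if not names:
        return "Not blocked by this item", names
    if feature_enabled:
        return "Consent Required", names
    return "Customer Configuration Required", names


if __name__ == "__main__":
    status, names = upgrade_eligibility(load_policies(SAMPLE_POLICIES_JSON), feature_enabled=False)
    print(status)  # Customer Configuration Required
    for name in names:
        print(f"  Email is Optional in policy: {name}")
```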
NOTE: Additional Okta features may require reconfiguration or be disabled to complete the upgrade.
For more information, see the documentation on Email as an optional authenticator and Make email optional.