"403 Access Forbidden" Error When Accessing the Okta Admin Console
Last Updated:
Overview
Okta returns a 403 Access Forbidden error when the Admin Console authentication policy requires a multi-factor authentication factor that the user cannot satisfy, or when the user does not meet another policy condition. Enrolling the user in the required factors and reviewing the authentication policy resolves the issue.
The user cannot access the Admin Console and sees the following error:
403 Access Forbidden - You don't have permission to access this page.
Applies To
- Okta Identity Engine (OIE)
- Okta Classic Engine
- Okta
- Admin Console
- Multi-Factor Authentication (MFA)
Cause
Okta blocks access when the Admin Console authentication policy requires a multi-factor authentication factor that the user is not enrolled in, when enrollment was removed, or when the user does not meet another rule condition.
Solution
How is the Okta Admin Console 403 Access Forbidden error resolved?
These steps confirm required factor enrollment in Okta Identity Engine from the End-User Dashboard.
- Sign in to the End-User Dashboard.
- Navigate to Account Settings.
- Authenticate with the necessary required factor, then navigate to Manage security methods.
- Review the Security methods and confirm that the user is enrolled in all factors required by the Okta Admin Console application sign-on policy.
These steps confirm required factor enrollment in Okta Classic Engine from the End-User Dashboard.
- Sign in to the End-User Dashboard.
- Navigate to Account Settings > Edit Profile.
- Enter the password and go to the Extra Verification section.
- Review Extra Verification and confirm that the user is enrolled in all factors required by the Okta Admin Console application sign-on policy.
These steps verify the enrollment policy settings with a different administrator account.
- Sign in to the Okta Admin Console with a different administrator account.
- Go to Security.
- Select Authenticators > Enrollment.
- Review the policy that applies to the administrator group.
- Confirm that the required authentication method is set to Optional or Required so that Okta allows enrollment during the next sign-in attempt.
These steps verify the authentication policy requirements if factor enrollment is already complete.
- Sign in to the Okta Admin Console with a different administrator account.
- Go to Security.
- Navigate to the authentication policy and open the applicable rule.
- Review the rule requirements and confirm that the user meets every condition.
- Confirm that Device management does not block access.
NOTE: If these steps do not resolve the issue, open an Okta Support ticket for further investigation.
