This article discusses best practices for leveraging group membership to bypass Multi-Factor Authentication (MFA) for a set of users.
- Service Accounts or Users that should be exempted from MFA
- Multi-Factor Authentication (MFA)
- Utilizes User Groups
- Okta Identity Engine (OIE)
To create an MFA bypass rule, a group is needed so that the authentication rule can be applied to it. Follow the steps below.
1. Create a group for users who should be exempt from the MFA policy.
2. Assign the users who are required to bypass MFA to that group.
3. Navigate to the Authentication Policy applied to the application for which MFA is being bypassed.
4. Click Add Rule and add a new rule with no MFA requirement by setting "User must authenticate with" to "Password / IdP", then apply it to the group created in Step 1.
5. Ensure this rule is the top-priority rule and sits above the rules that require MFA.
The resulting rule configuration (shown as a screenshot in the original article) reflects these settings.
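As an added example (not code from the original article or from Okta), the script below builds the rule payload that mirrors the console steps above and then audits an app sign-on policy's rule list for the two things a reviewer wants to confirm before a bypass rule goes live: that every single-factor rule is scoped to the approved exemption group only, and that it is ranked above any MFA rule that would otherwise match those users. The rule JSON shape follows Okta's OIE access-policy rule API as I know it (`actions.appSignOn.verificationMethod.factorMode`, `conditions.people.groups.include`); treat those field names as an assumption and check them against your tenant's `GET /api/v1/policies/{policyId}/rules` output. The group id and rule ids are constructed placeholders.

```python
"""Audit an Okta OIE app sign-on (access) policy for a group-scoped MFA bypass rule.

Assumption: field names follow Okta's ACCESS_POLICY rule schema. Sample data
below is constructed to resemble GET /api/v1/policies/{policyId}/rules output.
"""
from copy import deepcopy

BYPASS_GROUP_ID = "00gEXAMPLEbypass"  # constructed placeholder, not a real Okta group id


def build_bypass_rule(name, group_id, priority=1):
    """Payload mirroring the console steps: password only (1FA), scoped to one
    group, top priority. Suitable for POST /api/v1/policies/{policyId}/rules."""
    return {
        "name": name,
        "type": "ACCESS_POLICY",
        "status": "ACTIVE",
        "priority": priority,
        "conditions": {"people": {"groups": {"include": [group_id]}}},
        "actions": {"appSignOn": {
            "access": "ALLOW",
            "verificationMethod": {
                "type": "ASSURANCE",
                "factorMode": "1FA",
                "reauthenticateIn": "PT2H",
                "constraints": [{"knowledge": {"types": ["password"]}}],
            },
        }},
    }


# Constructed sample: bypass rule on top, an "everyone needs MFA" rule, and the
# system catch-all that denies anything not matched above.
SAMPLE_RULES = [
    {**build_bypass_rule("Service accounts - password only", BYPASS_GROUP_ID), "id": "0prBYPASS"},
    {
        "id": "0prMFA", "name": "Everyone - MFA", "type": "ACCESS_POLICY",
        "status": "ACTIVE", "priority": 2,
        "conditions": {"people": {"groups": {"include": []}}},  # no group filter = all users
        "actions": {"appSignOn": {
            "access": "ALLOW",
            "verificationMethod": {
                "type": "ASSURANCE", "factorMode": "2FA",
                "constraints": [{"possession": {"deviceBound": "REQUIRED"}}],
            },
        }},
    },
    {
        "id": "0prCATCH", "name": "Catch-all Rule", "type": "ACCESS_POLICY",
        "status": "ACTIVE", "priority": 99, "system": True,
        "conditions": None,
        "actions": {"appSignOn": {"access": "DENY"}},
    },
]


def included_groups(rule):
    """Group ids a rule is scoped to; empty list means the rule matches everyone."""
    people = (rule.get("conditions") or {}).get("people") or {}
    return list((people.get("groups") or {}).get("include") or [])


def is_single_factor(rule):
    sign_on = (rule.get("actions") or {}).get("appSignOn") or {}
    method = sign_on.get("verificationMethod") or {}
    return sign_on.get("access") == "ALLOW" and method.get("factorMode") == "1FA"


def rule_matches_group(rule, group_id):
    """True if the rule would evaluate for a member of group_id."""
    groups = included_groups(rule)
    return not groups or group_id in groups


def audit_rules(rules, allowed_bypass_groups):
    """Return human-readable findings; an empty list means the bypass is scoped
    and ordered the way the article's steps require."""
    findings = []
    active = [r for r in rules if r.get("status") == "ACTIVE"]
    for rule in filter(is_single_factor, active):
        groups = included_groups(rule)
        if not groups:
            findings.append(f"{rule['name']}: single-factor rule has no group scope (applies to all users)")
            continue
        stray = [g for g in groups if g not in allowed_bypass_groups]
        if stray:
            findings.append(f"{rule['name']}: single-factor rule includes unexpected group(s) {stray}")
        # Any active rule ranked above the bypass that also matches the group wins first.
        shadowing = [r["name"] for r in active
                     if r is not rule and r["priority"] < rule["priority"]
                     and any(rule_matches_group(r, g) for g in groups)]
        if shadowing:
            findings.append(f"{rule['name']}: ranked below {shadowing}; group members hit those rules first")
    return findings


def with_change(rules, rule_id, **fields):
    """Deep-copied rule list with one rule's top-level fields overridden (what-if checks)."""
    copied = deepcopy(rules)
    for r in copied:
        if r["id"] == rule_id:
            r.update(fields)
    return copied


if __name__ == "__main__":
    print("clean config:", audit_rules(SAMPLE_RULES, {BYPASS_GROUP_ID}))
    print("misordered  :", audit_rules(with_change(SAMPLE_RULES, "0prBYPASS", priority=3), {BYPASS_GROUP_ID}))
```

Running `audit_rules` against the rules pulled from the tenant after the change, and again whenever the policy is edited, turns Step 5 ("the bypass rule must be the top priority") into a repeatable check rather than a one-time visual inspection.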
NOTE:
- The user/group is still subject to the enrollment policy: the end user will be asked to enroll in any factor that the enrollment policy marks as required and that applies to the group. Exempting the group fully can therefore require changing the enrollment policy so that those factors are optional or disabled for the group in question.
- In OIE, password policy configurations may require users to enroll in email or security questions. Additionally, users will be given the option to enroll in Phone or Okta Verify even if those authenticators are set to optional or disabled in the enrollment policy. This is important to keep in mind when an organization does not want users to enroll in specific authenticators, even if they would only be used for recovery.
