Exempting specific users, such as service accounts, from Multi-Factor Authentication (MFA) in Okta relies on group membership. To achieve this, create a dedicated user group, assign the exempted users to it, and configure an Authentication Policy rule for that group that requires only a password or Identity Provider (IdP) for authentication.
- Okta Identity Engine (OIE)
- Multi-Factor Authentication (MFA)
- User Groups
- Service Accounts
What are the steps to configure an MFA bypass rule for specific users?
Follow the instructions below for a step-by-step walkthrough of configuring an MFA bypass rule for specific users.
Create a dedicated group for the exempted users, assign the users to the group, and configure a high-priority Authentication Policy rule that only requires a password or Identity Provider (IdP) for authentication.
- Create a group for users who require an exemption from the MFA policy.
- Assign the users who must bypass MFA to the newly created group.
- Navigate to the Authentication Policy applied to the application requiring the MFA bypass.
- Click Add Rule to create a new rule.
- Configure the rule to require no MFA by selecting User must authenticate with Password / IdP.
- Apply the rule to the group created in the first step.
- Ensure this rule has the highest priority and sits above any rules that require MFA.
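A way to check the resulting policy against the steps above, as added example code that is not Okta's: it reads a list of Authentication Policy rules and flags a single-factor rule that is unscoped, targets a group other than the dedicated bypass group, or sits below an MFA rule. The rule field names (priority, conditions.people.groups.include, actions.appSignOn.verificationMethod.factorMode) follow the Okta Policy API shape as assumed here, the sample rules are constructed, and the group IDs are placeholders.

```python
"""Audit an Okta ACCESS_POLICY rule list after adding an MFA-bypass rule.
Example code, not Okta's; field names follow the Okta Policy API rule shape as
assumed here. A lower priority number is evaluated first ("sits above")."""
import copy, json

# Constructed sample policy (placeholder group IDs): bypass rule on top, MFA rule below, catch-all last.
SAMPLE_RULES = json.loads("""[
 {"name": "Service account bypass", "priority": 0, "status": "ACTIVE",
  "conditions": {"people": {"groups": {"include": ["00gPLACEHOLDER_svc_bypass"]}}},
  "actions": {"appSignOn": {"access": "ALLOW", "verificationMethod": {"type": "ASSURANCE",
   "factorMode": "1FA", "constraints": [{"knowledge": {"types": ["password"]}}]}}}},
 {"name": "Require MFA", "priority": 1, "status": "ACTIVE",
  "conditions": {"people": {"groups": {"include": ["00gPLACEHOLDER_everyone"]}}},
  "actions": {"appSignOn": {"access": "ALLOW", "verificationMethod": {"type": "ASSURANCE",
   "factorMode": "2FA"}}}},
 {"name": "Catch-all Rule", "priority": 99, "status": "ACTIVE", "conditions": null,
  "actions": {"appSignOn": {"access": "ALLOW", "verificationMethod": {"type": "ASSURANCE",
   "factorMode": "2FA"}}}}
]""")

def factor_mode(rule):
    """'1FA', '2FA' or None (e.g. a DENY rule has no verification method)."""
    return ((rule.get("actions", {}).get("appSignOn", {}).get("verificationMethod") or {})
            .get("factorMode"))

def included_groups(rule):
    """Group IDs the rule is scoped to; [] means the rule applies to everyone."""
    people = (rule.get("conditions") or {}).get("people") or {}
    return (people.get("groups") or {}).get("include") or []

def audit_bypass_rules(rules, allowed_groups):
    """Findings for every active 1FA rule; [] means the policy matches the steps above."""
    findings, active = [], [r for r in rules if r.get("status") == "ACTIVE"]
    mfa_top = min((r["priority"] for r in active if factor_mode(r) == "2FA"), default=None)
    for r in (r for r in active if factor_mode(r) == "1FA"):
        groups = included_groups(r)
        if not groups:
            findings.append(f"{r['name']}: 1FA rule has no group condition, so it exempts everyone")
        findings += [f"{r['name']}: 1FA rule targets unexpected group {g}"
                     for g in groups if g not in allowed_groups]
        if mfa_top is not None and r["priority"] > mfa_top:
            findings.append(f"{r['name']}: 1FA rule sits below an MFA rule, so MFA is still enforced")
    return findings

def with_priority(rules, name, priority):
    """Copy of rules with one rule's priority changed (used to demonstrate a misordered policy)."""
    out = copy.deepcopy(rules)
    for r in out:
        if r["name"] == name:
            r["priority"] = priority
    return out
```

Run it against the rules returned for the application's policy and treat any non-empty result as a configuration to correct before relying on the exemption.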
The following screenshot shows an example of a completed bypass rule:
NOTE: This rule affects authentication only. The user or group remains subject to the enrollment policy, and Okta prompts the end user to enroll in any factor that the policy requires and that applies to the group. This scenario might require modifying the enrollment policy to make those factors optional or disabled for the specific group.
NOTE: In Okta Identity Engine (OIE), password policy configurations might require users to enroll in email or security questions. Additionally, Okta allows users to enroll in Phone or Okta Verify, even if the enrollment policy lists those factors as optional or disabled. Consider this behavior when an organization requires users to avoid enrolling in specific authenticators, even for recovery purposes.
