<iframe src="https://www.googletagmanager.com/ns.html?id=GTM-M74D8PB" height="0" width="0" style="display:none;visibility:hidden">
Loading
Skip to NavigationSkip to Main Content
System Status
Announcements
Announcements
Search
Search
Select Language
Knowledge Base
Knowledge Articles
Support Videos ↗
Documentation
Product Documentation ↗
Developer Documentation ↗
Product Release Notes ↗
Community
Events & Webinars
Okta Ideas ↗
Resources
Product Hub
Customer Success Hub
Product Release Update
Learning
Okta Learning ↗
Get Support
Open a Case
HomeKnowledge Base
Create Explicit Deny Rules for Okta Sign On for Blocklist
Feb 27, 2026
Administration
Okta Identity Engine
Okta Classic Engine
Network Zones
Overview

This article describes how to create explicit deny rules for signing in to Okta using a defined network zone. It clarifies the process for blocking specific Internet Protocol (IP) addresses or dynamic zones from accessing the environment.

Applies To
  • Network Zone
  • Sign on Rule
  • Global Session Policy
Solution

NOTE: Before proceeding with the following steps, create an account that belongs to a group that the Sign On rule and the defined network zone will not impact. This prevents a possible lockout condition that could affect the administrator creating this rule.

Define the Network Zone

  1. Sign in to the Admin Console.

  2. Go to Security > Networks > Add Zone > IP/Dynamic Zone.

  3. Select all required zones for this blocklist or add the required IP addresses to the list.

  4. Click Save.

Steps for Okta Classic Engine

A. Create Deny Rule for Okta Classic Engine

  1. Sign in to the Admin Console.

  2. Go to Security > Authentication > Sign On.

  3. Click Add New Okta Sign-on Policy.

  4. Populate details, click Create policy, and select Add rule.

  5. When the Add Rule window opens, select In Zone under User's IP.

  6. Enter the name for the zone to be blocked.

  7. Select Denied for Access is.

  8. Click Save.

B. Create Allow Rule for Okta Classic Engine

  1. While on the newly created rule, click Add Rule.

  2. When the Add Rule window opens, select In Zone for a defined allow zone or select Anywhere under User's IP.

  3. Select Allowed for Access is.

  4. Select any other options needed to verify an allowed connection further.

  5. Click Save.

  6. Ensure that this rule resides above all other rules, with the Deny rule listed first.

NOTE: All incoming connection attempts from blocked regions will be denied, while allowed regions will cascade down the rules to have the respective rules applied.

Steps for Okta Identity Engine (OIE)

A. Create Deny Rule for Okta Identity Engine (OIE)

  1. Sign in to the Admin Console.

  2. Go to Security > Global Session Policy.

  3. Click Add Policy.

  4. Populate details, click Create policy, and select Add rule.

  5. When the Edit Rule window opens, select In Zone under User's IP.

  6. Enter the name for the zone to be blocked.

  7. Select Denied for Access is.

  8. Click Save.

NOTE: This rule will deny all connections for the defined zone listed in the rule.

B. Create Allow Rule for Okta Identity Engine (OIE)

  1. While on the newly created rule, click Add Rule.

  2. When the Add Rule window opens, select In Zone for a defined allow zone or select Anywhere under User's IP.

  3. Select Allowed for Access is.

  4. Select any other options needed to verify an allowed connection further.

  5. Click Save.

  6. Ensure that this rule resides above all other rules, with the Deny rule listed first.

NOTE: All incoming connection attempts from blocked regions will be denied, while allowed regions will cascade down the rules to have the respective rules applied.

Related References

Recommended content

Still looking for help?
Loading
Create Explicit Deny Rules for Okta Sign On for Blocklist