Deny User's Access Based on Behavior Conditions
Nov 19, 2025
Multi-Factor Authentication
Okta Identity Engine
Overview
This documentation provides clarification on why admins might be getting the following error when configuring a Global Session Policy Rule:
We found some errors. Please review the form and make corrections.
Applies To
- Okta Identity Engine (OIE)
- Multi-Factor Authentication (MFA)
- Global Session Policy
- Behavior Detection
- Behavior Conditions
Cause
When setting up a Global Session Policy Rule, access to users cannot be denied based on behavior conditions. This limitation helps to prevent legitimate users from being locked out of their accounts. They are only denied access if Multi-Factor Authentication fails.
Solution
The Global Session Policy Rule needs to be reviewed and checked for any behavior detection conditions since it cannot deny access based on them.
Behavior Detection enables admins to configure when users are required to provide a second form of authentication.
To use Behavior Detection, the following information needs to be specified:
- The type of behavior that needs to be tracked.
- Details about the granularity, scope, or number of previous successful authentications to consider when evaluating user behavior.
