Exclude Users From Location-Based Deny Policies in Okta
Overview

To exclude specific users from location-based deny policies, configure a dynamic network zone in Okta without the block access setting enabled, then add a deny rule to the applicable sign-on policies (Global Session Policies in Okta Identity Engine) that matches that zone and explicitly excludes the required users.

Applies To
  • Okta Identity Engine (OIE)
  • Okta Classic Engine
  • Security
  • Network Zones
Solution

How can Administrators add a dynamic zone to block specific countries from accessing the Okta organization?


Create a dynamic network zone to define the countries that require blocking by navigating to the network security settings.

  1. Navigate to the Admin Console.
  2. Go to Security > Networks.
  3. Click Add Zone > Dynamic Zone.
  4. Define the countries that require blocking.

How does the block access setting affect policy evaluation?

The behavior of the dynamic zone depends on whether the block access setting is enabled or disabled.

  • If the Block access from IPs matching conditions listed in this zone checkbox is selected, clients from the blocked countries network zone cannot access any URL for the organization. Okta automatically blocks requests before any policy evaluation occurs, preventing access to the login screen.
  • If the Block access from IPs matching conditions listed in this zone checkbox is cleared, clients from the blocked countries network zone can access the URL for the organization. Okta evaluates the requests based on the policy after the username is entered, allowing access to the login screen.

What are the steps to exclude users from location-based deny policies in Okta Identity Engine (OIE)?

To exclude specific users in Okta Identity Engine, clear the block access checkbox in the dynamic zone and add a deny rule to the applicable Global Session Policies.

  1. Clear the Block access from IPs matching conditions listed in this zone checkbox in the dynamic zone.

(Screenshot: Edit Dynamic Zone)

  2. Add a rule to the top of each applicable Global Session Policy to deny the blocked countries' network zone when Okta first evaluates the policies.
  3. Exclude the required users from this deny rule.

(Screenshot: Rule)

NOTE: While blocked countries can access the login screen using this method, Okta denies access if the username is not excluded from the deny policy. Update the Default Policy, as it applies to everyone, along with any other applicable policies.

What are the steps to exclude users from location-based deny policies in Okta Classic Engine?

To exclude specific users in Okta Classic Engine, clear the block access checkbox in the dynamic zone and create a new sign-on policy with a deny rule.

  1. Clear the Block access from IPs matching conditions listed in this zone checkbox in the dynamic zone.

(Screenshot: Edit Dynamic Zone)

  2. Navigate to Security > Authentication > Sign On.
  3. Click Add New Okta Sign-on Policy.
  4. Enter Block Blocklisted Countries in the policy name field.
  5. Enter a policy description.
  6. Assign the policy to Everyone.
  7. Click Create policy and then click Add rule.
  8. Enter Block blocklisted countries in the rule name field.
  9. Exclude the required users individually, as Okta does not support adding groups for this exclusion.
  10. Select In zone for the If the User's IP is dropdown menu.
  11. Select Blocklisted Countries for the Zone dropdown menu.
  12. Select Denied for the THEN Access is dropdown menu.
  13. Click Create rule.
  14. Drag the rule to the top of the list.
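As an added example (not code from this article or from Okta's own tooling), the script below builds the two objects that the Console procedures above configure by hand, a dynamic country zone and a deny rule with per-user exclusions, and then models offline how the block access setting changes where a request is stopped: before the login screen when the zone itself blocks, or after the username is entered when only the policy rule denies. The zone id, user ids and the country codes XA/XB are constructed placeholders (ISO 3166 user-assigned codes); the payload field names follow Okta's public Network Zones and Policies APIs as understood here (type DYNAMIC, usage BLOCKLIST or POLICY, conditions.network, conditions.people, actions.signon) and should be checked against the current API reference. evaluate_request() is a local simulation of the behaviour the article describes, not Okta's policy engine.

```python
"""Model of the zone and policy behaviour described in the article.

Added example; payload shapes are assumed to match Okta's public Zones and
Policies APIs and evaluate_request() only simulates the article's two cases.
"""


def dynamic_country_zone(name, countries, block_access):
    """Build a dynamic network zone payload for a set of country codes.

    block_access=True corresponds to the checked "Block access from IPs
    matching conditions listed in this zone" box (usage BLOCKLIST): matching
    requests are dropped before any policy runs. False (usage POLICY) makes
    the zone available only as a policy condition.
    """
    return {
        "type": "DYNAMIC",
        "name": name,
        "status": "ACTIVE",
        "usage": "BLOCKLIST" if block_access else "POLICY",
        "locations": [{"country": c, "region": None} for c in countries],
    }


def deny_rule_for_zone(rule_name, zone_id, excluded_user_ids):
    """Build a sign-on policy rule denying sign-in from the zone, except for
    individually excluded users (the article notes groups cannot be excluded)."""
    return {
        "type": "SIGN_ON",
        "name": rule_name,
        "priority": 1,  # top of the list so it is evaluated first
        "conditions": {
            "network": {"connection": "ZONE", "include": [zone_id]},
            "people": {"users": {"exclude": list(excluded_user_ids)}},
        },
        "actions": {"signon": {"access": "DENY"}},
    }


def evaluate_request(zone, zone_id, rules, request_country, user_id):
    """Simulate the outcome for one sign-in attempt.

    Returns:
      "blocked_before_login"  zone usage BLOCKLIST and country in zone; no URL,
                              including the login screen, is reachable
      "denied_by_policy"      login screen shown; deny rule matched after username
      "allowed"               no deny rule matched
    """
    in_zone = any(loc["country"] == request_country for loc in zone["locations"])
    if zone["usage"] == "BLOCKLIST" and in_zone:
        return "blocked_before_login"
    # Zone usage POLICY: Okta shows the login screen and evaluates rules in
    # priority order once the username identifies the user.
    for rule in sorted(rules, key=lambda r: r["priority"]):
        net = rule["conditions"]["network"]
        if net["connection"] != "ZONE" or zone_id not in net["include"] or not in_zone:
            continue
        if user_id in rule["conditions"]["people"]["users"]["exclude"]:
            continue  # excluded user falls through to later rules / default
        if rule["actions"]["signon"]["access"] == "DENY":
            return "denied_by_policy"
    return "allowed"


# Constructed placeholders, not real Okta identifiers.
ZONE_ID = "nzoPLACEHOLDER_ZONE_ID"
TRAVELER = "00uPLACEHOLDER_EXCLUDED_USER"
OTHER_USER = "00uPLACEHOLDER_OTHER_USER"
BLOCKED = ["XA", "XB"]


def demo():
    """Run the article's scenarios and return {scenario: outcome}."""
    hard_block = dynamic_country_zone("Blocklisted Countries", BLOCKED, block_access=True)
    policy_zone = dynamic_country_zone("Blocklisted Countries", BLOCKED, block_access=False)
    rules = [deny_rule_for_zone("Block blocklisted countries", ZONE_ID, [TRAVELER])]
    return {
        "blocklist_zone_in_country": evaluate_request(hard_block, ZONE_ID, rules, "XA", TRAVELER),
        "blocklist_zone_other_country": evaluate_request(hard_block, ZONE_ID, rules, "XC", OTHER_USER),
        "policy_zone_other_user": evaluate_request(policy_zone, ZONE_ID, rules, "XA", OTHER_USER),
        "policy_zone_excluded_user": evaluate_request(policy_zone, ZONE_ID, rules, "XA", TRAVELER),
        "policy_zone_other_country": evaluate_request(policy_zone, ZONE_ID, rules, "XC", OTHER_USER),
    }


if __name__ == "__main__":
    for scenario, outcome in demo().items():
        print(f"{scenario:32} -> {outcome}")
```

The first scenario shows why the checkbox must be cleared for exclusions to work at all: with usage BLOCKLIST even the excluded traveler never reaches the username prompt, so the policy rule's exclusion list is never consulted.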
