This article addresses a situation where at least one Factor Enrollment Policy is set to Do Not Enroll. After an upgrade, the Identity Engine policy can then prevent account activation by blocking password enrollment for accounts created without a password.
NOTE: This situation does not apply to accounts that use inbound federation only, as the federation is the knowledge factor by default.
- FACTOR_ENROLLMENT_POLICY_DO_NOT_ENROLL
- Upgrade Eligibility: Customer Consent Required
- Factor Enrollment Policy set to "Do No Enroll"
- Detected a Factor Enrollment Policy is currently set to “Do No Enroll”. If an account is created without a password, post upgrade the Identity Engine policy can prevent activation, blocking password enrollment.
- Okta Identity Engine (OIE)
In the Classic engine, the password factor was implied to ALWAYS be REQUIRED. When an account was created without a password, the user would be guided through enrollment during the activation flow, regardless of the policy.
In the Identity Engine (OIE), the password can be OPTIONAL, meaning there are no implied required factors or authenticators.
An administrator must perform one of the following options prior to the upgrade:
- Change the rule so that Factor Enrollment is set to Allowed if required authenticators are missing.
- Change the Classic rule to any option other than Do Not Enroll.
- Create the user with a password to fulfill the enrollment requirements.
- Do nothing because inbound federation creates the impacted user accounts.
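To decide which option applies, it helps to list the Do Not Enroll rules and the pending accounts they would affect. The following is an added example, not Okta's own tooling: it audits constructed JSON offline and assumes that exported policy and user data use the field names `type`, `status`, `actions.enroll.self` (with `NEVER` standing for Do Not Enroll) and `credentials.provider.type`, and that each policy carries its rules under a `rules` key.

```python
# Added example: offline audit over constructed, Okta API-style JSON.
# Assumed field names: type, status, actions.enroll.self, credentials.provider.type.
# Assumed input shape: each policy carries its rules under a "rules" key.

def do_not_enroll_rules(policies):
    """Return (policy, rule) names for active MFA_ENROLL rules set to NEVER."""
    hits = []
    for policy in policies:
        if policy.get("type") != "MFA_ENROLL" or policy.get("status") != "ACTIVE":
            continue
        for rule in policy.get("rules", []):
            enroll = rule.get("actions", {}).get("enroll", {}).get("self")
            if rule.get("status") == "ACTIVE" and enroll == "NEVER":
                hits.append((policy["name"], rule["name"]))
    return hits

def at_risk_users(users):
    """Return logins of pending users with no password and no inbound federation."""
    risky = []
    for user in users:
        creds = user.get("credentials", {})
        federated = creds.get("provider", {}).get("type") == "FEDERATION"
        pending = user.get("status") in ("STAGED", "PROVISIONED")
        if pending and "password" not in creds and not federated:
            risky.append(user["profile"]["login"])
    return risky

def audit(policies, users):
    """Users are only at risk when at least one Do Not Enroll rule exists."""
    rules = do_not_enroll_rules(policies)
    return {"rules": rules, "users": at_risk_users(users) if rules else []}

def _policy(name, status, rule_name, enroll):  # builds constructed sample data
    rule = {"name": rule_name, "status": "ACTIVE", "actions": {"enroll": {"self": enroll}}}
    return {"name": name, "type": "MFA_ENROLL", "status": status, "rules": [rule]}

def _user(login, status, provider, has_password):  # builds constructed sample data
    creds = {"provider": {"type": provider}}
    if has_password:
        creds["password"] = {}
    return {"status": status, "profile": {"login": login}, "credentials": creds}

SAMPLE_POLICIES = [_policy("Default Policy", "ACTIVE", "Default Rule", "NEVER"),
                   _policy("Contractors", "ACTIVE", "Contractor Rule", "CHALLENGE"),
                   _policy("Old Policy", "INACTIVE", "Old Rule", "NEVER")]
SAMPLE_USERS = [_user("alice@example.com", "STAGED", "OKTA", False),
                _user("bob@example.com", "PROVISIONED", "OKTA", True),
                _user("carol@example.com", "STAGED", "FEDERATION", False),
                _user("dave@example.com", "ACTIVE", "OKTA", False)]

if __name__ == "__main__":
    print(audit(SAMPLE_POLICIES, SAMPLE_USERS))
```
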
