<iframe src="https://www.googletagmanager.com/ns.html?id=GTM-M74D8PB" height="0" width="0" style="display:none;visibility:hidden">
Loading
Skip to NavigationSkip to Main Content
System Status
Announcements
Announcements
Search
Search
Select Language
Knowledge Base
Knowledge Articles
Support Videos ↗
Documentation
Product Documentation ↗
Developer Documentation ↗
Product Release Notes ↗
Community
Events & Webinars
Okta Ideas ↗
Resources
Product Hub
Customer Success Hub
Product Release Update
Learning
Okta Learning ↗
Get Support
Open a Case
HomeKnowledge Base
Global Session Policy Rule Set on Deny and Has Behavior or Risk Score as Selected
Nov 10, 2025
Administration
Okta Classic Engine
Okta Identity Engine
Overview

This article provides information regarding the limitations of the Global Session Policy Rule when "AND Behavior is" or "AND Risk is" is configured and "THEN Access" is set to "Denied".

Applies To
  • Global Session Policy
Cause

"AND Behavior is" or "AND Risk is" is configured, and "THEN Access" is set to "Denied".

Solution

The global session policy cannot be used to deny access to users based on behavior or risk conditions.

Users are only denied access if Multi-Factor Authentication fails.

This limitation helps to prevent legitimate users from being locked out of their accounts.

Recommended content

Still looking for help?
Loading
Global Session Policy Rule Set on Deny and Has Behavior or Risk Score as Selected