<iframe src="https://www.googletagmanager.com/ns.html?id=GTM-M74D8PB" height="0" width="0" style="display:none;visibility:hidden">
Loading
Skip to NavigationSkip to Main Content
System Status
Announcements
Announcements
Search
Search
Select Language
Knowledge Base
Knowledge Articles
Support Videos ↗
Documentation
Product Documentation ↗
Developer Documentation ↗
Product Release Notes ↗
Community
Events & Webinars
Okta Ideas ↗
Resources
Product Hub
Customer Success Hub
Product Release Update
Learning
Okta Learning ↗
Get Support
Open a Case
HomeKnowledge Base
Create Explicit Allow Rules for Okta Sign On for Allowlist
Feb 27, 2026
Administration
Okta Classic Engine
Okta Identity Engine
Network Zones
Overview

This article clarifies the process for creating explicit allow rules, or an allowlist, for signing on to Okta using a defined network zone. The configuration ensures that login attempts are only permitted from specific zones when the IP addresses to be blocked are unknown.

Applies To
  • Network Zone
  • Sign on Rule
  • Global Session Policy
Solution

NOTE: Before proceeding with the following steps, create an account belonging to a group that the Sign On rule and defined network zone will not impact. This prevents a possible lockout condition that could affect the administrator creating this rule.

Define the Network Zone

  1. Sign in to the Admin Console.

  2. Go to Security > Networks > Add Zone > IP/Dynamic Zone.

  3. Select all required zones for this blocklist or add the required IP addresses to the list.

  4. Click Save.

Steps for Okta Classic Engine

A. Create a Deny Rule

  1. Sign in to the Admin Console.

  2. Go to Security > Authentication > Sign On.

  3. Click Add New Okta Sign-on Policy.

  4. Enter the policy details, click Create Policy and Add Rule.

  5. In the Add Rule window, under User's IP is, select Anywhere.

  6. Enter the name for the zone to be blocked.

  7. For Access is, select Denied.

  8. Click Save.

NOTE: This rule will Deny all connections for anyone from this group accessing the tenant.

B. Create an Allow Rule

  1. Click Add Rule within the newly created policy.

  2. In the Add Rule window, under User's IP is, select In Zone and choose the defined allow zone.

  3. For Access is, select Allowed.

  4. Select any additional options required to verify the connection.

  5. Click Save.

  6. Ensure this allow rule is ranked above the deny rule.

NOTE: All incoming connection attempts will be evaluated based on the Group membership of the user and if the IP matches the defined IP, access will be allowed, however if the IP does not match, the logic will cascade down to the deny rule. 

Steps for Okta Identity Engine (OIE)

A. Create a Deny Rule

  1. Sign in to the Admin Console.

  2. Go to Security > Global Session Policy.

  3. Click Add Policy.

  4. Enter the details, click Create Policy and Add Rule.

  5. In the Edit Rule window, under User's IP is, select Anywhere.

  6. Enter the name for the zone to be blocked.

  7. For Access is, select Denied.

  8. Click Save.

NOTE: This rule will Deny all connections for anyone from this group accessing the tenant.

B. Create an Allow Rule

  1. Click Add Rule within the newly created policy.

  2. In the Add Rule window, under User's IP is, select In Zone and choose the defined allow zone.

  3. For Access is, select Allowed.

  4. Select any additional options required to verify the connection.

  5. Click Save.

  6. Ensure this allow rule is ranked above the deny rule.

NOTE: All incoming connection attempts will be evaluated based on the Group membership of the user and if the IP matches the defined IP, access will be allowed, however if the IP does not match, the logic will cascade down to the deny rule. 

Related References

Recommended content

Still looking for help?
Loading
Create Explicit Allow Rules for Okta Sign On for Allowlist