Missing Enrolled Factors in Okta MFA API Response
Okta Identity Engine
Multi-Factor Authentication
Overview

This article explains why certain enrolled Multi-Factor Authentication (MFA) factors do not appear in the response to an API call, even when they are visible in the user profile in the Admin Console.

 

The issue occurs when performing the following GET request to retrieve a list of factors for a specific user:

{{url}}/api/v1/users/{{userId}}/factors

While the user appears to be enrolled in factors like phone, call, or SMS in the MFA Report or the Reset Authenticators menu, these factors are missing from the API output.

Applies To
  • MFA API
  • Multi-Factor Authentication (MFA)
  • Enrollment Policies
  • Okta Identity Engine (OIE)
Cause

The factors are missing from the API response because the enrollment policy was changed after the user enrolled. If a factor is currently disabled in the active enrollment policy, the API does not return it in the list of enrolled factors, even if the user has a legacy enrollment.

Solution

To resolve this issue, verify and update the enrollment policy settings:

  1. Sign in to the Okta Admin Console.
  2. Go to Security > Authenticators > Enrollment policy.
  3. Locate the enrollment policy applied to the affected user.
  4. Check if the missing factors are set to Disabled.
  5. To make the factors visible in the API response, change the factor requirement to Optional or Required.
  6. Select Save to apply the changes.
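
To find which users are affected, the factor types shown in the MFA Report can be compared with what the factors endpoint returns. This is an added example, not Okta's code: the function names, user IDs and sample data are constructed, and the `SSWS` header assumes an API token that can read users.

```python
import json
import urllib.request


def fetch_factors(base_url, user_id, api_token):
    """Call GET {base_url}/api/v1/users/{user_id}/factors; return the JSON list."""
    req = urllib.request.Request(
        f"{base_url}/api/v1/users/{user_id}/factors",
        headers={"Accept": "application/json",
                 "Authorization": f"SSWS {api_token}"},
    )
    with urllib.request.urlopen(req, timeout=10) as resp:
        return json.load(resp)


def hidden_enrollments(reported, fetch):
    """Map each user to factor types the report shows but the API omits.

    reported: {user_id: [factorType, ...]} transcribed from the MFA Report.
    fetch:    callable(user_id) -> list of factor objects from the API.
    """
    findings = {}
    for user_id, expected in reported.items():
        returned = {f.get("factorType") for f in fetch(user_id)}
        missing = sorted(set(expected) - returned)
        if missing:
            findings[user_id] = missing
    return findings


# Constructed sample data: what the MFA Report shows per user ...
SAMPLE_REPORT = {
    "00u-constructed-1": ["sms", "call", "push"],
    "00u-constructed-2": ["push"],
}
# ... and what the factors endpoint returns for the same users.
SAMPLE_API = {
    "00u-constructed-1": [{"factorType": "push", "provider": "OKTA", "status": "ACTIVE"}],
    "00u-constructed-2": [{"factorType": "push", "provider": "OKTA", "status": "ACTIVE"}],
}

if __name__ == "__main__":
    # Offline run against the constructed data; for a live tenant pass
    # lambda uid: fetch_factors(base_url, uid, api_token) instead.
    print(hidden_enrollments(SAMPLE_REPORT, SAMPLE_API.__getitem__))
```

Users listed in the result are candidates for the cause described above: an enrollment that still exists for a factor the active enrollment policy has set to Disabled, which an inventory built only on the API output would not count.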