This article shows how to set up multifactor enrollment policies and rules in the Okta Identity Engine (OIE) to control which authenticators users can enroll in and use when accessing Okta or a specific application.
- Okta Identity Engine (OIE)
- Enrollment Policy
- Authenticators
Okta provides the option to set up enrollment policies that can determine the factors a user can use when accessing Okta or a specific application.
Follow the steps below to create a new enrollment policy.
- In the Admin Console, go to Security > Authenticators.
- Click the Enrollment tab.
- To create a policy, click Add a policy to open the Add Policy page.
- Policy name: Enter a descriptive policy name.
- Policy description: Describe the elements of the policy.
- Assign to groups: Enter a predefined group. When text is entered, the group name will auto-complete.
- Eligible authenticators: The authenticators set up under the Setup tab appear here. Use the dropdown menu to define whether the option is Required, Optional, or Disabled for that group. When an authenticator is disabled in a policy, end users cannot select that authenticator when signing in, regardless of whether they were enrolled in that authenticator before.
- Click Create Policy to complete the process.
The administrator has the option to select a factor to be:
- Required: The user must enroll with that factor when that policy is triggered.
- Optional: The user is allowed to enroll in that factor when the policy has been triggered.
- Disabled: The user is not allowed to enroll in that factor when that policy is triggered.
NOTE: The enrollment policy also dictates which factors a user is allowed to use when authenticating.
Disabled is not available for authenticators if another policy requires them.
When setting an enrollment policy rule, the administrator can exclude users from that rule, specify the network zone to which the rule applies, specify the scenario in which the rule applies, and choose whether enrollment is allowed or denied.
They can select the rule to be triggered when accessing Okta, any application, or specific applications.
A policy is triggered only if one of the rules of that policy is triggered.
This is commonly used when an administrator wishes to use a specific factor when a user accesses a specific application.
NOTE: The enrollment policy is evaluated every time a user must provide an authenticator during the authentication process, and it applies in addition to the restrictions of the authentication policy rules.
If the enrollment policy does not allow the user to use any factor that can satisfy the authentication policy rule, the System Log shows the following error, and the user cannot access Okta or that specific application:
Access has been denied because the policy requirements could not be satisfied by the users' current set of available authenticator enrollments
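The following Python model, added to this article and not Okta's code or API, walks through the evaluation described above: a policy is triggered only when the user is in one of its assigned groups and one of its rules fires (app scope, network zone, excluded users), a Disabled authenticator cannot be used even if the user enrolled in it earlier, Disabled is rejected when another policy Requires the same authenticator, and access is denied with the System Log message above when nothing the enrollment policy permits can satisfy the authentication policy. The class names, the REQUIRED/OPTIONAL/DISABLED strings, the sample tenant and the `auth_policy_accepts` input are assumptions chosen to mirror the Admin Console options, not Okta identifiers.

```python
"""Model of how an OIE authenticator enrollment policy is selected and then
combined with an authentication policy. Added illustration only: not Okta's
code and not the Okta API; names and structures are assumptions."""
from dataclasses import dataclass, replace
from typing import Optional

REQUIRED, OPTIONAL, DISABLED = "REQUIRED", "OPTIONAL", "DISABLED"

# System Log text quoted from the article for the deny outcome.
DENY_MESSAGE = ("Access has been denied because the policy requirements could "
                "not be satisfied by the users' current set of available "
                "authenticator enrollments")


@dataclass(frozen=True)
class EnrollmentRule:
    name: str
    apps: Optional[frozenset] = None     # None: applies to Okta and any app
    zones: Optional[frozenset] = None    # None: applies from any network zone
    excluded_users: frozenset = frozenset()
    allow_enrollment: bool = True        # the rule's allow / deny action

    def triggers(self, user, app, zone):
        """Rule fires unless the user is excluded or app/zone is out of scope."""
        if user in self.excluded_users:
            return False
        if self.apps is not None and app not in self.apps:
            return False
        return self.zones is None or zone in self.zones


@dataclass(frozen=True)
class EnrollmentPolicy:
    name: str
    groups: frozenset
    authenticators: dict   # authenticator key -> REQUIRED / OPTIONAL / DISABLED
    rules: tuple           # evaluated in order; first triggered rule wins


def select_policy(policies, user, user_groups, app, zone):
    """Walk policies in priority order; a policy is triggered only if the user
    is in one of its groups AND one of its rules triggers for this request."""
    for policy in policies:
        if not (set(user_groups) & set(policy.groups)):
            continue
        for rule in policy.rules:
            if rule.triggers(user, app, zone):
                return policy, rule
    return None, None


def check_disabled_conflicts(policies):
    """Disabled is not available if another policy requires the authenticator.
    Returns (policy, authenticator, requiring policy) triples that violate it."""
    conflicts = []
    for p in policies:
        for key, setting in p.authenticators.items():
            if setting == DISABLED:
                for other in policies:
                    if other is not p and other.authenticators.get(key) == REQUIRED:
                        conflicts.append((p.name, key, other.name))
    return conflicts


def evaluate(policies, user, user_groups, app, zone, enrolled, auth_policy_accepts):
    """auth_policy_accepts: authenticator keys that satisfy the authentication
    policy rule for `app` (assumed input). The enrollment policy is applied on
    top of it; the user passes only if some permitted authenticator is in it."""
    policy, rule = select_policy(policies, user, user_groups, app, zone)
    if policy is None:
        return {"allowed": False, "policy": None, "satisfying": set(),
                "must_enroll": set(), "log": "no enrollment policy triggered"}
    settings = policy.authenticators
    # Enrolled authenticators stay usable unless the policy disables them;
    # a disabled one is blocked even if the user enrolled in it before.
    candidates = {a for a in enrolled if settings.get(a, DISABLED) != DISABLED}
    must_enroll = set()
    if rule.allow_enrollment:
        # Assumed model of the sign-in prompt: missing Required authenticators
        # are enrolled on the spot and Optional ones may be enrolled on demand,
        # so every non-disabled authenticator can end up satisfying the rule.
        must_enroll = {a for a, s in settings.items() if s == REQUIRED and a not in enrolled}
        candidates |= {a for a, s in settings.items() if s != DISABLED}
    satisfying = candidates & set(auth_policy_accepts)
    return {"allowed": bool(satisfying), "policy": policy.name, "rule": rule.name,
            "satisfying": satisfying, "must_enroll": must_enroll,
            "log": None if satisfying else DENY_MESSAGE}


# Constructed sample tenant (not real Okta data).
FINANCE = EnrollmentPolicy("Finance MFA", frozenset({"Finance"}),
    {"password": REQUIRED, "okta_verify": REQUIRED, "phone_number": DISABLED},
    (EnrollmentRule("Finance app", apps=frozenset({"netsuite"}), zones=frozenset({"corporate"})),))
STRICT = replace(FINANCE, authenticators={"password": REQUIRED, "okta_verify": DISABLED,
                                          "phone_number": DISABLED})
DEFAULT = EnrollmentPolicy("Default Policy", frozenset({"Everyone"}),
    {"password": REQUIRED, "okta_verify": OPTIONAL, "phone_number": OPTIONAL},
    (EnrollmentRule("Catch-all"),))
CALL_CENTER = EnrollmentPolicy("Call Center", frozenset({"Support"}),
    {"password": REQUIRED, "phone_number": REQUIRED}, (EnrollmentRule("Catch-all"),))
ALICE = dict(user="alice", user_groups={"Everyone", "Finance"}, enrolled={"password", "phone_number"})
ANY_MFA = {"okta_verify", "phone_number"}   # what the app's authentication policy accepts

if __name__ == "__main__":
    for pol, zone in (((FINANCE, DEFAULT), "corporate"), ((FINANCE, DEFAULT), "public"),
                      ((STRICT, DEFAULT), "corporate")):
        print(zone, evaluate(pol, app="netsuite", zone=zone, auth_policy_accepts=ANY_MFA, **ALICE))
    print(check_disabled_conflicts((FINANCE, CALL_CENTER)))
```

Running it shows the three outcomes the article describes: from the corporate zone the Finance policy fires and Alice must enroll Okta Verify before she can satisfy the app's MFA requirement, from a public network the Finance rule does not trigger and evaluation falls through to the default policy where her phone enrollment is still usable, and with the stricter policy every MFA authenticator is disabled so the evaluation ends in the System Log error. The conflict check reproduces the Admin Console restriction that Finance cannot disable the phone authenticator while another policy requires it.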
