This article explains the behavior and usage of the Okta account management authentication policy. This is another layer of security that can be enforced in Okta Identity Engine (OIE). It controls the Multi-Factor Authentication (MFA) enrollment policy rules.
- Multi-Factor Authentication (MFA)
- Okta Identity Engine (OIE)
- Administration
If an end-user account does not meet the Okta account management policy requirements for MFA factors, enrollment will be denied.
Similar to all other policies configured in the Okta tenant, this policy will evaluate the end-user account based on its policy priority and the requirements listed in the policy (for example, group membership, network zone, device platform, risk scoring).
To avoid issues, please ensure that end users meet the Okta account management policy requirements. Otherwise, the enrollment action will be denied.
- An Okta administrator can verify which end-user enrollments were evaluated by a specific Okta account management policy by navigating to Okta Admin Console > Reports > System Logs and using the search query below:
displayMessage eq "Evaluation of Okta Account Management Policy"
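The same search can be run against the System Log API to list which users had enrollment denied. The script below is an added example, not part of the original article: the org URL, token handling, and sample events are constructed, and it assumes a denied evaluation is recorded with an `outcome.result` of `DENY`.

```python
import json
from collections import defaultdict
from urllib.parse import urlencode
from urllib.request import Request, urlopen

# Search query taken verbatim from the article.
FILTER = 'displayMessage eq "Evaluation of Okta Account Management Policy"'

def build_logs_url(org_url, since):
    """Build the System Log API URL (/api/v1/logs) for the article's query."""
    query = urlencode({"filter": FILTER, "since": since, "limit": 200})
    return f"{org_url.rstrip('/')}/api/v1/logs?{query}"

def fetch_events(org_url, api_token, since):
    """Fetch one page of events; needs network access and an Okta API token."""
    req = Request(build_logs_url(org_url, since),
                  headers={"Authorization": f"SSWS {api_token}",
                           "Accept": "application/json"})
    with urlopen(req, timeout=30) as resp:
        return json.load(resp)

def denied_by_user(events):
    """Map each user to the timestamps of evaluations that ended in DENY."""
    denied = defaultdict(list)
    for ev in events:
        # Assumption: a denied enrollment shows up as outcome.result == "DENY".
        if (ev.get("outcome") or {}).get("result") == "DENY":
            user = (ev.get("actor") or {}).get("alternateId", "unknown")
            denied[user].append(ev.get("published"))
    return dict(denied)

# Constructed sample events, trimmed to the fields used above.
SAMPLE_EVENTS = [
    {"published": "2024-05-01T09:12:44.000Z",
     "actor": {"alternateId": "alice@example.com"}, "outcome": {"result": "ALLOW"}},
    {"published": "2024-05-01T09:15:02.000Z",
     "actor": {"alternateId": "bob@example.com"}, "outcome": {"result": "DENY"}},
    {"published": "2024-05-01T09:16:40.000Z",
     "actor": {"alternateId": "bob@example.com"}, "outcome": {"result": "DENY"}},
]

if __name__ == "__main__":
    print(build_logs_url("https://example.okta.com", "2024-05-01T00:00:00Z"))
    for user, times in denied_by_user(SAMPLE_EVENTS).items():
        print(f"{user}: {len(times)} denied evaluation(s) at {times}")
```

Repeated denials for the same user usually mean the account does not match the rule conditions (group membership, network zone, device platform, risk) of the policy that was evaluated.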
To check the configuration of the Okta account management authentication policy, navigate to Okta Admin Console > Security > Authentication policies. The Okta account management policy will be displayed on the right side of the App sign-in policy.
