This article will provide a general-purpose checklist for Okta administrators attempting to troubleshoot why various policies in the Okta Admin Dashboard are not being evaluated as expected.

• Authentication Policies

Checklist:

• User(s) are in the Group to which the policy applies.
• The Group applied to the policy is the intended one (confirm no similarly-named group is applied).
• User(s) assigned to the Application (if related to an Application Sign-On Policy).
• Policy Rules are in the correct priority order.
• Policy Rules do not inadvertently exclude the User(s) via:
  • Identity Provider (IdP)
  • Network Zones
  • Behavior
  • Risk
  • Device posture
  • Custom Expression
• User(s) or Group(s) are permitted to use the required authenticators per the Authenticator Enrollment Policy.

NOTE: If using Office 365 legacy authentication, be aware that it does not allow Multi-Factor Authentication (MFA), only a password.