Okta Policy Evaluation Checklist
Last Updated:
Overview
When Okta policies fail to evaluate as expected, group memberships, rule priorities, and exclusion criteria require verification. The issue typically occurs when users are inadvertently excluded by network zones, behaviors, or incorrect group assignments. Reviewing the policy configuration and authenticator enrollment settings resolves the evaluation failure.
Applies To
- Okta Identity Engine (OIE)
- Okta Classic Engine
- Authentication Policies
Cause
Policy evaluation failures occur when users are missing from the assigned groups, policy rules are ordered incorrectly, or users are inadvertently excluded by specific rule conditions such as network zones or device posture.
Solution
How are Okta policy evaluation failures resolved?
Verify the policy configuration, group assignments, and rule priorities by reviewing the following checklist items.
- Verify that the users are in the group to which the policy applies.
- Confirm that the group applied to the policy is the intended one and that no similarly named group is applied.
- Ensure that the users are assigned to the application if the issue is related to an application sign-on policy.
- Verify that the policy rules are in the correct priority order.
- Check that the policy rules do not inadvertently exclude the users via the Identity Provider (IdP), network zones, behavior, risk, device posture, or custom expression.
- Confirm that the users or groups are permitted to use the required authenticators per the authenticator enrollment policy.
NOTE: Office 365 legacy authentication does not allow Multi-Factor Authentication (MFA) and only accepts a password.
