When calling /api/v1/users/userID/factors in a workflow, not all of the Multi-Factor Authentication (MFA) enrollments for that user are presented in the response. Running the same API call in Postman for comparison returns different results.
- Okta Workflows
- API clients (such as Postman)
- Factors API
- Okta Identity Engine (OIE)
- Factors API requests are evaluated against the MFA enrollment policies.
- Items like the MFA factor being disabled in an enrollment policy and a network zone condition can cause different results. This is because the client IP address of Workflows differs from that of Postman, which causes a different MFA enrollment policy to be evaluated if a network zone is configured.
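To see exactly which enrollments the policy evaluation dropped, the Factors API response captured in the workflow can be diffed against the one returned to Postman. The following is an added example, not Okta's code: the function names `list_factors` and `compare_factor_views` are hypothetical, and the two sample responses are constructed with placeholder ids.

```python
import json
import urllib.request

def list_factors(okta_domain, user_id, auth_header):
    """Call the Factors API. auth_header is 'SSWS <api token>' or 'Bearer <OAuth token>'."""
    req = urllib.request.Request(
        f"https://{okta_domain}/api/v1/users/{user_id}/factors",
        headers={"Accept": "application/json", "Authorization": auth_header},
    )
    with urllib.request.urlopen(req, timeout=10) as resp:
        return json.load(resp)

def _label(factor):
    # Human-readable identity of a factor, tolerant of missing fields.
    return (factor.get("factorType") or "", factor.get("provider") or "")

def compare_factor_views(workflows_view, reference_view):
    """Diff two Factors API responses for the same user, keyed by factor id."""
    wf = {f["id"]: f for f in workflows_view}
    ref = {f["id"]: f for f in reference_view}
    return {
        "missing_in_workflows": sorted(_label(ref[i]) for i in ref.keys() - wf.keys()),
        "missing_in_reference": sorted(_label(wf[i]) for i in wf.keys() - ref.keys()),
        "status_differs": sorted(
            i for i in wf.keys() & ref.keys()
            if wf[i].get("status") != ref[i].get("status")
        ),
    }

# Constructed sample responses (ids are placeholders, not real Okta ids).
POSTMAN_VIEW = [
    {"id": "factor-id-1", "factorType": "push", "provider": "OKTA", "status": "ACTIVE"},
    {"id": "factor-id-2", "factorType": "token:software:totp", "provider": "GOOGLE", "status": "ACTIVE"},
    {"id": "factor-id-3", "factorType": "sms", "provider": "OKTA", "status": "ACTIVE"},
]
WORKFLOWS_VIEW = [
    {"id": "factor-id-1", "factorType": "push", "provider": "OKTA", "status": "ACTIVE"},
]

if __name__ == "__main__":
    report = compare_factor_views(WORKFLOWS_VIEW, POSTMAN_VIEW)
    for name, items in report.items():
        print(name, items)
```

Factors listed under `missing_in_workflows` are the ones to check against the enrollment policy and network zone that match the Workflows client IP address.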
Please check whether the API option described in the List all authenticator enrollments documentation is used. It is recommended to use this call (OIE orgs only; Classic orgs still need to use the Factors endpoint):
https://{OktaDomainName}/api/v1/users/{userId}/authenticator-enrollments
As part of this new API endpoint, the following scopes need to be granted in the Okta Workflows OAuth app. The Okta connection also needs to be re-authorized, with permissions switched from Default to Custom and the scopes added manually:
- okta.authenticators.manage
- okta.authenticators.manage.self
- okta.authenticators.read
If the above call is used and the response still does not present all of the MFA enrollments for that user, please contact Okta support.
