
r42cz (r42cz) asked a question.
I am only able to search for and add specific users when attempting to edit an MFA policy rule. I'd like to be able to exclude by group. Is this possible?
The use case is that I'd like to have an MFA policy apply to all users, except those accounts which are newly created when they are used to log in from an IP range. I'm able to populate an AD group based on creation date, but I see MFA policy only applied to a single group, and the rules allow exemption of named users.

So I haven't tested this, but what if you set up a sign-on policy that applies to the group you want to exclude for MFA, but the rule does not enforce MFA and is at a higher priority than your main MFA policy that applies to Everyone?
https://help.okta.com/en/prod/Content/Topics/Security/Security_Policies.htm
“If “Everyone” were on top, special conditions would not apply and a policy evaluation would be unnecessary. If multiple rules are present and the conditions of the first rule are not satisfied, Okta skips this rule and evaluates the following one.”
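The priority ordering suggested in the answer above, as an added example that is not part of the original thread and does not use Okta's API. It is a simplified model of first-match evaluation; the group name `new-accounts`, the `203.0.113.0/24` range, and the fall-through to the next policy when no rule in a policy matches are assumptions made for illustration.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

@dataclass
class Rule:
    name: str
    require_mfa: bool
    network: Optional[str] = None  # CIDR range; None matches any source IP

    def matches(self, ip: str) -> bool:
        return self.network is None or (
            ipaddress.ip_address(ip) in ipaddress.ip_network(self.network))

@dataclass
class Policy:
    name: str
    group: str   # "Everyone" applies to all users
    rules: list  # ordered list of Rule, highest priority first

def evaluate(policies, user_groups, ip):
    """Return (policy name, rule) for the first match, in priority order."""
    for p in policies:
        if p.group != "Everyone" and p.group not in user_groups:
            continue  # policy is not assigned to this user
        for r in p.rules:
            if r.matches(ip):
                return p.name, r
    return None, None

def mfa_required(policies, user_groups, ip):
    _, rule = evaluate(policies, user_groups, ip)
    return True if rule is None else rule.require_mfa  # no match: fail closed

def shadowed(policies):
    """Policies placed below an 'Everyone' catch-all, so they never apply."""
    out, blocked = [], False
    for p in policies:
        if blocked:
            out.append(p.name)
        if p.group == "Everyone" and any(r.network is None for r in p.rules):
            blocked = True
    return out

# Constructed sample policies (hypothetical names and range)
EXEMPT = Policy("New accounts", "new-accounts",
                [Rule("Trusted range, no MFA", False, "203.0.113.0/24")])
DEFAULT = Policy("Default MFA", "Everyone", [Rule("Always MFA", True)])
GOOD = [EXEMPT, DEFAULT]  # exemption above Everyone, as the answer suggests
BAD = [DEFAULT, EXEMPT]   # Everyone on top: the exemption is unreachable
```

Running `shadowed()` over an exported policy order is a quick way to spot an exemption that was placed below the Everyone policy and therefore never takes effect.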