
TimO.56478 (Customer) asked a question.
We have two authentication sign on rules.
All application rules are default settings. (anywhere/any client)
O365 Federated with Okta.
The default sign-on rule allows pass through authentication via IWA inside the gateway (no MFA) but blocks access outside the gateway.
2nd sign-on rule allows group members to authenticate outside the gateway with MFA enforced, which uses Okta Verify.
When a user gets a new mobile device we receive a quarantine notification in O365 and once we clear that device there is no further check.
When using a modern auth app/requirement, users are required to use Okta Verify for MFA and, as long as they are in the group, it works properly, but it also allows them to access their Okta page and all other apps on that page, when all we want them to access is email. It also requires us to put them in/take them out of the group whenever their OAuth token expires.
We also have a SAML enabled app (Jive for telephony) that has the same requirement in that we must move people in/out of the group for them to authenticate on their phones.
I'm hoping there is a better way to accomplish this, that we have missed something. Having everyone always in the group that allows outside gateway access is, unfortunately, not an option.

You could create multiple sign-on policies in the O365 apps, stating that if the platform is iOS/Android and not in zone or in zone, MFA is enforced or not enforced. Keep in mind that you can assign sign-on policies to each app in addition to the org. Is this what you were looking for?
Thank you for the suggestion. Unfortunately, the org sign-on rules seem to take precedence over the app rules. I did also submit this to Okta support and they indicated that what we were wanting to do (limit mobile access outside the gateway to email only) wasn't possible. Once we put them in the outside gateway group (org sign-on policy) they can access any/all applications on their Okta dashboard.
If they are not in that group, the app specific sign-on policy for outside the gateway does not work - they are denied.
It sounds like you just need to remove the MFA policy for external at the global level. Just place it at the app level for those apps you want external to access and MFA. Then you'll need to create app access policies to block all external access. Users externally will be able to log in to the dashboard, but will error on blocked apps. Kind of messy when you have a good number of apps though.
Very messy and problematic to maintain with over 50 company-sponsored sites. Throw in that we let users create/add their own logins to sites that we cannot restrict this way and it is untenable, but I appreciate the input. We did consider it.
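As an added illustration, not part of the thread and not Okta's own code or API: a small Python model of the evaluation order the replies describe (org sign-on policy first, an org deny is final, the app's own sign-on policy is only reached once the org policy has allowed the session). It runs the original poster's org-level configuration and the app-level configuration suggested in the replies against the same mobile-outside-the-gateway user, and shows both effects discussed: with the org-level group rule the user reaches every app, and with the app-level approach every app that should stay internal needs its own blocking policy. The group name, the app list and the rule names are constructed for the example.

```python
from dataclasses import dataclass, replace
from typing import Dict, List, Optional, Tuple

# Constructed names for the illustration; not from the thread or from Okta.
EXTERNAL_GROUP = "Outside-Gateway-Access"
APPS = ["O365", "Jive", "Dashboard", "Expense-Portal"]


@dataclass(frozen=True)
class Request:
    groups: frozenset
    in_gateway: bool     # True = request arrived through the IWA gateway zone
    platform: str        # "desktop" or "mobile"
    app: str


@dataclass(frozen=True)
class Rule:
    name: str
    action: str                        # "ALLOW" or "DENY"
    mfa: bool = False
    in_gateway: Optional[bool] = None  # None matches any network zone
    group: Optional[str] = None        # None matches any user
    platform: Optional[str] = None     # None matches any client

    def matches(self, req: Request) -> bool:
        return ((self.in_gateway is None or self.in_gateway == req.in_gateway)
                and (self.group is None or self.group in req.groups)
                and (self.platform is None or self.platform == req.platform))


def evaluate(rules: List[Rule], req: Request, default: str) -> Tuple[str, bool, str]:
    """First matching rule in priority order wins; otherwise `default` applies."""
    for rule in rules:
        if rule.matches(req):
            return rule.action, rule.mfa, rule.name
    return default, False, "default"


def sign_on(org_rules: List[Rule], app_policies: Dict[str, List[Rule]],
            req: Request) -> Tuple[str, bool, str]:
    """Assumed order, as the thread describes it: org sign-on policy first, and an
    org DENY is final; the app's sign-on policy is only consulted after an org ALLOW."""
    action, mfa, by = evaluate(org_rules, req, "DENY")
    if action == "DENY":
        return "DENY", False, "org:" + by
    app_action, app_mfa, app_by = evaluate(app_policies.get(req.app, []), req, "ALLOW")
    if app_action == "DENY":
        return "DENY", False, "app:" + app_by
    return "ALLOW", mfa or app_mfa, ("app:" + app_by) if app_by != "default" else ("org:" + by)


def scenario(org_rules, app_policies, groups, in_gateway, platform) -> Dict[str, Tuple[str, bool]]:
    """(outcome, mfa_required) for every app, for one user / zone / client combination."""
    base = Request(frozenset(groups), in_gateway, platform, app="")
    return {app: sign_on(org_rules, app_policies, replace(base, app=app))[:2] for app in APPS}


# Configuration as the original post describes it: everything at org level,
# every app left at its "anywhere / any client" default.
ORG_RULES_CURRENT = [
    Rule("external-group-mfa", "ALLOW", mfa=True, in_gateway=False, group=EXTERNAL_GROUP),
    Rule("default-inside-iwa", "ALLOW", in_gateway=True),
    Rule("default-block-outside", "DENY", in_gateway=False),
]
APP_POLICIES_CURRENT: Dict[str, List[Rule]] = {}

# Configuration suggested in the replies: no external MFA or block at org level;
# mobile MFA and an external block are pushed down into each app's own policy.
ORG_RULES_SUGGESTED = [Rule("allow-everywhere", "ALLOW")]
MOBILE_MFA_THEN_BLOCK = [
    Rule("external-mobile-mfa", "ALLOW", mfa=True, in_gateway=False, platform="mobile"),
    Rule("block-other-external", "DENY", in_gateway=False),
]
APP_POLICIES_SUGGESTED = {
    "O365": MOBILE_MFA_THEN_BLOCK,
    "Jive": MOBILE_MFA_THEN_BLOCK,
    # every other app needs its own policy to keep external users out
    **{app: [Rule("block-external", "DENY", in_gateway=False)]
       for app in APPS if app not in ("O365", "Jive", "Dashboard")},
}

if __name__ == "__main__":
    for label, org, apps in [("current", ORG_RULES_CURRENT, APP_POLICIES_CURRENT),
                             ("suggested", ORG_RULES_SUGGESTED, APP_POLICIES_SUGGESTED)]:
        for groups in ((), (EXTERNAL_GROUP,)):
            print(label, "mobile outside gateway, groups=%s:" % list(groups),
                  scenario(org, apps, groups, False, "mobile"))
```

Under the current configuration, a mobile user outside the gateway who is not in the group is denied by the org policy before any app policy is evaluated, and once added to the group is allowed into every app with MFA, which is the "all or nothing" behaviour the thread describes. Under the suggested configuration the org policy lets the user reach the dashboard, O365 and Jive require MFA on mobile, and each remaining app is blocked only because it carries its own blocking rule, so the number of app policies to maintain grows with the number of apps.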