Okta Classic Engine | Administration | Answered | Asked 2021-02-03, last updated 2021-02-05

DavidG.45424 (Customer) asked a question.

Switching authentication Policies

We have 3 authentication policies:

1. Legacy policy: Applies to Okta

2. Active directory policy: Applies to AD

3. Default policy: Applies to Okta

If a user is created in Active Directory, we can see within the logs that they adhere to policy *2. We have them log into Okta for the first time and set up MFA. After the setup we notice that some user accounts continue to use the AD policy *2 (expected since accounts are mastered by AD), whereas other user accounts begin using the Default policy *3.

Additionally, if a user account is created within Okta, they adhere to the Default policy *3 rather than *1.

My question: is there a specific moment in time when a user's account begins using a different authentication policy? Is it possible to enable users to use different policies? (i.e. a user begins with the AD policy, then after some action begins to use the Default policy)


  • JohnPaulT.67567 (Customer)

    Are you referring to authentication password policies or authentication sign-on policies? It sounds like you're talking about sign-on policies, which would be assigned to groups and not authentication providers. If you're talking about password policies, why not get rid of the Legacy policy and use the Default policy instead for Okta-mastered users? Do you have each password policy assigned to Everyone?

  • k5fuw (k5fuw)

    Expanding on JohnPaul's response, and assuming that you're referring to your Password policies (under Security -> Authentication)...

    Do you need more than one password policy for Okta-mastered accounts? I recall Okta creating those Legacy policies a few years ago, as part of a system upgrade. It doesn't sound like any of your users are being assigned to that Legacy policy. If it's not in use, then just make sure that your Default policy (#3), which is assigned to the Everyone group and cannot be changed, is configured to your liking, then delete (or deactivate) that Legacy (#1) policy. That'll leave you with just one policy for AD-mastered users and one for everyone else.

    Next, on your Active Directory password policy, make sure that Assign to groups is set to use the Everyone group. This ensures that all Active Directory-mastered users will be assigned to this policy every time they sign in. Okta-mastered users will skip over this policy and be assigned to the Default policy, again, every time they sign in.

    So, at this point, you have two policies, both assigned to Everyone, with each targeting a specific type of user (AD vs Okta). All AD-mastered accounts will use the AD policy, and all Okta-mastered accounts will use the Default policy.

    In this scenario, the only way an AD-mastered user would ever get to the Default password policy would be if their Okta account was disconnected from Active Directory.

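As an added illustration of the evaluation order the two answers describe (this is example code, not from the thread and not Okta's own), the Python script below models password-policy selection over constructed policy and user records. The field names it mimics (priority, groups, provider) are a simplification of Okta's Policy and User objects, and the group ids and logins are made up. It resolves each sample user to a policy, shows the disconnected-AD case the second answer mentions, and flags any active policy that is not assigned to Everyone, which is the setting both answers say to check.

```python
"""Offline model of how a user ends up on one Okta password policy.

Added example, not code from the thread or from Okta. The records below are
constructed and only mimic a few fields of Okta's Policy and User API objects
(priority, conditions.people.groups.include, conditions.authProvider.provider,
credentials.provider.type). The evaluation rule is the one the answers describe:
policies are tried in priority order, and the first active policy whose group
assignment contains the user and whose provider matches the user's credential
provider is applied, so the Default policy (Everyone, OKTA) catches every
Okta-mastered user that nothing earlier claimed.
"""
from dataclasses import dataclass, field
from typing import List, Optional

EVERYONE = "00g-everyone"          # constructed id standing in for the Everyone group
LEGACY_GROUP = "00g-legacy-users"  # constructed id for a group only the Legacy policy targets


@dataclass
class Policy:
    name: str
    priority: int        # lower value is evaluated first, as in Okta's policy list
    provider: str        # "OKTA" or "ACTIVE_DIRECTORY" (conditions.authProvider.provider)
    groups: List[str]    # group ids the policy is assigned to (conditions.people.groups.include)
    status: str = "ACTIVE"


@dataclass
class User:
    login: str
    provider: str        # where the password is mastered (credentials.provider.type)
    groups: List[str] = field(default_factory=lambda: [EVERYONE])


# Constructed policy set mirroring the question: Legacy (#1), AD (#2), Default (#3).
# The Legacy policy is assigned to a narrow group, which is why no ordinary
# Okta-mastered user in the question ever lands on it.
POLICIES = [
    Policy("Legacy policy", 1, "OKTA", [LEGACY_GROUP]),
    Policy("Active Directory policy", 2, "ACTIVE_DIRECTORY", [EVERYONE]),
    Policy("Default policy", 3, "OKTA", [EVERYONE]),
]


def resolve_policy(user: User, policies: List[Policy]) -> Optional[str]:
    """Name of the first matching policy, or None when nothing matches.

    None is the fall-through case the second answer warns about: for example an
    AD-mastered user whose AD policy is assigned to a narrower group than Everyone.
    """
    for policy in sorted(policies, key=lambda p: p.priority):
        if policy.status != "ACTIVE":
            continue
        if policy.provider != user.provider:
            continue
        if not set(policy.groups) & set(user.groups):
            continue
        return policy.name
    return None


def audit_assignments(policies: List[Policy]) -> List[str]:
    """Flag active policies that are not assigned to Everyone.

    The thread's fix is that both the AD policy and the Default policy are
    assigned to Everyone; an extra Okta policy targeting a narrow group is the
    pattern that explains why some users never land on it.
    """
    return [
        f"{p.name}: assigned to {p.groups}, not to Everyone"
        for p in policies
        if p.status == "ACTIVE" and EVERYONE not in p.groups
    ]


def deactivate(policies: List[Policy], name: str) -> List[Policy]:
    """Return a copy of the policy list with the named policy deactivated."""
    return [
        Policy(p.name, p.priority, p.provider, list(p.groups),
               "INACTIVE" if p.name == name else p.status)
        for p in policies
    ]


if __name__ == "__main__":
    users = [
        User("ad.user@example.com", "ACTIVE_DIRECTORY"),
        User("okta.user@example.com", "OKTA"),
        User("legacy.user@example.com", "OKTA", [EVERYONE, LEGACY_GROUP]),
        # An AD account that was disconnected from the directory now has an
        # Okta-mastered password and therefore resolves to the Default policy.
        User("former.ad.user@example.com", "OKTA"),
    ]
    for u in users:
        print(f"{u.login:32} -> {resolve_policy(u, POLICIES)}")
    print("audit before:", audit_assignments(POLICIES))
    print("audit after: ", audit_assignments(deactivate(POLICIES, "Legacy policy")))
```

Running the script prints the policy each constructed user resolves to, then the audit before and after the Legacy policy is deactivated as the second answer suggests. The same `resolve_policy` function also shows the silent failure mode: if the AD policy is assigned to a group narrower than Everyone, an AD-mastered user outside that group matches nothing, and the audit reports that policy.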
This question is closed.