<iframe src="https://www.googletagmanager.com/ns.html?id=GTM-M74D8PB" height="0" width="0" style="display:none;visibility:hidden">
Loading
Skip to NavigationSkip to Main Content
System Status
Announcements
Announcements
Search
Search
Select Language
Knowledge Base
Knowledge Articles
Support Videos ↗
Documentation
Product Documentation ↗
Developer Documentation ↗
Product Release Notes ↗
Community
Events & Webinars
Okta Ideas ↗
Resources
Product Hub
Customer Success Hub
Product Release Update
Learning
Okta Learning ↗
Get Support
Open a Case
HomeCommunityForum
0D54z000078bnVqCAIOkta Classic EngineAuthenticationAnswered2026-05-28T15:53:18.000Z2021-08-24T15:37:55.000Z2026-05-28T15:53:18.000Z

  • Mihai N. (Okta, Inc.)

    UPDATING THIS POST TO REFLECT NEW FEATURES/INFORMATION:

    Okta has since introduced Dynamic Zones

     

    Steps to Implement:

    1. Create a Network Zone for the US:

    • Navigate to Security > Networks in the Okta Admin Console.
    • Click Add Zone > Dynamic Zone.
    • Name the zone (e.g., "US Only").
    • Under Locations, check the box for United States.
    • Save the zone.

    2. Create a Deny Policy for all other locations:

    • Navigate to Security > Global Session Policy (or specific Authentication Policies, depending on your Okta Identity Engine setup).
    • Select your active policy and click Add Rule.
    • Under the Network or Location condition, set User's IP is to Not in zone.
    • Select the "US Only" zone you just created.
    • Under the Actions section, set Access to Denied.
    • Save the rule and ensure it is placed at the top (highest priority) of your policy rules.

     

     

    Regards.

    --

    Help others in the community by liking or hitting Select as Best if this response helped you.

    Collect them all. Learn a new skill and earn a new Okta Learning badge.

    Just released: More Okta Community badges just added

    Expand Post
    Selected as Best

  • User16254393570754125507 (Okta)

    Hello @RomeoB.30073 (Customer)​ 

     

    Okta has a feature flag that can help with Geo-Location blocking. This feature will prevent access from any other country than the one selected for access. 

     

    I have also added our documentation on 'Networks' and 'Zones' for review if needed.

     

    https://help.okta.com/en/prod/Content/Topics/Security/Security_Network.htm

     

    https://developer.okta.com/docs/reference/api/zones/?_ga=2.193038315.794417587.1629733398-1771028757.1629733398#zone-model

     

    Regards,

     

    Natalia

    Okta Inc.

     

    Expand Post

  • rp21e (rp21e)

    Hello @User16254393570754125507 (Okta)​ and @RomeoB.30073 (Customer)​ ,

     

    I have been looking for a solution to the same question (changing US for Spain, but same logic), and even opened a case about it.

    I have been told that there is no other option to achieve it rather than creating a blocklist zone and populate it with all the countries to block, one by one, and skip including the desired-allowed one (US or Spain).

    This is certainly embarrasing and very difficult to manage (imagine geo-political changes).

     

    I was hoping to find some kind of "ALL" button, with another box to exclude, like in many other Okta features.

    What is the Flag you mentioned? How should we proceed to block every country but one?

     

    Thanks,

    Álvaro Camina

     

     

    Expand Post

  • Mihai N. (Okta, Inc.)

    UPDATING THIS POST TO REFLECT NEW FEATURES/INFORMATION:

    Okta has since introduced Dynamic Zones

     

    Steps to Implement:

    1. Create a Network Zone for the US:

    • Navigate to Security > Networks in the Okta Admin Console.
    • Click Add Zone > Dynamic Zone.
    • Name the zone (e.g., "US Only").
    • Under Locations, check the box for United States.
    • Save the zone.

    2. Create a Deny Policy for all other locations:

    • Navigate to Security > Global Session Policy (or specific Authentication Policies, depending on your Okta Identity Engine setup).
    • Select your active policy and click Add Rule.
    • Under the Network or Location condition, set User's IP is to Not in zone.
    • Select the "US Only" zone you just created.
    • Under the Actions section, set Access to Denied.
    • Save the rule and ensure it is placed at the top (highest priority) of your policy rules.

     

     

    Regards.

    --

    Help others in the community by liking or hitting Select as Best if this response helped you.

    Collect them all. Learn a new skill and earn a new Okta Learning badge.

    Just released: More Okta Community badges just added

    Expand Post
    Selected as Best
This question is closed.
Loading
Geographical Black Listing