0D54z00008jULhCCAW | Okta Identity Engine | Multi-Factor Authentication | Answered | 2025-08-29T09:00:28.000Z | 2023-01-30T14:33:02.000Z | 2023-02-02T16:46:41.000Z

HelloT.98818 (Customer) asked a question.

Require Factors Not being prompted - Identity Engine

I have a user set up with multiple required factors to be enrolled (Identity Engine), but when I log in as that user the factors are not being prompted to be enrolled.

Here's the API response for "Factors to Enroll" for that user. (2 factors are REQUIRED and NOT SETUP). I see that in the classic engine there was a dropdown to choose (prompt during every challenge) but none in Identity engine.

[
   {
       "factorType": "email",
       "provider": "OKTA",
       "vendorName": "OKTA",
       "_links": {
           "enroll": {
               "href": "https://dev-271xxx.okta.com/api/v1/users/xxxxxxxxxxx/factors",
               "hints": {
                   "allow": [
                       "POST"
                   ]
               }
           }
       },
       "status": "ACTIVE",
       "enrollment": "REQUIRED",
       "_embedded": {
           "emails": [
               {
                   "id": "emf84tyuu3LH7v5B95d7",
                   "profile": {
                       "email": "localadmin1@gmail.com"
                   },
                   "email": "localadmin1@gmail.com",
                   "status": "ACTIVE"
               }
           ]
       }
   },
   {
       "factorType": "sms",
       "provider": "OKTA",
       "vendorName": "OKTA",
       "_links": {
           "enroll": {
               "href": "https://dev-271xxx.okta.com/api/v1/users/xxxxxxxxxxx/factors",
               "hints": {
                   "allow": [
                       "POST"
                   ]
               }
           }
       },
       "status": "NOT_SETUP",
       "enrollment": "REQUIRED"
   },
   {
       "factorType": "push",
       "provider": "OKTA",
       "vendorName": "OKTA",
       "_links": {
           "enroll": {
               "href": "https://dev-271xxx.okta.com/api/v1/users/xxxxxxxxxxx/factors",
               "hints": {
                   "allow": [
                       "POST"
                   ]
               }
           }
       },
       "status": "NOT_SETUP",
       "enrollment": "REQUIRED"
   },
   {
       "factorType": "token:software:totp",
       "provider": "OKTA",
       "vendorName": "OKTA",
       "_links": {
           "enroll": {
               "href": "https://dev-271xxx.okta.com/api/v1/users/xxxxxxxxxxx/factors",
               "hints": {
                   "allow": [
                       "POST"
                   ]
               }
           }
       },
       "status": "NOT_SETUP",
       "enrollment": "REQUIRED"
   }
]


  • Paul S. (Okta, Inc.)

    Hello @HelloT.98818 (Customer) Thank you for reaching out to our Community!

    In this case you might want to check the logs and see which policy the user is triggering. Also make sure that the user has an enrolment policy as well as an MFA prompt on authentication.

    As OIE is a bit different, please see the doc below, which should provide the required info to achieve this:

    https://help.okta.com/oie/en-us/Content/Topics/identity-engine/policies/about-mfa-enrollment-policies.htm

  • q478i (q478i)

    Hello,

     

    This can be due to the attached policy. Please see if the User type, location, network zone, groups are aligned to the user who is attempting the login.

    System logs can be useful to investigate with.

  • HelloT.98818 (Customer)

    Thanks @Paul S. (Okta, Inc.)​ 

     

    Here's a screenshot of the enrollment policy:

    and the rule attached to the policy [image] [image]
    • Paul S. (Okta, Inc.)

      The enrolment policy looks good; however, you also need to have a sign-on policy that asks for MFA. You need to make sure that is in place as well. Please also review the logs to see what policy applies to the user authentication when he logs in.

  • HelloT.98818 (Customer)

    @Paul S. (Okta, Inc.)​ 

    I think it's looking at "or" for auth enrollments and since email is registered it's not prompting.

    I tried to remove email as a factor in the Auth policy and it did prompt me to enroll for OKTA verify.

     

    But, my question is, shouldn't it force me to enroll in all of the REQUIRED ones even if I have email enrolled?

  • HelloT.98818 (Customer)

    Created a brand new user to see if that helps but no, it's the same. Doesn't prompt

    • Paul S. (Okta, Inc.)

      For OIE this is different, as long as one of them is met, then you will not be prompted.

       

      Selected as Best
      • HelloT.98818 (Customer)

        thanks for the reply @Paul S. (Okta, Inc.)​ ,

        So just to confirm, in OIE: there is no way to force multiple REQUIRED factors to be prompted for enrollment.

        As long as one of the REQUIRED factors is set, the user doesn't see any more prompts.

This question is closed.
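
Since the thread concludes that OIE stops prompting once one REQUIRED factor is enrolled, the remaining REQUIRED factors have to be found by audit rather than by the sign-in flow. The following is an added example, not code from the thread or from Okta; it reads only the `factorType`, `status` and `enrollment` fields of the response quoted in the question, and the user labels, function names and sample data are constructed for illustration.

```python
import json

REQUIRED_KEYS = ("factorType", "status", "enrollment")

# Constructed sample: hypothetical user label -> "Factors to Enroll" response,
# trimmed to a few fields. "user-a" mirrors the response quoted in the question.
SAMPLE = json.loads("""
{
  "user-a": [
    {"factorType": "email", "provider": "OKTA", "status": "ACTIVE", "enrollment": "REQUIRED"},
    {"factorType": "sms", "provider": "OKTA", "status": "NOT_SETUP", "enrollment": "REQUIRED"},
    {"factorType": "push", "provider": "OKTA", "status": "NOT_SETUP", "enrollment": "REQUIRED"},
    {"factorType": "token:software:totp", "provider": "OKTA", "status": "NOT_SETUP", "enrollment": "REQUIRED"}
  ],
  "user-b": [
    {"factorType": "email", "provider": "OKTA", "status": "ACTIVE", "enrollment": "REQUIRED"},
    {"factorType": "push", "provider": "OKTA", "status": "ACTIVE", "enrollment": "REQUIRED"}
  ],
  "user-c": [
    {"factorType": "sms", "provider": "OKTA", "status": "NOT_SETUP", "enrollment": "REQUIRED"},
    {"factorType": "push", "provider": "OKTA"}
  ]
}
""")


def audit_required_factors(catalog):
    """Split one user's REQUIRED factors into enrolled and missing."""
    enrolled, missing, malformed = [], [], []
    for entry in catalog:
        ok = isinstance(entry, dict) and all(
            isinstance(entry.get(k), str) for k in REQUIRED_KEYS)
        if not ok:
            malformed.append(entry)  # never count an incomplete entry as enrolled
            continue
        if entry["enrollment"] != "REQUIRED":
            continue
        # Only ACTIVE counts as enrolled; NOT_SETUP or anything else is a gap.
        (enrolled if entry["status"] == "ACTIVE" else missing).append(entry["factorType"])
    return {"enrolled": enrolled, "missing": missing, "malformed": malformed}


def silent_gaps(catalogs):
    """Users with one REQUIRED factor enrolled while other REQUIRED ones are missing."""
    report = {}
    for user, catalog in sorted(catalogs.items()):
        result = audit_required_factors(catalog)
        if result["enrolled"] and result["missing"]:
            report[user] = result["missing"]
    return report
```

Calling `silent_gaps(SAMPLE)` returns only `user-a`, the case from the question: email is enrolled, so per the accepted answer the other REQUIRED factors would not be prompted for.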