
wgk8b (wgk8b) asked a question.
Is there any way to prevent a user of Okta from changing their own factors, and allowing only admins in Okta that privilege?
For instance, can you prevent somebody from going into their account and removing say the push factor, but allowing a support person to do this? It may be an odd question, but just thinking if somebody was able to pwn a user via mfa fatigue, this would prevent them from changing the users factor to their own device. They would need to call the support center then an Okta admin with correct privilege would be able to unenroll the factor and walk them through re-enrolling it.
I do understand it would cause an uptick in support center calls and possible user disappointment with delays setting up factors for replaced devices.

The only way I can think you could do that is to block access to the Profile management pages in the Okta Dashboard, which is where the user would manage that change. Not something I've tried, but you can have a custom page defined for that under Customizations -> Other and then User Accounts. You could either send them to a static page with a message on it, or roll your own functions to allow them to manage the things you want them to be able to manage.
There may be other ways, but those would also block the Dashboard from being seen which may not be beneficial 🙂
Thanks, will check that out.