
Timd.42128 (Customer) asked a question.
Hi,
I've created a sign-on policy to disable the requirement for MFA for certain groups. This seems to work for a new user that has this group attached, but for users that I've changed from an Okta user to a FEDERATED user, somehow the Okta MFA still triggers. I've removed the already existing MFA from the user, however Okta is still asking to add back an MFA method.
I've followed the links below to ensure that external Okta users are converted to federated users and that they are excluded from Okta MFA, so they don't have to MFA twice.
https://help.okta.com/en-us/content/topics/security/policies/configure-app-signon-policies.htm
Any help would be appreciated.

And maybe as an additional add-on what I see back in the logs for this specific user;
That 4th point should not have been triggered. Since we have a policy that disabled the requirement for MFA, it should just skip that.

I'm guessing this is caused by another policy that is set as a higher priority. Expand your log events for "Evaluation of sign-on policy" and look for "Target --> DisplayName" and see if that gives you any clues. Renaming your policy rules might help if you have multiple ones named "default" so you know exactly what one is being triggered in the logs.
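The log check suggested in the reply above can be scripted over an exported set of System Log events. This is an added example, not code from the thread or from Okta: the sample events are constructed, and the field layout (`eventType` of `policy.evaluate_sign_on`, `target[].type` of `PolicyEntity` / `PolicyRule`, `outcome.result`) is an assumption to verify against your own export.

```python
from collections import defaultdict

# Constructed sample events (not real log data), trimmed to the fields used here.
# Assumed layout: each policy evaluation lists the policy and the matched rule as targets.
SAMPLE_EVENTS = [
    {"eventType": "user.session.start", "displayMessage": "User login to Okta",
     "actor": {"alternateId": "fed.user@example.com"}, "target": []},
    {"eventType": "policy.evaluate_sign_on", "displayMessage": "Evaluation of sign-on policy",
     "actor": {"alternateId": "fed.user@example.com"}, "outcome": {"result": "CHALLENGE"},
     "target": [{"id": "pol-A", "type": "PolicyEntity", "displayName": "Default Policy"},
                {"id": "rule-1", "type": "PolicyRule", "displayName": "default"}]},
    {"eventType": "policy.evaluate_sign_on", "displayMessage": "Evaluation of sign-on policy",
     "actor": {"alternateId": "new.user@example.com"}, "outcome": {"result": "ALLOW"},
     "target": [{"id": "pol-B", "type": "PolicyEntity", "displayName": "Federated - no MFA"},
                {"id": "rule-2", "type": "PolicyRule", "displayName": "default"}]},
]

def policy_evaluations(events):
    """Yield only the 'Evaluation of sign-on policy' events."""
    return (e for e in events if e.get("eventType") == "policy.evaluate_sign_on")

def matched_rules(events, user):
    """Return (policy name, rule name, outcome) for each evaluation logged for `user`."""
    rows = []
    for ev in policy_evaluations(events):
        if ev.get("actor", {}).get("alternateId") != user:
            continue
        # Target --> DisplayName, keyed by target type
        names = {t.get("type"): t.get("displayName") for t in ev.get("target") or []}
        rows.append((names.get("PolicyEntity"), names.get("PolicyRule"),
                     ev.get("outcome", {}).get("result")))
    return rows

def ambiguous_rule_names(events):
    """Rule display names shared by more than one rule id (e.g. several rules named 'default')."""
    ids_by_name = defaultdict(set)
    for ev in policy_evaluations(events):
        for t in ev.get("target") or []:
            if t.get("type") == "PolicyRule":
                ids_by_name[t.get("displayName")].add(t.get("id"))
    return sorted(name for name, ids in ids_by_name.items() if len(ids) > 1)

if __name__ == "__main__":
    for row in matched_rules(SAMPLE_EVENTS, "fed.user@example.com"):
        print("policy=%s rule=%s outcome=%s" % row)
    print("rule names worth renaming:", ambiguous_rule_names(SAMPLE_EVENTS))
```

In the constructed data the federated user is matched by a rule in a different policy than the one meant to skip MFA, and both rules share the name "default", which is the situation the reply describes.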