
OktaapiS.13210 (Customer) asked a question.
I am configuring MFA for some of our accounts. I have defined a specific group that should have MFA. We have selected Email Authentication as the only factor. This part is straightforward.

For Factor Enrollment I created a new policy and selected the group and the email factor as required. I also created a rule with IP anywhere, Okta and application checked, and "Any application that supports MFA enrollment" selected. Additionally, "enroll in multi-factor" was set to "first time user signs in". I initially assumed that this would trigger MFA for the users within the specific group. It did not.

I added another policy under Authentication / Sign On. Again, I made this policy apply only to the specific group I've mentioned, and again I created a rule that selects the "required" radio button for MFA. After adding the sign-on policy, MFA worked as expected.

My main question is: I'm unclear on the relationship between these two policies. Is it necessary to select the intended group for both the MFA enrollment policy and the sign-on policy? It seems that the sign-on policy carries more weight in the setup. Thanks for any help, or perhaps my approach is simply wrong.

Hi @OktaapiS.13210 (Customer), thank you for reaching out to the Okta Community!
Just to build on what Hengfeng said, MFA enrollment and the use of MFA for authentication are two distinct operations that are more or less independent of each other.
In short:
- With the MFA Enrollment Policies, you define who, under what conditions, and which factor types need to be enrolled, so the users have them set up for future use.
- With Sign-on Policies, you define whether, which, and under what conditions MFA is used when signing in.
You can use the same groups or not, depending on your requirements, but it’s not necessary to use the same groups.
For example:
- You can have all Employees enroll with Okta Verify to have it ready for future deployments of sensitive application access, but only have your Admins use it on a regular basis until then, due to their privileged access.
- You can have all Employees enroll with Okta Verify, then have the Admins use it all the time, while the less privileged users don’t need it in the office but do have to use it when working from home on an unmanaged network.
About Authenticator (MFA) Enrollment Policies:
https://help.okta.com/oie/en-us/content/topics/identity-engine/policies/about-mfa-enrollment-policies.htm
About Sign-on Policies:
https://help.okta.com/oie/en-us/content/topics/identity-engine/policies/about-policies.htm
If my answer helped, remember to mark it as best to increase its visibility for other members of the Okta Community who might have the same questions as you.
Hope my answer helps!
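To make the relationship between the two policy types concrete, here is an added example (not code from the original thread or from Okta) that models the asker's setup as data and evaluates what happens to a user under each combination. The dictionary shapes loosely follow Okta's Policy API object types (`MFA_ENROLL`, `OKTA_SIGN_ON`) as an assumption, the group id is constructed, and the first-match evaluation is a simplification of Okta's priority-ordered policy matching.

```python
# Constructed model of the two Okta policy types discussed above. The field
# names mirror the shape of Okta's Policy API as an assumption; the evaluation
# logic is deliberately simplified (first matching policy wins, as in Okta's
# priority ordering, but no network/device/risk conditions are evaluated).

MFA_GROUP = "00g_mfa_users_example"  # constructed group id, not a real Okta id

# Factor Enrollment policy: WHO must enroll WHICH factor, and WHEN.
MFA_ENROLL_POLICY = {
    "type": "MFA_ENROLL",
    "conditions": {"people": {"groups": {"include": [MFA_GROUP]}}},
    "settings": {"factors": {"okta_email": {"enroll": {"self": "REQUIRED"}}}},
    "rules": [{"conditions": {"network": {"connection": "ANYWHERE"}},
               "actions": {"enroll": {"self": "LOGIN"}}}],  # enroll at first sign-in
}

# Sign-on policy: WHETHER a factor is actually challenged at sign-in.
SIGN_ON_POLICY = {
    "type": "OKTA_SIGN_ON",
    "conditions": {"people": {"groups": {"include": [MFA_GROUP]}}},
    "rules": [{"conditions": {"network": {"connection": "ANYWHERE"}},
               "actions": {"signon": {"access": "ALLOW", "requireFactor": True}}}],
}


def _applies(policy, user_groups):
    """A policy applies if the user is in any of its included groups."""
    include = policy["conditions"]["people"]["groups"]["include"]
    return any(g in include for g in user_groups)


def required_enrollments(user_groups, enroll_policies):
    """Factors the user must enroll, taken from the first matching enrollment policy."""
    for p in enroll_policies:
        if _applies(p, user_groups):
            factors = p["settings"]["factors"]
            return sorted(f for f, s in factors.items() if s["enroll"]["self"] == "REQUIRED")
    return []


def mfa_required_at_signon(user_groups, signon_policies):
    """True only if a matching sign-on policy has a rule with requireFactor set."""
    for p in signon_policies:
        if _applies(p, user_groups):
            return any(r["actions"]["signon"].get("requireFactor", False) for r in p["rules"])
    return False  # no sign-on policy matched: user is never challenged, even if enrolled


def evaluate(user_groups, enroll_policies, signon_policies):
    """Summarise the user's experience: what they enroll vs. whether they are challenged."""
    return {"enroll": required_enrollments(user_groups, enroll_policies),
            "challenge": mfa_required_at_signon(user_groups, signon_policies)}
```

Running `evaluate([MFA_GROUP], [MFA_ENROLL_POLICY], [])` reproduces the asker's first attempt: the user is forced to enroll email but is never challenged, because no sign-on policy requires a factor.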