
ChrisK.60231 (Customer) asked a question.
We are in an AD-Okta sync environment, where users are created in AD and synced over. We recently moved over to OIE from Classic. Previously we had zero issues with the first-time login experience. With OIE, users' emails are automatically enrolled as a form of authentication. The problem here is that we use O365 as our email suite, which also requires MFA. So if we have any user who we onboard remotely, they would be sent an email code as a form of authentication because they are automatically enrolled; however, they don't have access to that email.
I set up an authentication policy that is supposed to exclude Email or Phone, with the enrollment rule set to require Okta Verify or Google Authentication if one isn't set up. It appears that the only way around this is to remove Email as an authentication option entirely for the whole organization and only allow it to be used as a recovery option.
We want to continue to use email as an optional form of authentication because some users do utilize it and, from what I understand, it is necessary for those who wish to go password-less. The moment I set email to recovery only, the user is prompted to set up Okta Verify. But if email is allowed to be used as an authentication option, their only choice is to send an MFA code to the email they don't have access to.
Is there any way to remove this auto-enrollment feature for email? It seems like quite the oversight when it comes to firms who are onboarding remote users who won't have access to the email it is auto-enrolling them into until they are able to set up other authenticators such as Okta or Google Auth.

Hello @ChrisK.60231 (Customer), thank you for reaching out to our Community!
Email MFA was always auto-enrolled for a user if the email was one of the MFA options.
One way around it would be to set up a new rule for new users, so that Email MFA will no longer be an option.
You could also add a Feature Request in our Ideas section, for a chance that this functionality will be added in the future.
https://support.okta.com/help/s/ideas
Please also see our OIE doc for Authentication policy: https://help.okta.com/oie/en-us/content/topics/identity-engine/policies/about-app-sign-on-policies.htm