MFA Services for IdentityNow

Hi @Tyler_Harman,

I, like other users, would like the ability to require MFA only for admins, as most other standard users don’t have enough access to make MFA necessary. When strong authentication is deprecated, you’ve given customers essentially an “all or nothing” choice when it comes to how they want to use MFA. Strong auth might have had its limitations, but the way it was deployed was effective in that it was only triggered when sensitive operations might be invoked.

My thought was that I could assign an AD group automatically if someone has the ORG_ADMIN role in Idn. That way, on the Okta side, I could have a rule to require MFA if someone is in that group.

However, there doesn’t appear to be a way to define role membership based on someone’s IdN access because that source is not available in the drop-down, despite it showing both as an account and an entitlement on my identity:

{
    "id": "2c918089801984fc01801a8f981338ad",
    "name": "366088",
    "accountId": "366088",
    "source": {
        "id": "2c91808a6f15533b016fabe321da7532",
        "name": "IdentityNow",
        "type": "IdentityNowConnector"
    },
    "disabled": false,
    "locked": false,
    "privileged": false,
    "manuallyCorrelated": false,
    "entitlementAttributes": {
        "assignedGroups": "ORG_ADMIN"
    },
    "created": "2022-04-11T21:37:39.859Z"
}

{
    "id": "2c91808a6f15533b016fabe322107535",
    "name": "Administrator",
    "displayName": "Administrator",
    "type": "ENTITLEMENT",
    "description": "Full administrative access to IdentityNow",
    "source": {
        "id": "2c91808a6f15533b016fabe321da7532",
        "name": "IdentityNow"
    },
    "privileged": false,
    "attribute": "assignedGroups",
    "value": "ORG_ADMIN",
    "standalone": true,
    "requestable": false
}
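
Added example, not part of the original post and not SailPoint or Okta code: a sketch of the membership decision described above, computed offline from account records shaped like the one posted, to decide who belongs in the group that the MFA rule keys on. Assumptions: the function names, the sample identities, the `EXAMPLE_LEVEL` value, skipping disabled accounts, and `assignedGroups` possibly being a list when a user holds more than one value.

```python
ADMIN_VALUE = "ORG_ADMIN"                  # entitlement value shown in the post
IDN_SOURCE_TYPE = "IdentityNowConnector"   # source type shown in the post


def _as_list(value):
    """Normalise an attribute that may be absent, a string, or a list."""
    if value is None:
        return []
    return [value] if isinstance(value, str) else list(value)


def is_idn_admin(accounts, admin_value=ADMIN_VALUE):
    """True if any enabled IdentityNow account carries admin_value."""
    for acct in accounts:
        if (acct.get("source") or {}).get("type") != IDN_SOURCE_TYPE:
            continue  # match on source type, not on a display name
        if acct.get("disabled"):
            continue  # assumption: a disabled account should not grant membership
        attrs = acct.get("entitlementAttributes") or {}
        if admin_value in _as_list(attrs.get("assignedGroups")):
            return True
    return False


def mfa_group_changes(identities, current_members):
    """Return (to_add, to_remove) for the group the MFA rule is keyed on."""
    wanted = {name for name, accts in identities.items() if is_idn_admin(accts)}
    return sorted(wanted - current_members), sorted(current_members - wanted)


def _idn(groups, disabled=False):
    """Build a constructed account record with the same shape as the post's."""
    return {"source": {"name": "IdentityNow", "type": IDN_SOURCE_TYPE},
            "disabled": disabled,
            "entitlementAttributes": {"assignedGroups": groups}}


# Constructed sample data, not real identities.
SAMPLE = {
    "alice": [_idn("ORG_ADMIN")],                       # single value as a string
    "bob":   [_idn(["ORG_ADMIN"], disabled=True)],      # admin, but disabled
    "carol": [{"source": {"name": "AD", "type": "Active Directory"},
               "entitlementAttributes": {"memberOf": ["ORG_ADMIN"]}}],
    "dave":  [_idn(["EXAMPLE_LEVEL", "ORG_ADMIN"])],    # several values as a list
}

if __name__ == "__main__":
    print(mfa_group_changes(SAMPLE, current_members={"bob", "erin"}))
```

The removal list matters as much as the additions: an account that loses ORG_ADMIN or is disabled should drop out of the group rather than linger in it.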