Multifactor Authentication - OKTA Verify/Microsoft Authenticator

Hi Team,

I’m working on configuring MFA using an authenticator to sign in to SailPoint Identity Security Cloud.

Use Case:
I need to enforce MFA such that all users can authenticate only using either:

  • Microsoft Authenticator, or

  • Okta Verify

Current Observation:

  • By default, admins have this enabled, regardless of it being configured in Identity Profiles.

  • Based on documentation, Okta Verify appears to be primarily used for:

    • Password reset

    • Account unlock

  • For MFA during login, ISC allows:

    • Google Authenticator

    • Microsoft Authenticator

Concern:
I want to restrict users from using Google Authenticator and allow only:

  • Microsoft Authenticator (preferred), or

  • Okta Verify (acceptable alternative)

Questions:

  1. Is it possible in ISC to restrict MFA methods and allow only specific authenticators (allow only Microsoft Authenticator/OKTA Verify)?

  2. Can Okta Verify be configured as a primary MFA method for login, not just for password reset/unlock?

  3. If not directly supported, what is the recommended approach to enforce this restriction?

    • Through IdP configuration (e.g., Okta / Azure AD)?

    • Or via any ISC-level controls (API)?

Any guidance or best practices would be really helpful.

Thanks in advance!

Hi Gokul,

Below are my answers, AFAIK, as per my observations:

  1. No—ISC does not natively control or restrict specific MFA authenticator apps (like Google Authenticator vs Microsoft Authenticator).
  2. Yes. If Okta is configured as the IdP, you can set Okta Verify as a primary MFA factor for login by configuring appropriate Sign-On Policies in Okta. ISC will simply delegate authentication to Okta, and whatever MFA policies are enforced in Okta will apply.
  3. If using Azure AD (Microsoft Entra ID): use Conditional Access Policies.
     If using Okta: configure Authenticator Enrollment Policies.

Lastly, ISC does not provide APIs or configuration to restrict MFA methods.

IHTH :slightly_smiling_face:

Hi @pkMishra, thanks for the info. Will check this and let you know. I think it would be a good one using Azure or OKTA.

I would recommend Azure AD as the preferred option, given its strong integration and security capabilities. Okta can be considered as the secondary option, particularly for environments requiring broader multi-platform support.

This is generally an IdP-side control rather than an ISC-native control. ISC does not currently give you a clean way to restrict users to a specific authenticator app such as Microsoft Authenticator only, or to explicitly block Google Authenticator at the ISC layer.

If you need to enforce Okta Verify or Microsoft Authenticator specifically, the recommended pattern is to federate authentication through your external IdP and enforce MFA there:

  • use Okta sign-on / authenticator enrollment policies for Okta Verify
  • use Microsoft Entra Conditional Access / authentication method policy for Microsoft Authenticator

In that model, ISC delegates authentication and relies on the MFA decision made by the IdP. So yes, Okta Verify can be your primary MFA factor for login if Okta is the IdP, but not as an ISC-native authenticator control.
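The IdP-side model above means the restriction is only as good as the Entra authentication method policy actually in force. As an added example (not from this thread or from SailPoint), the script below audits an exported policy of the shape returned by Microsoft Graph `GET /policies/authenticationMethodsPolicy`: it flags any method other than Microsoft Authenticator that is still enabled. The export is constructed, and the mapping of third-party TOTP apps such as Google Authenticator to the `SoftwareOath` method id is an assumption to confirm against your tenant.

```python
"""Audit an exported Entra authentication-methods policy (added example).

CONSTRUCTED_POLICY mimics the Graph response shape, trimmed to the fields
the check uses; it is hypothetical data, not a real tenant export.
"""
import json

MS_AUTHENTICATOR = "MicrosoftAuthenticator"
# Assumption: third-party TOTP apps (e.g. Google Authenticator) enrol as SoftwareOath.
THIRD_PARTY_TOTP = "SoftwareOath"

CONSTRUCTED_POLICY = json.dumps({
    "authenticationMethodConfigurations": [
        {"id": "MicrosoftAuthenticator", "state": "enabled",
         "includeTargets": [{"targetType": "group", "id": "all_users"}]},
        {"id": "SoftwareOath", "state": "enabled",
         "includeTargets": [{"targetType": "group", "id": "all_users"}]},
        {"id": "Sms", "state": "disabled", "includeTargets": []},
        {"id": "Fido2", "state": "disabled", "includeTargets": []},
    ]
})


def audit_policy(policy_json, allowed=frozenset({MS_AUTHENTICATOR})):
    """Return findings; an empty list means only the allowed methods are
    enabled, and each of them is targeted at all users."""
    findings, seen = [], set()
    for cfg in json.loads(policy_json).get("authenticationMethodConfigurations", []):
        method, state = cfg.get("id"), cfg.get("state")
        seen.add(method)
        targets = {t.get("id") for t in cfg.get("includeTargets", [])}
        if method in allowed:
            if state != "enabled":
                findings.append(f"{method} must be enabled but is {state}")
            elif "all_users" not in targets:
                findings.append(f"{method} is enabled but not targeted at all_users")
        elif state == "enabled":
            findings.append(f"{method} is enabled but not in the allowed set")
    findings += [f"{m} missing from policy export" for m in sorted(allowed - seen)]
    return findings


def with_method_disabled(policy_json, method):
    """Return the policy JSON with one method disabled and its targets cleared
    (the remediation an admin would apply via a Graph PATCH)."""
    policy = json.loads(policy_json)
    for cfg in policy["authenticationMethodConfigurations"]:
        if cfg.get("id") == method:
            cfg["state"], cfg["includeTargets"] = "disabled", []
    return json.dumps(policy)


if __name__ == "__main__":
    for finding in audit_policy(CONSTRUCTED_POLICY):
        print("FINDING:", finding)
```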