Cyber Essentials for Okta: configuration guide

Exactly how to configure Okta (Workforce Identity) to satisfy Cyber Essentials v3.3 - MFA policies, Authentication Policies, session lifetime, break-glass accounts, and evidence patterns.

Author: Jay Hopkins
Edited by Jack Wickham

Okta is straightforward to configure for Cyber Essentials v3.3: enforce MFA on every user and a phishing-resistant factor on every administrator, require 12-character minimum passwords, write Authentication Policies that block legacy and password-only flows, keep the global session lifetime at or below 12 hours, and separate privileged admin accounts with named break-glass access. The common failure is an Authentication Policy that appears to enforce MFA but whose strict rule carries a long list of excluded users; those users silently fall through to a permissive catch-all rule, and admin accounts are often among them.

1. What Cyber Essentials v3.3 needs from your IdP

  • MFA on every user account, administrators and standard users alike; a service account that cannot enrol a factor needs a documented compensating control, not a silent exemption
  • Minimum password length 12 characters with a common-password / breach check (the scheme also accepts 8 characters where MFA is enforced, but a flat 12 is simpler to evidence)
  • No legacy authentication that bypasses MFA (basic auth, IMAP / POP, old CRM integrations that store a password)
  • Separate administrative accounts for privileged work
  • Session management with idle timeout and re-authentication on sensitive operations

In Okta these map onto Authenticators, Authentication Policies, and the Global Session Policy.

2. Authenticator enrolment

In Security > Authenticators:

  • Okta Verify: primary factor for end users; turn on number matching for push (plain push is open to prompt-bombing) and FastPass where devices are managed
  • FIDO2 / WebAuthn: required factor for administrators
  • Security Questions: disable
  • SMS / Voice: disable, or allow only as a recovery factor for end users (NIST SP 800-63B classes them as restricted authenticators, and Cyber Essentials assessors increasingly expect phishing-resistant factors for admins)
  • Password: minimum length 12, common-password check on, lockout after no more than 10 failed attempts (or rate throttling)

3. Authentication Policies (per application)

In Okta Identity Engine the old per-app sign-on policies have become Authentication Policies: shared policies that one or more applications are assigned to, evaluated after the Global Session Policy. Rules are evaluated top-down by priority and every policy ends in a catch-all rule, so the catch-all must not be weaker than you intend.

For every application that touches corporate data:

  • Re-authenticate with MFA on every sign-in ("every time") for admin apps (Okta Admin Console, AWS, GCP, Azure portals)
  • Prompt for MFA at least once per session on end-user apps
  • Require a phishing-resistant factor (FIDO2 / Okta Verify with FastPass) for administrators
  • Require a registered or managed device for critical apps (Admin Console, financial systems)

Export each Authentication Policy and its rules as JSON (the Policies API returns both) and keep it - it's one of the cleanest evidence artefacts, and it is what you diff after every change.

4. Global Session Policy

Security > Global Session Policy:

  • Maximum Okta global session lifetime: 12 hours (never "No limit")
  • Maximum Okta global session idle time: 2 hours
  • Re-authentication bounded by the 12-hour maximum, so no session outlives its last MFA prompt
  • Session cookies do not persist across browser sessions (closing the browser ends the session)
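Sections 3 and 4 are easy to get almost right, so here is an added example (written for this guide, not Okta's code) that audits exported Authentication Policy rules and Global Session Policy rules against those thresholds. It assumes the Okta Policies API field names (factorMode, reauthenticateIn, constraints[].possession.phishingResistant, actions.signon.session.*), takes the set of "admin app" policy names as an argument, and runs on a constructed sample that reproduces the three classic mistakes: a 7-day re-authentication prompt, a user exclusion that lets someone fall through, and a password-only catch-all rule.

```python
"""Audit example written for this guide (not Okta's code): checks Authentication Policy
(ACCESS_POLICY) rules and Global Session Policy (OKTA_SIGN_ON) rules against the guide's
thresholds. Field names follow the Okta Policies API; all sample data is constructed."""
import json
import re
import sys
from typing import Any

MAX_ADMIN_REAUTH_HOURS = 12          # admin apps: a fresh MFA prompt at least every 12 hours
MAX_SESSION_LIFETIME_MIN = 12 * 60
MAX_SESSION_IDLE_MIN = 2 * 60
_DURATION = re.compile(r"^P(?:(\d+)D)?(?:T(?:(\d+)H)?(?:(\d+)M)?(?:(\d+)S)?)?$")


def iso_duration_hours(value: str) -> float:
    """reauthenticateIn is ISO-8601: 'PT0S' (every sign-in), 'PT12H', 'PT43800H' (5 years)."""
    m = _DURATION.match(value)
    if not m:
        raise ValueError(f"unrecognised ISO-8601 duration: {value!r}")
    days, hours, minutes, seconds = (int(g) if g else 0 for g in m.groups())
    return days * 24 + hours + minutes / 60 + seconds / 3600


def audit_access_rule(rule: dict[str, Any], *, admin_app: bool) -> list[str]:
    """Findings for one Authentication Policy rule; inactive and DENY rules are skipped."""
    name = rule.get("name", "<unnamed>")
    signon = (rule.get("actions") or {}).get("appSignOn") or {}
    if rule.get("status") != "ACTIVE" or signon.get("access") == "DENY":
        return []
    findings = []
    method = signon.get("verificationMethod") or {}
    if method.get("factorMode") != "2FA":
        findings.append(f"{name}: factorMode={method.get('factorMode')!r} - password-only access")
    reauth = method.get("reauthenticateIn", "PT0S")
    if admin_app and iso_duration_hours(reauth) > MAX_ADMIN_REAUTH_HOURS:
        findings.append(f"{name}: re-authentication every {reauth} is too lax for an admin app")
    resistant = any((c.get("possession") or {}).get("phishingResistant") == "REQUIRED"
                    for c in method.get("constraints") or [])
    if admin_app and not resistant:
        findings.append(f"{name}: no phishing-resistant possession constraint on an admin app")
    # 'conditions' is null on the catch-all rule, hence the 'or {}' chain
    people = ((rule.get("conditions") or {}).get("people") or {})
    excluded = (people.get("users") or {}).get("exclude") or []
    if excluded:    # excluded users fall through to a later, usually weaker, rule
        findings.append(f"{name}: {len(excluded)} excluded user(s) - confirm none are admins")
    return findings


def audit_session_rule(rule: dict[str, Any]) -> list[str]:
    """Findings for one Global Session Policy rule: lifetime, idle time, cookie persistence."""
    name = rule.get("name", "<unnamed>")
    if rule.get("status") != "ACTIVE":
        return []
    session = ((rule.get("actions") or {}).get("signon") or {}).get("session") or {}
    findings = []
    lifetime = session.get("maxSessionLifetimeMinutes", 0)     # Okta: 0 means no limit
    if not 0 < lifetime <= MAX_SESSION_LIFETIME_MIN:
        findings.append(f"{name}: maxSessionLifetimeMinutes={lifetime} (0 = no limit)")
    idle = session.get("maxSessionIdleMinutes", 0)
    if not 0 < idle <= MAX_SESSION_IDLE_MIN:
        findings.append(f"{name}: maxSessionIdleMinutes={idle}")
    if session.get("usePersistentCookie"):
        findings.append(f"{name}: session cookie persists across browser sessions")
    return findings


def audit_policies(policies: list[dict[str, Any]], admin_policy_names: set[str]) -> dict[str, list[str]]:
    """Policy name -> findings. Each policy dict carries its rules under 'rules'
    (GET /api/v1/policies?type=... then GET /api/v1/policies/{id}/rules per policy)."""
    report: dict[str, list[str]] = {}
    for policy in policies:
        rules = sorted(policy.get("rules") or [], key=lambda r: r.get("priority", 0))
        if policy.get("type") == "ACCESS_POLICY":
            admin = policy["name"] in admin_policy_names
            report[policy["name"]] = [f for r in rules for f in audit_access_rule(r, admin_app=admin)]
        elif policy.get("type") == "OKTA_SIGN_ON":
            report[policy["name"]] = [f for r in rules for f in audit_session_rule(r)]
    return report


def _app_rule(name: str, priority: int, factor_mode: str, reauth: str, resistant: bool, exclude=()) -> dict:
    """Build one constructed Authentication Policy rule in the API's shape (sample data only)."""
    possession = {"userPresence": "REQUIRED", **({"phishingResistant": "REQUIRED"} if resistant else {})}
    return {"name": name, "status": "ACTIVE", "priority": priority,
            "conditions": {"people": {"users": {"exclude": list(exclude)}}} if exclude else None,
            "actions": {"appSignOn": {"access": "ALLOW", "verificationMethod": {
                "type": "ASSURANCE", "factorMode": factor_mode, "reauthenticateIn": reauth,
                "constraints": [{"knowledge": {"types": ["password"]}, "possession": possession}]}}}}


SAMPLE_POLICIES = [   # constructed: one good break-glass rule, two classic mistakes, one weak session rule
    {"name": "Okta Admin Console", "type": "ACCESS_POLICY", "rules": [
        _app_rule("Break-glass", 0, "2FA", "PT0S", resistant=True),
        _app_rule("Admins", 1, "2FA", "PT168H", resistant=False, exclude=["00u-sso-admin"]),  # 7-day prompt
        _app_rule("Catch-all Rule", 99, "1FA", "PT43800H", resistant=False)]},                # password only
    {"name": "Default Policy", "type": "OKTA_SIGN_ON", "rules": [
        {"name": "Default Rule", "status": "ACTIVE", "priority": 1, "actions": {"signon": {"access": "ALLOW",
         "session": {"usePersistentCookie": True, "maxSessionIdleMinutes": 120, "maxSessionLifetimeMinutes": 0}}}}]},
]

if __name__ == "__main__":   # usage: python audit_okta_policies.py [policies.json]
    policies = json.load(open(sys.argv[1])) if len(sys.argv) > 1 else SAMPLE_POLICIES
    for policy_name, findings in audit_policies(policies, {"Okta Admin Console"}).items():
        print(f"{policy_name}: {len(findings)} finding(s)")
        for finding in findings:
            print("  -", finding)
```

To run it against a tenant, save the output of GET /api/v1/policies?type=ACCESS_POLICY and GET /api/v1/policies?type=OKTA_SIGN_ON with each policy's GET /api/v1/policies/{id}/rules attached under a rules key and pass the file path; a read-only admin API token is enough. The break-glass rule in the sample passes precisely because it requires password plus FIDO2 on every sign-in and carries no other condition, which is the shape section 5 asks for.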

5. Administrator accounts

  • No more than two or three standing Super Admins. Use Okta's standard admin roles (Group, Application, Help Desk, Read-only) or custom roles for everything else.
  • Named admin accounts - no shared admin logins
  • Separate admin identity for each admin (their everyday user account is not a Super Admin)
  • Break-glass account(s): one or two accounts with Super Admin and FIDO2 hardware keys, placed in their own top-priority Authentication Policy rule that requires password + FIDO2 and nothing else (no device-trust or network condition), so a broken rule elsewhere cannot lock you out. Do not exempt them from MFA. Credentials sealed, every use and rotation logged.
  • Restrict admin sessions to a Network Zone covering office and VPN ranges if feasible

6. ThreatInsight + device trust

Not strictly required by Cyber Essentials but highly recommended:

  • ThreatInsight in "Log and block" mode - blocks sign-in attempts from IPs Okta has seen behaving maliciously
  • Okta FastPass with Device Assurance policies - ties sign-in to device posture and strengthens user-access-control evidence
  • Device integration via endpoint management (Jamf, Intune, Kandji) so Device Assurance can check management state

7. De-provisioning

Cyber Essentials expects accounts disabled promptly on leaver events.

  • HR system as the source of truth (Okta's HR-as-a-source integrations or inbound SCIM) where possible
  • Scheduled (e.g. daily) reconciliation between HR active employees and Okta active users
  • Leaver workflow: deactivate on the leaver date (deactivation triggers deprovisioning in apps with provisioning enabled; suspension does not), delete within 30 days
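As an added example (not the page's or Okta's code) of the daily reconciliation above, the script below joins an HR export to the Okta user list and reports three things an assessor will ask about: Okta accounts with no HR record, employees with no Okta account, and the lag between each leaver's date and the account being disabled. The HR record shape, the one-day tolerance and the service-account allowlist are assumptions for the example; the Okta fields (profile.login, status, statusChanged) are those of the Users API, and every record is constructed.

```python
"""Reconciliation example written for this guide (not Okta's code). It compares the HR
system's active/leaver list with Okta users (the /api/v1/users shape: profile.login, status,
statusChanged) and reports orphaned Okta accounts, employees with no account, and how many
days each leaver stayed active past their leave date. Every record below is constructed."""
from datetime import date, datetime, timezone
from typing import Any

MAX_LEAVER_LAG_DAYS = 1                         # "promptly": disabled no later than the next day (assumed)
DISABLED = {"DEPROVISIONED", "SUSPENDED"}


def okta_date(value: str) -> date:
    """Okta timestamps look like 2025-03-03T09:15:00.000Z; return the UTC calendar date."""
    return datetime.fromisoformat(value.replace("Z", "+00:00")).astimezone(timezone.utc).date()


def reconcile(hr_records: list[dict[str, Any]], okta_users: list[dict[str, Any]],
              service_accounts: frozenset[str] = frozenset()) -> dict[str, list]:
    """hr_records: [{"email", "status": "active" | "leaver", "leave_date": "YYYY-MM-DD" or None}] (assumed shape).
    service_accounts: logins that legitimately have no HR record (keep this list short and reviewed)."""
    hr = {r["email"].lower(): r for r in hr_records}
    okta = {u["profile"]["login"].lower(): u for u in okta_users}
    report: dict[str, list] = {"orphaned": [], "missing": [], "leavers": []}

    for login_, user in okta.items():           # active in Okta with no HR record at all
        if user["status"] == "ACTIVE" and login_ not in hr and login_ not in service_accounts:
            report["orphaned"].append(login_)

    for email, record in hr.items():
        if record["status"] == "active":
            if email not in okta:
                report["missing"].append(email)
            continue
        if record["status"] != "leaver":
            continue
        user = okta.get(email)
        if user is None:                        # already deleted: no trace in the users API, use the System Log
            entry = {"email": email, "okta_status": "NOT_FOUND", "lag_days": None, "ok": None}
        elif user["status"] in DISABLED:
            lag = (okta_date(user["statusChanged"]) - date.fromisoformat(record["leave_date"])).days
            entry = {"email": email, "okta_status": user["status"], "lag_days": lag,
                     "ok": lag <= MAX_LEAVER_LAG_DAYS}
        else:                                   # leaver who can still sign in: the finding assessors care about most
            entry = {"email": email, "okta_status": user["status"], "lag_days": None, "ok": False}
        report["leavers"].append(entry)
    return report


SAMPLE_HR = [   # constructed HR export
    {"email": "alice@example.com", "status": "active", "leave_date": None},
    {"email": "bob@example.com", "status": "active", "leave_date": None},
    {"email": "carol@example.com", "status": "leaver", "leave_date": "2025-03-01"},
    {"email": "dave@example.com", "status": "leaver", "leave_date": "2025-03-10"},
    {"email": "erin@example.com", "status": "leaver", "leave_date": "2025-02-01"},
]
SAMPLE_OKTA = [   # constructed /api/v1/users records
    {"profile": {"login": "alice@example.com"}, "status": "ACTIVE", "statusChanged": "2024-01-08T09:00:00.000Z"},
    {"profile": {"login": "carol@example.com"}, "status": "DEPROVISIONED", "statusChanged": "2025-03-01T17:30:00.000Z"},
    {"profile": {"login": "dave@example.com"}, "status": "ACTIVE", "statusChanged": "2023-06-12T08:00:00.000Z"},
    {"profile": {"login": "erin@example.com"}, "status": "DEPROVISIONED", "statusChanged": "2025-02-14T10:05:00.000Z"},
    {"profile": {"login": "svc-backup@example.com"}, "status": "ACTIVE", "statusChanged": "2022-11-01T00:00:00.000Z"},
    {"profile": {"login": "contractor-zed@example.com"}, "status": "ACTIVE", "statusChanged": "2024-09-20T12:00:00.000Z"},
]

if __name__ == "__main__":
    result = reconcile(SAMPLE_HR, SAMPLE_OKTA, frozenset({"svc-backup@example.com"}))
    print("Orphaned Okta accounts:", result["orphaned"])
    print("Employees without an account:", result["missing"])
    for leaver in result["leavers"]:
        print(f"{leaver['email']}: {leaver['okta_status']}, lag {leaver['lag_days']} day(s), ok={leaver['ok']}")
```

Keep the leaver rows for twelve months: they are the "user leaver report matched against HR leaver list" that section 8 asks for, and a leaver still showing as ACTIVE is the one row that will fail an assessment on its own.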

8. Evidence assessors expect

  • Okta administrator count (should be small) and the Super Admin list
  • Authentication Policy JSON export for each critical app
  • Global Session Policy screenshot
  • Authenticator enrolment report (% of users with at least one phishing-resistant factor enrolled)
  • User leaver report matched against HR leaver list for last 12 months
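Most of the figures above come from three API calls per user. The script below is an added example (not the page's or Okta's code) that computes the Super Admin list, the phishing-resistant enrolment percentage and the section 5 admin-hygiene checks from users that already have their factors and roles attached. The factor type names webauthn and signed_nonce (FastPass) and the role type names are Okta's; the limit of three Super Admins is this guide's; the combined record shape and the tenant data are constructed for the example.

```python
"""Evidence script written for this guide (not Okta's code). It consumes users with their
enrolled factors and role assignments (the shapes of /api/v1/users, /api/v1/users/{id}/factors
and the user role assignment endpoints, fetched separately and merged) and produces the admin
list, the phishing-resistant enrolment percentage and the admin-hygiene checks from section 5.
The tenant data below is constructed for the example."""
from typing import Any

PHISHING_RESISTANT = {"webauthn", "signed_nonce"}   # FIDO2/WebAuthn and Okta FastPass factor types
LOW_ASSURANCE = {"sms", "call", "question"}         # recovery at best, never the only factor
ADMIN_ROLES = {"SUPER_ADMIN", "ORG_ADMIN", "APP_ADMIN", "USER_ADMIN", "GROUP_ADMIN",
               "HELP_DESK_ADMIN", "READ_ONLY_ADMIN", "REPORT_ADMIN", "MOBILE_ADMIN",
               "API_ACCESS_MANAGEMENT_ADMIN", "GROUP_MEMBERSHIP_ADMIN", "CUSTOM"}
MAX_SUPER_ADMINS = 3                                # this guide's ceiling, not an Okta limit


def login(user: dict[str, Any]) -> str:
    return user["profile"]["login"]


def mfa_factor_types(user: dict[str, Any]) -> set[str]:
    """Active enrolled factor types; a 'password' entry, if the tenant lists one, is not MFA."""
    return {f["factorType"] for f in user.get("factors", []) if f.get("status") == "ACTIVE"} - {"password"}


def admin_roles(user: dict[str, Any]) -> set[str]:
    return {r["type"] for r in user.get("roles", []) if r["type"] in ADMIN_ROLES}


def enrolment_report(users: list[dict[str, Any]]) -> dict[str, Any]:
    """Section 8 figure: share of active users with at least one phishing-resistant factor."""
    active = [u for u in users if u.get("status") == "ACTIVE"]
    resistant = [u for u in active if mfa_factor_types(u) & PHISHING_RESISTANT]
    return {
        "active_users": len(active),
        "phishing_resistant_users": len(resistant),
        "phishing_resistant_pct": round(100 * len(resistant) / len(active), 1) if active else 0.0,
        "no_mfa_enrolled": sorted(login(u) for u in active if not mfa_factor_types(u)),
        "low_assurance_only": sorted(login(u) for u in active
                                     if mfa_factor_types(u) and mfa_factor_types(u) <= LOW_ASSURANCE),
    }


def admin_report(users: list[dict[str, Any]]) -> dict[str, Any]:
    """Section 5 checks: Super Admin headcount, a phishing-resistant factor on every admin,
    and no admin role left on a suspended or deprovisioned account."""
    admins = [u for u in users if admin_roles(u)]
    supers = sorted(login(u) for u in admins if "SUPER_ADMIN" in admin_roles(u))
    findings = []
    if len(supers) > MAX_SUPER_ADMINS:
        findings.append(f"{len(supers)} Super Admins; keep to {MAX_SUPER_ADMINS} or fewer")
    for u in admins:
        if not mfa_factor_types(u) & PHISHING_RESISTANT:
            findings.append(f"{login(u)}: admin without a phishing-resistant factor")
        if u.get("status") != "ACTIVE":
            findings.append(f"{login(u)}: admin role still attached to a {u.get('status')} account")
    return {"admin_count": len(admins), "super_admins": supers, "findings": findings}


def evidence_markdown(users: list[dict[str, Any]]) -> str:
    """Render both reports as the text block that goes into the evidence pack."""
    e, a = enrolment_report(users), admin_report(users)
    lines = [f"Active users: {e['active_users']}",
             f"Phishing-resistant factor enrolled: {e['phishing_resistant_users']} ({e['phishing_resistant_pct']}%)",
             f"No MFA enrolled: {', '.join(e['no_mfa_enrolled']) or 'none'}",
             f"Low-assurance factor only: {', '.join(e['low_assurance_only']) or 'none'}",
             f"Administrators: {a['admin_count']}; Super Admins: {', '.join(a['super_admins'])}"]
    lines += [f"FINDING: {f}" for f in a["findings"]]
    return "\n".join(lines)


def _user(login_: str, status: str, factors: tuple[str, ...], roles: tuple[str, ...] = ()) -> dict[str, Any]:
    """Build one constructed user record in the merged shape this script expects."""
    return {"status": status, "profile": {"login": login_},
            "factors": [{"factorType": f, "status": "ACTIVE"} for f in factors],
            "roles": [{"type": r, "status": "ACTIVE"} for r in roles]}


SAMPLE_USERS = [   # constructed tenant
    _user("alice-admin@example.com", "ACTIVE", ("webauthn", "push"), ("SUPER_ADMIN",)),
    _user("bob-admin@example.com", "ACTIVE", ("push",), ("SUPER_ADMIN",)),        # push only
    _user("sso-admin@example.com", "SUSPENDED", ("sms",), ("SUPER_ADMIN",)),      # legacy shared login
    _user("grace-admin@example.com", "ACTIVE", ("webauthn",), ("SUPER_ADMIN",)),
    _user("carol@example.com", "ACTIVE", ("signed_nonce", "push"), ("APP_ADMIN",)),
    _user("dave@example.com", "ACTIVE", ("sms",)),                                 # SMS is the only factor
    _user("erin@example.com", "ACTIVE", ()),                                       # nothing enrolled
    _user("frank@example.com", "DEPROVISIONED", ()),                               # leaver, ignored
]

if __name__ == "__main__":
    print(evidence_markdown(SAMPLE_USERS))
```

The suspended "sso-admin" account is the interesting row: suspension stops sign-in but leaves the Super Admin role in place, so it still appears in the administrator count the assessor sees. Remove the role or deactivate the account rather than leaving it parked.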

9. Common failure points

1. "Require MFA every 7 days" - too permissive for admin apps. Tighten to every sign-in.

2. A password-only (factorMode 1FA) rule, often the catch-all, left in one legacy Authentication Policy. Audit every policy down to its last rule.

3. A shared admin account from the original rollout ("sso-admin"). Replace with named admins.

4. SMS as the only MFA factor for the exec team. Migrate to Okta Verify push with number matching plus FastPass, or FIDO2.

5. No break-glass account - you'll regret this the first time a misconfigured policy locks you out. Create two and keep their hardware keys in the safe.

What Fig checks

Our CE readiness scan reviews Okta configuration through read-only API access and flags gaps in Authentication Policies, MFA enrolment, and admin segregation against the v3.3 requirements. Okta-centric organisations pass first time at over 96% after the standard one or two fixes.


About the author

Jay Hopkins

Managing Director, Fig Group

IASME-licensed Cyber Essentials Assessor; IASME Cyber Assurance Assessor

Jay Hopkins is the Managing Director of Fig Group and an IASME-licensed Cyber Essentials assessor. He was previously Head of Technology for a global regulated firm. He works with UK organisations across regulated sectors on baseline compliance, supply-chain assurance, and AI-augmented security tooling.
