Secure Office 365 using app sign-on policies

Before you begin

Complete Assign Office 365 to users and groups.

Start this task

The default sign-on rule for Office 365 is different than other apps in Okta. This rule denies access to all clients from any network. It cannot be modified. This prevents clients that use Legacy Authentication from accessing Office 365.

The other Okta-provided rule allows access to only web browsers and apps that support Modern Authentication. Modern authentication is a term for a combination of authentication and authorization methods. These methods can include multifactor authentication (MFA), client certification-based authentication, Azure Active Directory Authentication Library (ADAL), and Open Authorization (OAuth).

You can edit this rule to make it more stringent. Alternatively, you can add another to allow clients using Legacy Authentication (not recommended). For more information about app sign on policies, see Get started with Office 365 sign on policies.

Edit sign-on rule to prompt for MFA

You can edit Allow Web and Modern Auth rule to prompt for MFA.

Prerequisite

Factor types should be enabled before you can use them for the MFA prompt. See Multifactor Authentication .

  1. Go to Office 365 > Sign on > Sign on Policy > Allow Web and Modern Auth rule > Edit.
  2. From the Sign on Rule dialog, go to Actions > Prompt for Factor.
  3. Select the frequency at which you want to prompt the user for MFA when accessing Office 365.
  4. Click Save.

Next step

Office 365