Use Okta MFA to satisfy Azure AD MFA requirements for Office 365
This is an Early Access (EA) feature. EA features are opt-in features that you can try out in your org by asking Okta Support to enable them; Super Admins can also enable and disable some EA features themselves from the Features page in the Okta Admin Console (Settings > Features). To enable this feature, contact Okta Support.
You can use Okta multi-factor authentication (MFA) to satisfy Azure AD MFA requirements for your WS-Federation Office 365 (O365) app instance. For example, suppose that your WS-Federation O365 apps are configured with Azure AD Conditional Access policies in O365 (including MFA) to manage access to those apps, but you want Okta to handle the MFA requirement. As long as you have also configured an Okta org-level MFA sign-on policy, an Okta app-level sign-on policy for the O365 instance, or both, Okta prompts your end users for MFA when they access the apps.
You can also use Okta MFA to enroll end users into Windows Hello for Business for Azure AD MFA, as detailed below.
Known Issue – Make sure to configure either an app-level or an org-level MFA policy in Okta before using this feature. Otherwise, when trying to access an O365 instance that has been configured in Azure AD Conditional Access to require MFA, end users can get stuck in an infinite authentication loop. This occurs when neither your Okta org nor your O365 app instance is configured to prompt for Okta MFA: because Azure AD expects Okta to satisfy the app's MFA requirement, the Okta loading animation spins indefinitely and the end user never reaches the app.
- Configure MFA in Okta. Do either or both of the following, depending on your implementation:
  - Configure an Okta org-level MFA sign-on policy.
  - Configure an Okta app-level sign-on policy for your WS-Federation O365 app instance.
- Configure MFA in Azure AD.
- Enable this feature in Okta's EA Feature Manager (necessary only during the Early Access phase of this feature):
  - From the Okta Admin Console, go to Settings > Features.
  - Click Edit.
  - In Early Access Features, select Use Okta MFA to satisfy Azure AD MFA requirement.
  - Click Save.
- Activate this feature in Okta's Office 365 App Sign On policy (necessary only during the Early Access phase of this feature). Note: in this step you don't configure any settings; you just click Edit and then Save, as described:
  - From the Okta Admin Console, go to Applications > Applications.
  - Find and click your WS-Federation O365 app.
  - Click the Sign On tab.
  - Click Edit.
  - Click Save.
Okta MFA satisfies Azure AD Conditional Access MFA requirement
If Office 365 is configured with an Azure AD Conditional Access policy that requires MFA, end users trying to access the app are challenged by Okta for MFA to satisfy the Azure AD MFA requirement. Okta then passes the successful MFA claim to Azure AD which accepts the claim and allows access without prompting end users for a separate MFA. Assuming that Azure AD Conditional Access MFA is enabled and Okta MFA is enabled at the org or app level, or both, Okta passes the MFA claim as described in the following table:
| Okta Org-level MFA | Okta App-level MFA | Azure AD MFA | What Happens |
|---|---|---|---|
| Disabled | Disabled | Enabled | End users enter an infinite loop. To prevent this, you must configure Okta MFA to satisfy the Azure AD MFA requirement. See Known Issue above. |
| Enabled | Disabled | Enabled | End users complete an MFA prompt in Okta. Okta passes the completed MFA claim to Azure AD, which accepts it and does not prompt for a separate MFA. The user is allowed to access O365. |
Okta MFA enrolls end users into Windows Hello for Business
Prerequisite: The device must be Hybrid Azure AD joined or Azure AD joined.
If your organization requires Windows Hello for Business, end users who are not yet enrolled in Windows Hello for Business are prompted to complete a step-up authentication (for example, SMS or push) in Okta. After successful enrollment in Windows Hello for Business, end users can use it to sign in on the device. Okta helps end users enroll in Windows Hello for Business as described in the following table:
| Okta Org-level MFA | Okta App-level MFA | What Happens |
|---|---|---|
| Disabled | Disabled | End users enter an infinite loop. To prevent this, you must configure Okta MFA to satisfy the Azure AD MFA requirement. See Known Issue above. |
| Enabled | Disabled | End users complete a step-up MFA prompt in Okta. Upon successful enrollment in Windows Hello for Business, end users can use Windows Hello for Business as a factor to satisfy Azure AD MFA. |