Use Okta MFA for Azure Active Directory

You can use Okta multifactor authentication (MFA) to satisfy the Azure Active Directory (AD) MFA requirements for your WS-Federation Office 365 app. Use Okta MFA in the following cases:

  • You want Okta to handle the MFA requirements prompted by Azure AD Conditional Access for your Okta-federated domain.
  • You want to enroll your users in Windows Hello for Business. This gives users a single solution for both Okta and Microsoft MFA.

Okta Single Sign-On (SSO) supports the WS-Federation wauth parameter, which defines the required authentication level for sign-in attempts. This allows you to avoid enforcing MFA for all users and require extra authentication only when necessary.

Known issues

Infinite sign-in loop

Users can enter an infinite sign-in loop in the following scenarios:

  1. The Okta sign-on policy is weaker than the Azure AD policy:
    • Neither the Okta nor app sign-on policies require MFA. Okta doesn't prompt the user for MFA. Azure AD Conditional Access requires MFA and expects Okta to pass the completed MFA claim.
    • Sign-on policies don't require MFA when users sign in from within a network zone, but require it from out of the zone. Okta doesn't prompt the user for MFA. Azure AD Conditional Access requires MFA and expects Okta to pass the completed MFA claim.
  2. The user doesn't immediately access Office 365 after authenticating:
    • If the user completes MFA in Okta but doesn't immediately access the Office 365 app, Okta doesn't pass the MFA claim. To get out of the resulting infinite loop, the user must reopen the web browser and authenticate again.

Okta incorrectly sends a successful MFA claim

This happens when the Office 365 app sign-on policy excludes certain users (individuals or groups) from the MFA requirement. Even though the user isn't prompted for MFA, Okta sends a successful MFA claim to Azure AD Conditional Access. Azure AD Conditional Access accepts the Okta MFA claim and allows the user to sign in without requiring them to complete the AD MFA.

Before you begin

Verify that the following prerequisites have been met before proceeding:

  1. Configure an org-level sign-on policy. See Okta sign-on policies.
  2. Configure an app sign-on policy for your WS-Federation Office 365 app instance. See Get started with Office 365 sign on policies.
  3. MFA is configured in your Azure AD instance. See Configure Microsoft Entra multifactor authentication settings.

Start this procedure

Change your Office 365 domain federation settings to enable support for Okta MFA. Complete one of these procedures:

Manually federated domains

  1. In the Admin Console, go to ApplicationsApplications.

  2. Open your WS-Federated Office 365 app.
  3. Click Sign OnView Setup Instructions. The How to Configure Office 365 WS-Federation page appears.
  4. Go to the If your domain is already federated section.
  5. Run either of the following PowerShell commands, depending on your environment:
    • Manually federated domains: Ensure that the SupportsMfa value is True:
      Connect-MsolService
      Get-MsolDomainFederationSettings -DomainName <yourDomainName>
    • Manually federated domains (Microsoft Graph Module): Ensure that the FederatedIdpMfaBehavior value is enforceMfaByFederatedIdp:
      Connect-MgGraph -Scopes Directory.AccessAsUser.All
      Get-MgDomainFederationConfiguration -DomainId <yourDomainName> | Select -Property FederatedIdpMfaBehavior
  6. For the Okta MFA from Azure AD option, select Enable for this application.
  7. Click Save.

Example result: MSOnline

Copy
ActiveLogOnUri : https://example.okta.com/app/office365/issueruri/sso/wsfed/active
FederationBrandName : Okta
IssuerUri : issueruri
LogOffUri : https://example.okta.com/app/office365/issueruri/sso/wsfed/signout
MetadataExchangeUri : https://example.okta.com/app/office365/issueruri/sso/wsfed/mex
PassiveLogOnUri : https://example.okta.com/app/office365/issueruri/sso/wsfed/passive
SigningCertificate : <SigningCertificate>
SupportsMfa : True

Example result: Microsoft Graph

Copy
ActiveSignInUri : https://example.okta.com/app/office365/issueruri/sso/wsfed/active
FederationBrandName : Okta
IssuerUri : https://issueruri
SignOutUri : https://example.okta.com/app/office365/issueruri/sso/wsfed/signout
MetadataExchangeUri : https://example.okta.com/app/office365/issueruri/sso/wsfed/mex
PassiveLogOnUri : https://example.okta.com/app/office365/issueruri/sso/wsfed/passive
SigningCertificate : <SigningCertificate>
FederatedIdpMfaBehavior: acceptIfMfaDoneByFederatedIdp

Automatically federated domains

  1. In the Admin Console, go to ApplicationsApplications.
  2. Open your WS-Federated Office 365 app.
  3. On the Sign On tab, click Edit.
  4. For the Okta MFA from Azure AD option, select Enable for this application.
  5. Click Save.

Example result: MSOnline

Copy
ActiveLogOnUri : https://example.okta.com/app/office365/issueruri/sso/wsfed/active
FederationBrandName : Okta
IssuerUri : issueruri
LogOffUri : https://example.okta.com/app/office365/issueruri/sso/wsfed/signout
MetadataExchangeUri : https://example.okta.com/app/office365/issueruri/sso/wsfed/mex
PassiveLogOnUri : https://example.okta.com/app/office365/issueruri/sso/wsfed/passive
SigningCertificate : <SigningCertificate>
SupportsMfa : True

Example result: Microsoft Graph

Copy
ActiveLogOnUri : https://example.okta.com/app/office365/issueruri/sso/wsfed/active
FederationBrandName : Okta
IssuerUri : issueruri
SignOutUri : https://example.okta.com/app/office365/issueruri/sso/wsfed/signout
MetadataExchangeUri : https://example.okta.com/app/office365/issueruri/sso/wsfed/mex
PassiveLogOnUri : https://example.okta.com/app/office365/issueruri/sso/wsfed/passive
SigningCertificate : <SigningCertificate>
FederatedIdpMfaBehavior: acceptIfMfaDoneByFederatedIdp

Disable this feature

  1. In the Admin Console, go to ApplicationsApplications.

  2. Open your WS-Federated Office 365 app.
  3. On the Sign On tab, click Edit.
  4. For the Okta MFA from Azure AD option, clear the Enable for this application option.
  5. Click Save.
  6. Run either of the following PowerShell commands, depending on your environment:
    • Disable Okta MFA for Azure AD (MSOnline): Ensure that the SupportsMfa setting is false for all domains that were automatically federated in Okta with this feature enabled:

      Set-MsolDomainFederationSettings -DomainName <targetDomainName> -SupportsMfa $false

    • Disable Okta MFA for Azure AD (Microsoft Graph): Ensure that the FederatedIdpMfaBehavior setting is enforceMfaByFederatedIdp for all domains that were automatically federated in Okta with this feature enabled:

      Update-MgDomainFederationConfiguration -DomainId <DomainName> -InternalDomainFederationId (Get-MgDomainFederationConfiguration -DomainId <DomainName> | Select -Property Id).id -FederatedIdpMfaBehavior enforceMfaByFederatedIdp

How this feature works

Okta MFA satisfies Azure AD MFA requirement

Okta passes an MFA claim as described in this table:

Okta org-level MFA Okta app-level MFA Azure AD MFA What happens
Disabled Disabled Enabled Users enter an infinite sign-in loop. To prevent this, configure Okta MFA to satisfy the Azure AD MFA requirement.
Enabled Disabled Enabled Users complete an MFA prompt in Okta. Okta passes the completed MFA claim to Azure AD. Azure AD accepts the MFA from Okta and doesn 't prompt for a separate MFA. The user is allowed to access Office 365.
Disabled Enabled Enabled
Enabled Enabled Enabled

Okta enrolls users in Windows Hello

As a prerequisite, the device must be Hybrid Azure AD or Azure AD-joined. If your org requires Windows Hello for Business, Okta prompts users who aren't yet enrolled in Windows Hello to complete step-up authentication. Users can sign in after they've enrolled in Windows Hello.

Okta helps users enroll as described in this table:

Okta org-level MFA Okta app-level MFA What happens
Disabled Disabled Users enter an infinite sign-in loop. To prevent this, configure Okta MFA to satisfy the Azure AD MFA requirement.
Enabled Disabled Users complete step-up MFA in Okta. After successful enrollment in Windows Hello for Business, users can use it as a factor to satisfy Azure AD MFA.
Disabled Enabled
Enabled Enabled

Related topics

Office 365 sign-on rules options

Get started with Office 365 provisioning and deprovisioning

Plan a Windows Hello for Business deployment (Microsoft documentation)