Use Okta MFA to satisfy Azure AD MFA requirements for Office 365

This is an Early Access (EA) feature. EA features are opt-in features that you can try out in your org by asking Okta Support to enable them; for some EA features, Super Admins can enable and disable them themselves from the Features page in the Okta Admin Console (Settings > Features). To enable this feature, use the Early Access Feature Manager as described in Manage Early Access and Beta features.

You can use Okta multi-factor authentication (MFA) to satisfy Azure AD MFA requirements for your WS-Federation Office 365 app instance. For example, suppose your WS-Federation Office 365 apps are governed by Azure AD Conditional Access policies (including an MFA requirement), but you want Okta to perform the MFA challenge. As long as you have also configured an Okta org-level MFA sign-on policy, an Okta app-level sign-on policy for the Office 365 instance, or both, Okta prompts your end users for MFA when they access the apps and passes the completed MFA claim to Azure AD. You can also use Okta MFA to enroll end users in Windows Hello for Business for Azure AD MFA, as described below.

Warning

Do not exclude users from the MFA requirement in sign-on policies

We recommend that you set up the Office 365 sign-on policy in Okta so that all end users must complete MFA. If a policy excludes certain end users (individuals or groups) from the MFA requirement in some situations (for example, when they are on the corporate network), they can run into either of the following problems while enrolling in Windows Hello for Business:

1. They enter an infinite authentication loop.

This happens if the org-level sign-on policy excludes the user from the MFA requirement and the Office 365 app sign-on policy does not prompt for MFA either.

The user is never prompted for MFA, so Okta has no completed MFA to assert and does not send the MFA claim to Azure AD. Azure AD Conditional Access requires that claim before it allows the sign-in, so it sends the user back to Okta, and the cycle repeats indefinitely.

2. They skip MFA and still enroll in Windows Hello for Business.

This happens when the Office 365 app sign-on policy excludes certain end users from the MFA requirement.

The user is not prompted for MFA, but because the app sign-on policy allows the sign-in without MFA, Okta still sends the completed MFA claim to Azure AD. Azure AD Conditional Access accepts the claim and lets the user complete enrollment without ever having performed MFA. For those users the Azure AD MFA requirement is effectively bypassed, so such exclusions weaken the control rather than merely relax it.

Make sure you configure an app-level or org-level MFA policy in Okta before using this feature. Otherwise, end users who try to access an Office 365 instance whose Azure AD Conditional Access policy requires MFA can get stuck in an infinite authentication loop.

This is most likely when neither your Okta org nor the Office 365 app instance is configured to prompt for Okta MFA. Because Azure AD expects Okta to satisfy the app's MFA requirement, the Okta loading animation spins indefinitely and the end user cannot access the app.

Procedure

  1. Configure MFA in Okta.

    Do either or both of the following, depending on your implementation:

    1. Configure an org-level sign-on policy as detailed here.
    2. Configure an app sign-on policy for your WS-Federation Office 365 app instance as detailed here.
  2. Configure MFA in Azure AD (for example, a Conditional Access policy that requires MFA for the Office 365 app).
  3. Enable the Office 365 Pass Claim For MFA feature in the Okta EA Feature Manager (necessary only during the Early Access phase of this feature).
    1. From the Okta Admin Console, go to Settings > Features > Early Access Features > Edit.
    2. Select the feature.
    3. Click Save.
  4. Change the Office 365 domain federation settings in Azure AD to enable support for Okta MFA.

    1. If you federated the domain manually, run the updated federation script from the Setup Instructions:

      1. From the Okta Admin Console, go to Applications > Applications.
      2. Open your WS-Federated Office 365 app.
      3. Click the Sign On tab > View Setup Instructions.
      4. Copy and run the script from the If your domain is already federated section.

    2. If you let Okta configure the federation settings for you:

      Note

      In this step you don't change any settings; you just click Edit and then Save as described, which causes Okta to reapply the federation settings it manages for you.

      1. From the Okta Admin Console, go to Applications > Applications.
      2. Open your WS-Federated Office 365 app.
      3. Click the Sign On tab > Edit > Save.
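The following PowerShell is an added example, not Okta's setup-instructions script. It shows the Azure AD-side state that step 4 has to leave behind: the federated domain's SupportsMfa setting turned on, which is what tells Azure AD to accept an MFA claim from the federated IdP (Okta) instead of running its own MFA. It assumes the MSOnline module, a Global Administrator session, and that you replace the placeholder domain with your own; that Okta's script sets this same flag is an assumption, so when in doubt run Okta's script and use this only to confirm the result.

```powershell
# Added example (not Okta's federation script): verify, and if needed enable,
# the Azure AD federation setting that lets Azure AD accept Okta's MFA claim.
# Assumes the MSOnline module and a Global Administrator sign-in.
Import-Module MSOnline
Connect-MsolService    # interactive sign-in

function Get-FederatedMfaState {
    param([Parameter(Mandatory)][string]$DomainName)

    $settings = Get-MsolDomainFederationSettings -DomainName $DomainName -ErrorAction Stop
    [pscustomobject]@{
        DomainName  = $DomainName
        IssuerUri   = $settings.IssuerUri                              # should point at your Okta org
        Protocol    = "$($settings.PreferredAuthenticationProtocol)"   # WsFed for the Okta Office 365 app
        SupportsMfa = [bool]$settings.SupportsMfa
    }
}

$domain = 'example.com'   # placeholder: your federated Office 365 domain
$state  = Get-FederatedMfaState -DomainName $domain
$state | Format-List

if ($state.Protocol -ne 'WsFed') {
    Write-Warning "$domain is federated with $($state.Protocol), not WS-Fed; this feature applies to the WS-Federation Office 365 app."
}

if (-not $state.SupportsMfa) {
    # The flag the page's "updated federation script" needs to turn on
    # (assumption: Okta's script sets this same setting).
    Set-MsolDomainFederationSettings -DomainName $domain -SupportsMfa $true

    # Read it back rather than trusting the call succeeded silently.
    $state = Get-FederatedMfaState -DomainName $domain
    if (-not $state.SupportsMfa) { throw "SupportsMfa is still false for $domain" }
    Write-Host "SupportsMfa is now enabled for $domain."
} else {
    Write-Host "SupportsMfa is already enabled for $domain; nothing to change."
}
```

Run Get-FederatedMfaState again after completing step 4 by either path; if SupportsMfa still reads False, Azure AD will ignore the MFA claim Okta sends and users end up in the loop described in the Warning. On tenants administered through Microsoft Graph rather than MSOnline (outside the scope of this page), the equivalent setting is the federatedIdpMfaBehavior property of the domain's federation configuration, where acceptIfMfaDoneByFederatedIdp corresponds to SupportsMfa being true.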

How it works

Okta MFA satisfies Azure AD Conditional Access MFA requirement

If Office 365 is configured with an Azure AD Conditional Access policy that requires MFA, end users trying to access the app are challenged by Okta for MFA to satisfy the Azure AD MFA requirement. Okta then passes the successful MFA claim to Azure AD which accepts the claim and allows access without prompting end users for a separate MFA.

Assuming that Azure AD Conditional Access MFA is enabled and Okta MFA is enabled at the org level, the app level, or both, Okta passes the MFA claim as described in the following table.

Okta org-level MFA | Okta app-level MFA | Azure AD MFA | What happens
Disabled           | Disabled           | Enabled      | End users enter an infinite loop. To prevent this, you must configure Okta MFA in order to satisfy the Azure AD MFA requirement. See the Warning above.
Enabled            | Disabled           | Enabled      | End users complete an MFA prompt in Okta. Okta passes the completed MFA claim to Azure AD, which accepts it and allows access to Office 365 without prompting for a separate MFA.
Disabled           | Enabled            | Enabled      | Same outcome as the row above: Okta prompts for MFA and passes the completed MFA claim.
Enabled            | Enabled            | Enabled      | Same outcome as the row above: Okta prompts for MFA and passes the completed MFA claim.
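To see what "passes the MFA claim" means on the wire, the following PowerShell is an added example (not from Okta or Microsoft) that inspects a WS-Federation response for the claim Azure AD treats as "MFA already satisfied by the federated IdP": claim type http://schemas.microsoft.com/claims/authnmethodsreferences with the value http://schemas.microsoft.com/claims/multipleauthn. That claim is Microsoft's documented contract for federated IdPs; that Okta emits exactly this claim for this feature is an assumption here. The token is a constructed, unsigned, minimal SAML 1.1 assertion; in practice you would capture the real wresult that the browser POSTs to login.microsoftonline.com with a SAML/WS-Fed tracer and pass that in instead.

```powershell
# Added example: check a WS-Fed wresult for the federated-IdP MFA claim.
# The sample token below is constructed for this example; real tokens are
# signed and carry more attributes (UPN, etc.).
$SampleWresult = @'
<t:RequestSecurityTokenResponse xmlns:t="http://schemas.xmlsoap.org/ws/2005/02/trust">
  <t:RequestedSecurityToken>
    <saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:1.0:assertion"
                    MajorVersion="1" MinorVersion="1" Issuer="http://www.okta.com/example">
      <saml:AttributeStatement>
        <saml:Attribute AttributeName="ImmutableID"
                        AttributeNamespace="http://schemas.microsoft.com/LiveID/Federation/2008/05">
          <saml:AttributeValue>AbCdEf0123456789AbCdEf==</saml:AttributeValue>
        </saml:Attribute>
        <saml:Attribute AttributeName="authnmethodsreferences"
                        AttributeNamespace="http://schemas.microsoft.com/claims">
          <saml:AttributeValue>http://schemas.microsoft.com/claims/multipleauthn</saml:AttributeValue>
        </saml:Attribute>
      </saml:AttributeStatement>
    </saml:Assertion>
  </t:RequestedSecurityToken>
</t:RequestSecurityTokenResponse>
'@

function Test-FederatedMfaClaim {
    param([Parameter(Mandatory)][string]$Wresult)

    [xml]$doc = $Wresult
    $ns = New-Object System.Xml.XmlNamespaceManager($doc.NameTable)
    $ns.AddNamespace('saml', 'urn:oasis:names:tc:SAML:1.0:assertion')

    # SAML 1.1 splits a claim type into AttributeNamespace + AttributeName.
    $xpath = "//saml:Attribute[@AttributeNamespace='http://schemas.microsoft.com/claims'" +
             " and @AttributeName='authnmethodsreferences']/saml:AttributeValue"
    $methods = @($doc.SelectNodes($xpath, $ns) | ForEach-Object { $_.InnerText.Trim() })

    [pscustomobject]@{
        Issuer          = $doc.SelectSingleNode('//saml:Assertion', $ns).GetAttribute('Issuer')
        AuthnMethods    = $methods
        MfaClaimPresent = ($methods -contains 'http://schemas.microsoft.com/claims/multipleauthn')
    }
}

# With the constructed sample, MfaClaimPresent is True. A token without this
# claim, handed to a Conditional Access policy that requires MFA, is what
# produces the redirect loop described in the Warning above.
Test-FederatedMfaClaim -Wresult $SampleWresult
```

Two caveats for anyone using this to troubleshoot. First, the claim being present only tells you what Okta asserted, not what the user did: in the second Warning scenario (app-level policy excludes the user) the claim is still sent, so cross-check the Okta System Log for an actual MFA verification event before concluding MFA happened. Second, a real wresult is signed; this check does not validate the signature, so run it only on tokens you captured yourself.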

Okta enrolls users in Windows Hello for Business

Prerequisite: The device must be Hybrid Azure AD joined or Azure AD joined.

If your organization requires Windows Hello for Business, end users who are not yet enrolled in Windows Hello for Business are prompted to complete a step-up authentication (for example, SMS or push) in Okta. After successful enrollment, end users can use Windows Hello for Business to sign in on the device. Okta helps end users enroll in Windows Hello for Business as described in the following table.

Okta org-level MFA | Okta app-level MFA | What happens
Disabled           | Disabled           | End users enter an infinite loop. To prevent this, you must configure Okta MFA in order to satisfy the Azure AD MFA requirement. See the Warning above.
Enabled            | Disabled           | End users complete a step-up MFA prompt in Okta. Upon successful enrollment in Windows Hello for Business, end users can use Windows Hello for Business as a factor to satisfy Azure AD MFA.
Disabled           | Enabled            | Same outcome as the row above: Okta prompts for step-up MFA and the user enrolls.
Enabled            | Enabled            | Same outcome as the row above: Okta prompts for step-up MFA and the user enrolls.

Related topics

From Okta

Multifactor Authentication

From Microsoft

Enable MFA

Windows Hello for Business