Office 365 default sign-on rules

The Office 365 app in Okta has two default sign-on rules. This set of rules is unique to the Office 365 app and ensures that only more secure clients get access to the Office 365 apps. The set contains the following two rules:

Allow Web and Modern Auth

This rule is by default set as number one in priority. It allows only web browsers and apps supporting Modern Authentication to access the Office 365 app. The rule denies access to Exchange ActiveSync and clients using Legacy Authentication. Make this rule more stringent by modifying the Access section of the rule as follows:

  • Specify how frequently the user is prompted to reauthenticate.

  • Require the user to successfully complete the MFA prompt and specify how frequently the user is prompted for MFA.

Catch-all rule

This rule is by default set last in priority. It denies access to all clients from all networks. Neither this rule nor its priority can be modified. This rule acts as a catch-all rule for situations not specifically defined in previous rules.

You can create more sign-on rules and set their priority to match your security needs. Okta evaluates each rule by its priority and applies the first rule that matches. If a user doesn't fall within the scope of a preceding rule (or rules applied globally across the org), they're subject to the Catch-all rule that denies access to Office 365 apps.

Next step

Create Office 365 sign on rules