Use Okta MFA for Azure Active Directory
You can use Okta multi-factor authentication (MFA) to satisfy the Azure AD MFA requirements for your WS-Federation Office 365 app.
Use Okta MFA in the following cases:
- You want Okta to handle the MFA requirements prompted by Azure AD Conditional Access for your Okta-federated domain.
- You want to enroll your end users into Windows Hello for Business so that they can use a single solution for both Okta and Microsoft MFA.
Known issues
Users can enter infinite sign-in loop
End users can enter an infinite sign-in loop when Okta app-level sign-on policy is weaker than the Azure AD policy. This can happen in the following scenarios:
-
App-level sign-on policy doesn't require MFA.
Okta doesn’t prompt the user for MFA when accessing the app. However, Azure AD Conditional Access requires MFA and expects Okta to pass the completed MFA claim. Okta may still prompt for MFA if it’s configured at the org-level, but that MFA claim isn't passed to Azure AD.
-
App-level sign-on policy doesn’t require MFA when the user signs in from an "In Zone" network but requires MFA when the user signs in from a network that is "Not in Zone"
If users are signing in from a network that’s In Zone, they aren't prompted for MFA. But again, Azure AD Conditional Access requires MFA and expects Okta to pass the completed MFA claim.

Temporary support for org-level MFA
You can temporarily use the org-level MFA with the following procedure, if:
- You’re migrating your org from Classic Engine to Identity Engine, and
- The org-level sign-on policy requires MFA.
However, we strongly recommend that you set up an app-level Office 365 sign on policy to enforce MFA to use in this procedure.
Before you begin
-
Configure MFA in Okta: Configure an app sign-on policy for your WS-Federation Office 365 app instance as described in Authentication policies.
-
Configure MFA in Azure AD: Configure MFA in your Azure AD instance as described in the Microsoft documentation.
Start this procedure
You need to change your Office 365 domain federation settings to enable the support for Okta MFA. Choose one of the following procedures depending on whether you’ve manually or automatically federated your domain.
For manually federated domain
Run the updated federation script from under the Setup Instructions:
- From the Okta Admin Console, go to Applications > Applications.
- Open your WS-Federated Office 365 app.
-
Click the Sign On tab > Sign on Methods > WS-Federation> View Setup Instructions.
The How to Configure Office 365 WS-Federation page opens.
- On the page, go to the If your domain is already federated section.
- Copy and run the script from this section in Windows PowerShell.
- For the option, Okta MFA from Azure AD, ensure that Enable for this application is checked and click Save.
- Run the following PowerShell command to ensure that SupportsMfa value is True:
Connect-MsolService
Get-MsolDomainFederationSettings -DomainName <yourDomainName>Example result
CopyActiveLogOnUri : https://example.okta.com/app/office365/issueruri/sso/wsfed/active
DefaultInteractiveAuthenticationMethod :
FederationBrandName : Okta
IssuerUri : issueruri
LogOffUri: https://example.okta.com/app/office365/issueruri/sso/wsfed/signout
MetadataExchangeUri : https://example.okta.com/app/office365/issueruri/sso/wsfed/mex
NextSigningCertificate :
OpenIdConnectDiscoveryEndpoint :
PassiveLogOnUri : https://example.okta.com/app/office365/issueruri/sso/wsfed/passive
SigningCertificate : <SigningCertificate>
SupportsMfa : True
For automatically federated domain
In this case, you don't have to configure any settings.
- In the Admin Console, go to .
- Open your WS-Federated Office 365 app.
- Click the Sign On tab > Edit.
- For the option Okta MFA from Azure AD, ensure that Enable for this application is checked and click Save.
- Run the following PowerShell command to ensure that SupportsMfa value is True:
Connect-MsolService
Get-MsolDomainFederationSettings -DomainName <yourDomainName>Example result
CopyActiveLogOnUri : https://example.okta.com/app/office365/issueruri/sso/wsfed/active
DefaultInteractiveAuthenticationMethod :
FederationBrandName : Okta
IssuerUri : issueruri
LogOffUri : https://example.okta.com/app/office365/issueruri/sso/wsfed/signout
MetadataExchangeUri : https://example.okta.com/app/office365/issueruri/sso/wsfed/mex
NextSigningCertificate :
OpenIdConnectDiscoveryEndpoint :
PassiveLogOnUri : https://example.okta.com/app/office365/issueruri/sso/wsfed/passive
SigningCertificate : <SigningCertificate>
SupportsMfa : True
Disable this feature
To disable the feature, complete the following steps:
- From the Okta Admin Console, go to Applications > Applications.
- Open your WS-Federated Office 365 app.
- Click the Sign On tab > Edit.
- For the option Okta MFA from Azure AD, ensure that Enable for this application is unchecked and click Save.
If you turn off this feature, you must manually set the SupportsMfa setting to false for all domains that were automatically federated in Okta with this feature enabled.
Use this PowerShell cmdlet to turn this feature off:
Set-MsolDomainFederationSettings -DomainName <targetDomainName> -SupportsMfa $falseHow the feature works
Okta MFA satisfies Azure AD MFA requirement
Okta passes an MFA claim as described in the following table.
Okta App-level MFA | Azure AD MFA | What Happens |
---|---|---|
Disabled | Enabled |
End users enter an infinite sign-in loop. To prevent this, you must configure Okta MFA to satisfy the Azure AD MFA requirement. |
Enabled | Enabled | End users complete an MFA prompt in Okta. Okta passes the completed MFA claim to Azure AD. Azure AD accepts the MFA from Okta and doesn’t prompt for a separate MFA. The user is allowed to access Office 365. |
Okta enrolls users in Windows Hello
Prerequisite: The device must be Hybrid Azure AD or Azure AD joined.
If your organization requires Windows Hello for Business, Okta prompts end users who aren’t yet enrolled in Windows Hello to complete a step-up authentication (for example, SMS push). After successful enrollment in Windows Hello, end users can sign on. Okta helps the end users enroll as described in the following table.
Okta App-level MFA | What Happens |
---|---|
Disabled |
End users enter an infinite sign-in loop. To prevent this, you must configure Okta MFA to satisfy the Azure AD MFA requirement. |
Enabled | End users complete a step-up MFA prompt in Okta. Upon successful enrollment in Windows Hello for Business, end users can use Windows Hello for Business as a factor to satisfy Azure AD MFA. |
Related topics
Office 365 sign-on rules options
Windows Hello for Business (Microsoft documentation)