Use Okta MFA for Azure Active Directory

You can use Okta multifactor authentication (MFA) to satisfy the Azure Active Directory (AD) MFA requirements for your WS-Federation Office 365 app. Use Okta MFA in the following cases:

  • You want Okta to handle the MFA requirements prompted by Azure AD Conditional Access for your Okta-federated domain.
  • You want to enroll your users in Windows Hello for Business. This gives users a single solution for both Okta and Microsoft MFA.

Okta Single Sign-On (SSO) supports the WS-Federation wauth parameter, which defines the required authentication level for sign-in attempts. This allows you to avoid enforcing MFA for all users and require extra authentication only when necessary. If there's a wauth request and the user has only enrolled one authenticator, Okta prompts the user to enroll another authenticator.

Temporary support for org-level MFA

You can use org-level MFA temporarily with this procedure in the following situations:

  • You're migrating your org from Classic Engine to Identity Engine.
  • The global session policy requires MFA.

To use this procedure, you must set up an authentication policy for Office 365 that enforces MFA.

Before you begin

Verify that the following prerequisites have been met before proceeding:

  1. You're using an Identity Engine org.
  2. Your Okta org has an Office 365 app configured. See Microsoft Office 365.
  3. Your Okta org has more than one authenticator configured. See Multifactor authentication.
  4. Users have enrolled in more than one authenticator. See Authenticator enrollment policy.
  5. MFA is configured in your Azure AD instance. See Configure Microsoft Entra multifactor authentication settings.

Start this procedure

Change your Office 365 domain federation settings to enable support for Okta MFA. Complete one of these procedures:

Manually federated domains

  1. In the Admin Console, go to Applications > Applications.
  2. Open your WS-Federated Office 365 app.
  3. Click Sign On > Sign on Methods > WS-Federation > View Setup Instructions. The How to Configure Office 365 WS-Federation page appears.
  4. Go to the If your domain is already federated section.
  5. Run one of the following PowerShell command pairs, depending on the module used in your environment:
    • Manually federated domains (MSOnline module): Ensure that the SupportsMfa value is True:
      Connect-MsolService
      Get-MsolDomainFederationSettings -DomainName <yourDomainName>
    • Manually federated domains (Microsoft Graph module): Ensure that the FederatedIdpMfaBehavior value is enforceMfaByFederatedIdp:
      Connect-MgGraph -Scopes Directory.AccessAsUser.All
      Get-MgDomainFederationConfiguration -DomainId <yourDomainName> | Select -Property FederatedIdpMfaBehavior
  6. For the Okta MFA from Azure AD option, select Enable for this application.
  7. Click Save.

Example result: MSOnline

ActiveLogOnUri : https://example.okta.com/app/office365/issueruri/sso/wsfed/active
FederationBrandName : Okta
IssuerUri : issueruri
LogOffUri : https://example.okta.com/app/office365/issueruri/sso/wsfed/signout
MetadataExchangeUri : https://example.okta.com/app/office365/issueruri/sso/wsfed/mex
PassiveLogOnUri : https://example.okta.com/app/office365/issueruri/sso/wsfed/passive
SigningCertificate : <SigningCertificate>
SupportsMfa : True

Example result: Microsoft Graph

ActiveSignInUri : https://example.okta.com/app/office365/issueruri/sso/wsfed/active
FederationBrandName : Okta
IssuerUri : https://issueruri
SignOutUri : https://example.okta.com/app/office365/issueruri/sso/wsfed/signout
MetadataExchangeUri : https://example.okta.com/app/office365/issueruri/sso/wsfed/mex
PassiveLogOnUri : https://example.okta.com/app/office365/issueruri/sso/wsfed/passive
SigningCertificate : <SigningCertificate>
FederatedIdpMfaBehavior: acceptIfMfaDoneByFederatedIdp

Automatically federated domains

  1. In the Admin Console, go to Applications > Applications.
  2. Open your WS-Federated Office 365 app.
  3. Click Sign On > Edit.
  4. For the Okta MFA from Azure AD option, select Enable for this application.
  5. Click Save.

Example result: MSOnline

ActiveLogOnUri : https://example.okta.com/app/office365/issueruri/sso/wsfed/active
FederationBrandName : Okta
IssuerUri : issueruri
LogOffUri : https://example.okta.com/app/office365/issueruri/sso/wsfed/signout
MetadataExchangeUri : https://example.okta.com/app/office365/issueruri/sso/wsfed/mex
PassiveLogOnUri : https://example.okta.com/app/office365/issueruri/sso/wsfed/passive
SigningCertificate : <SigningCertificate>
SupportsMfa : True

Example result: Microsoft Graph

ActiveLogOnUri : https://example.okta.com/app/office365/issueruri/sso/wsfed/active
FederationBrandName : Okta
IssuerUri : issueruri
SignOutUri : https://example.okta.com/app/office365/issueruri/sso/wsfed/signout
MetadataExchangeUri : https://example.okta.com/app/office365/issueruri/sso/wsfed/mex
PassiveLogOnUri : https://example.okta.com/app/office365/issueruri/sso/wsfed/passive
SigningCertificate : <SigningCertificate>
FederatedIdpMfaBehavior: acceptIfMfaDoneByFederatedIdp

Disable this feature

  1. In the Admin Console, go to Applications > Applications.
  2. Open your WS-Federated Office 365 app.
  3. Click Sign On > Edit.
  4. For the Okta MFA from Azure AD option, clear the Enable for this application option.
  5. Click Save.
  6. Run one of the following PowerShell commands, depending on the module used in your environment:
    • Disable Okta MFA for Azure AD (MSOnline): Ensure that the SupportsMfa setting is false for all domains that were automatically federated in Okta with this feature enabled:

      Set-MsolDomainFederationSettings -DomainName <targetDomainName> -SupportsMfa $false

    • Disable Okta MFA for Azure AD (Microsoft Graph): Ensure that the FederatedIdpMfaBehavior setting is enforceMfaByFederatedIdp for all domains that were automatically federated in Okta with this feature enabled:

      Update-MgDomainFederationConfiguration -DomainId <DomainName> -InternalDomainFederationId (Get-MgDomainFederationConfiguration -DomainId <DomainName> | Select -Property Id).id -FederatedIdpMfaBehavior enforceMfaByFederatedIdp
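Both the verification in step 5 of the manually federated procedure and the disable step above check FederatedIdpMfaBehavior one domain at a time. The following script is an added example, not part of the Okta documentation, that audits the setting across every federated domain in the tenant using the Microsoft Graph PowerShell SDK; Get-MgDomain and its AuthenticationType property are not mentioned on this page and are assumed to be available in the installed SDK, and the expected value is passed in rather than hard-coded so the report works for either procedure.

```powershell
# Added example (not from the Okta documentation): report the federation MFA
# behavior of every federated domain so that no automatically federated domain
# is missed. Assumes the Microsoft.Graph PowerShell SDK is installed and the
# caller can consent to the Directory.AccessAsUser.All scope used on this page.
function Get-FederatedMfaBehaviorReport {
    param(
        # The value you expect after enabling or disabling the feature; passed
        # in so the report does not bake in a policy decision.
        [Parameter(Mandatory)]
        [ValidateSet('acceptIfMfaDoneByFederatedIdp',
                     'enforceMfaByFederatedIdp',
                     'rejectMfaByFederatedIdp')]
        [string]$Expected
    )

    # Only federated (not managed) domains carry a federation configuration.
    $federated = Get-MgDomain -All |
        Where-Object { $_.AuthenticationType -eq 'Federated' }

    foreach ($domain in $federated) {
        # A domain may expose more than one federation configuration object.
        $configs = Get-MgDomainFederationConfiguration -DomainId $domain.Id
        foreach ($c in $configs) {
            [pscustomobject]@{
                Domain                  = $domain.Id
                IssuerUri               = $c.IssuerUri
                FederatedIdpMfaBehavior = $c.FederatedIdpMfaBehavior
                # False here means the domain still needs the Update-... step.
                MatchesExpected         = ($c.FederatedIdpMfaBehavior -eq $Expected)
            }
        }
    }
}

Connect-MgGraph -Scopes Directory.AccessAsUser.All
Get-FederatedMfaBehaviorReport -Expected enforceMfaByFederatedIdp |
    Format-Table -AutoSize
```

Domains reported with MatchesExpected set to False are the ones to revisit with Update-MgDomainFederationConfiguration.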

Related topics

Office 365 sign-on rules options

Plan a Windows Hello for Business deployment (Microsoft documentation)