Office 365 sign-on rules options

This topic explains conditions and actions available for Office 365 app sign-on rules.

To create sign-on rules for an Office 365 app instance, follow the steps explained in Add an authentication policy rule. In addition to the conditions explained in the topic, you can add the following client-specific conditions to your Office 365 app sign-on policy. These conditions allow you to apply sign-on rules based on whether the user is using a web browser, legacy authentication, or modern authentication.

You can add maximum 100 rules to Office 365 sign on policy, including the Catch-All rule.

If conditions

Client is

Option What it does
Any client

Default option. Applies the rule irrespective of the user's client.

This option does not support multifactor authentication. Only single-factor password-based authentication will be used to authenticate users.

One of the following clients

Applies the rule to specific clients. See the table below for options.

Client options

Option What it does
Web browser Applies the rule to web browsers such as Chrome, Safari, or Internet Explorer.
Modern Authentication

Applies the rule to thick client applications configured to leverage Modern Authentication. This includes Office 2013 and 2016 clients with required patches or configuration updates, as detailed in this Microsoft Support documentation: Updated Office 365 modern authentication.

Modern Authentication is a configurable setting on an Office 365 tenant for Exchange Online. See Microsoft documentation: Enable or disable modern authentication in Exchange Online and Office 365: Enable Modern Authentication.

Exchange ActiveSync/ Legacy Authentication

Applies the rule to native mail clients on iOS or Android devices, as well as older desktop clients on macOS and MS Windows that don't support Modern Authentication.

  • Exchange ActiveSync or Legacy Auth clients doesn't support multifactor authentication. Only single-factor password-based authentication will be used to authenticate users.

  • Okta doesn't support Just-In-Time provisioning for Exchange ActiveSync or legacy authentication. Any Staged users or users who have not yet been imported must first sign into Okta to activate their Okta account before they can successfully authenticate into Office 365 apps through Exchange ActiveSync or legacy authentication.

  • Deactivated users whose accounts have been reactivated in AD or LDAP won't be automatically reactivated during legacy authentication. These users must first sign into Okta to reactivate their account before using legacy authentication.

  • Any updates to the user's profile attributes in AD or LDAP won't be automatically pulled into Okta during legacy authentication.

Custom

Specify a client to allow or deny it access to Office 365. This filter can be used to deny access to untrusted clients or to only allow trusted clients. See Allow or deny custom clients in Office 365 sign-on policy.