Use Okta MFA for Azure Active Directory
You can use Okta multifactor authentication (MFA) to satisfy the Azure Active Directory (AD) MFA requirements for your WS-Federation Office 365 app. Use Okta MFA in the following cases:
- You want Okta to handle the MFA requirements prompted by Azure AD Conditional Access for your Okta-federated domain.
- You want to enroll your users in Windows Hello for Business. This gives users a single solution for both Okta and Microsoft MFA.
Okta Single Sign-On (SSO) supports the WS-Federation wauth parameter, which defines the required authentication level for sign-in attempts. This allows you to avoid enforcing MFA for all users and require extra authentication only when necessary.
Temporary support for org-level MFA
You can use org-level MFA temporarily with the following procedure for the following situations:
- You're migrating your org from Classic Engine to Identity Engine.
- The global session policy requires MFA.
You must set up an authentication policy for Office 365 to enforce MFA to use in this procedure.
Before you begin
Verify that the following prerequisites have been met before proceeding:
- You're using an Identity Engine org.
- Your Okta org has an Office 365 app configured. See Microsoft Office 365.
- Your Okta org has more than one authenticator configured. See Multifactor authentication.
- Users have enrolled in more than one authenticator. See Authenticator enrollment policy.
- MFA is configured in your Azure AD instance. See Configure Microsoft Entra multifactor authentication settings.
Start this procedure
Change your Office 365 domain federation settings to enable support for Okta MFA. Complete one of these procedures:
Manually federated domains
-
In the Admin Console, go to .
- Open your WS-Federated Office 365 app.
- Click How to Configure Office 365 WS-Federation page appears. . The
- Go to the If your domain is already federated section.
- Run either of the following PowerShell commands, depending on your environment:
- Manually federated domains: Ensure that the SupportsMfa value is True:
Connect-MsolService
Get-MsolDomainFederationSettings -DomainName <yourDomainName> - Manually federated domains (Microsoft Graph Module): Ensure that the FederatedIdpMfaBehavior value is enforceMfaByFederatedIdp:
Connect-MgGraph -Scopes Directory.AccessAsUser.All
Get-MgDomainFederationConfiguration -DomainId <yourDomainName> | Select -Property FederatedIdpMfaBehavior
- Manually federated domains: Ensure that the SupportsMfa value is True:
- For the Okta MFA from Azure AD option, select Enable for this application.
- Click Save.
Example result: MSOnline
ActiveLogOnUri : https://example.okta.com/app/office365/issueruri/sso/wsfed/active
FederationBrandName : Okta
IssuerUri : issueruri
LogOffUri : https://example.okta.com/app/office365/issueruri/sso/wsfed/signout
MetadataExchangeUri : https://example.okta.com/app/office365/issueruri/sso/wsfed/mex
PassiveLogOnUri : https://example.okta.com/app/office365/issueruri/sso/wsfed/passive
SigningCertificate : <SigningCertificate>
SupportsMfa : True
Example result: Microsoft Graph
ActiveSignInUri : https://example.okta.com/app/office365/issueruri/sso/wsfed/active
FederationBrandName : Okta
IssuerUri : https://issueruri
SignOutUri : https://example.okta.com/app/office365/issueruri/sso/wsfed/signout
MetadataExchangeUri : https://example.okta.com/app/office365/issueruri/sso/wsfed/mex
PassiveLogOnUri : https://example.okta.com/app/office365/issueruri/sso/wsfed/passive
SigningCertificate : <SigningCertificate>
FederatedIdpMfaBehavior: acceptIfMfaDoneByFederatedIdp
Automatically federated domains
- In the Admin Console, go to .
- Open your WS-Federated Office 365 app.
- Click .
- For the Okta MFA from Azure AD option, select Enable for this application.
- Click Save.
Example result: MSOnline
ActiveLogOnUri : https://example.okta.com/app/office365/issueruri/sso/wsfed/active
FederationBrandName : Okta
IssuerUri : issueruri
LogOffUri : https://example.okta.com/app/office365/issueruri/sso/wsfed/signout
MetadataExchangeUri : https://example.okta.com/app/office365/issueruri/sso/wsfed/mex
PassiveLogOnUri : https://example.okta.com/app/office365/issueruri/sso/wsfed/passive
SigningCertificate : <SigningCertificate>
SupportsMfa : True
Example result: Microsoft Graph
ActiveLogOnUri : https://example.okta.com/app/office365/issueruri/sso/wsfed/active
FederationBrandName : Okta
IssuerUri : issueruri
SignOutUri : https://example.okta.com/app/office365/issueruri/sso/wsfed/signout
MetadataExchangeUri : https://example.okta.com/app/office365/issueruri/sso/wsfed/mex
PassiveLogOnUri : https://example.okta.com/app/office365/issueruri/sso/wsfed/passive
SigningCertificate : <SigningCertificate>
FederatedIdpMfaBehavior: acceptIfMfaDoneByFederatedIdp
Disable this feature
-
In the Admin Console, go to .
- Open your WS-Federated Office 365 app.
- Click .
- For the Okta MFA from Azure AD option, clear the Enable for this application option.
- Click Save.
- Run either of the following PowerShell commands, depending on your environment:
- Disable Okta MFA for Azure AD (MSOnline): Ensure that the SupportsMfa setting is false for all domains that were automatically federated in Okta with this feature enabled:
Set-MsolDomainFederationSettings -DomainName <targetDomainName> -SupportsMfa $false
- Disable Okta MFA for Azure AD (Microsoft Graph): Ensure that the FederatedIdpMfaBehavior setting is enforceMfaByFederatedIdp for all domains that were automatically federated in Okta with this feature enabled:
Update-MgDomainFederationConfiguration -DomainId <DomainName> -InternalDomainFederationId (Get-MgDomainFederationConfiguration -DomainId <DomainName> | Select -Property Id).id -FederatedIdpMfaBehavior enforceMfaByFederatedIdp
- Disable Okta MFA for Azure AD (MSOnline): Ensure that the SupportsMfa setting is false for all domains that were automatically federated in Okta with this feature enabled:
Related topics
Office 365 sign-on rules options
Plan a Windows Hello for Business deployment (Microsoft documentation)