Mac Users 2FA on Office 365 local applications - 401 - Unauthorized: Access is denied due to invalid credentials (unless O365/OKTA admins)
Mac Users adding a new Office 365 account on a freshly installed Macbook (so not a keychain issue), or Mac users with an existing account on Office 365 who are changing their password receive the error: 401 - Unauthorized: Access is denied due to invalid credentials (unless they are O365/OKTA admins). This only happens when on our internal network, authenticating with internal server.
On an external wifi network this error does not occur and they can progress to the 2 factor authentication screen.
If I use the Google DNS on our internal network when trying to add a new account, it just returns to the Add account screen for standard users. When changing a password with Google DNS entered, it returns to the 401 error screen.
My Office 365/OKTA admin account allows me through to the 2 factor authentication screen on all 3 scenarios (internal IP, internal IP with Google DNS, external IP)
Firstly I have to say it depends on different situations you might place yourself in. There might be a range of factors in discussion here. To begin with, I wonder if those users type in their credentials or if you have an IWA infrastructure set on the internal server (Desktop SSO). It might be a problem caused by this.
Also, it depends whether they are using thick clients or not. ADAL or 'modern authentication' might play a role there where IPs from Microsoft come in scene. Even in SAML configurations admin credentials interfere differently with the configuration, so it might be related to this as well.
Of course, a lot of error happen because of the steps missed in the process of federating O365 where I can even link some pieces of information for you. For situations like this we created the step by step guide for federating O365, please verify if steps were skipped: https://support.okta.com/help/articles/Knowledge_Article/38682106-Microsoft-Office-365-Integration-Guide
Let me also include here a list of cmdlets to help you out: https://docs.microsoft.com/en-us/powershell/module/MSOnline/?view=azureadps-1.0
The suggestion I have for you, in case none of the above help you out, is to open a case with us. On the community page we cannot help you at the full extent of our posibilities.