I'm currently testing out MFA. We have Office 365 federated with Okta. I can set up an off-network policy for logging into Okta with Okta Verify. It works well and I get prompted as expected. My question is: how does this work with rich clients such as Outlook? I can use an off-network laptop to set up a new mail profile for Outlook. Everything goes fine and I log in to the account and start downloading emails. However, I'm not prompted for a second factor of authentication at any point. Shouldn't the MFA policy kick in during, at least, the first login?
I've tried an Okta-wide MFA policy and an application-specific MFA policy. Neither seems to prompt when not using a browser.