
MFA not Prompting for Microsoft Office 365 Thick Clients (Desktop Applications)

Multi-Factor Authentication

Overview

This article explains a potential reason a user may not receive a Multi-factor Authentication (MFA) prompt for a Microsoft 365 thick client application.

  • Within Okta, a valid app sign-on policy for 365 exists, and users are prompted for MFA when logging in via the web.

Applies To

  • Microsoft Office 365 (O365)
  • App sign-on policies
  • Any OS or browser

Cause

For thick clients that support MFA, the individual app or service determines how frequently the user is directed back to Okta for authentication. The 'JSON refresh token period' for desktop (thick) clients defaults to 14-90 days.

Note: Each time, the user is authenticated by the JSON token, NOT by a new authentication call to Okta.

For Microsoft Office app refresh intervals, see Session timeouts for Office 365.

Solution

  1. Revoke the session manually
    • In the Microsoft 365 admin center, go to Azure > users, select the user, and press Revoke Sessions under that user's profile. Open the desktop application. A prompt for Okta MFA should now appear.

  2. Update the session token
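
The following is an added example, not part of the original article and not Okta or Microsoft code: a small Python model of the behaviour described under Cause and of the manual revocation in step 1. The function name, the once-a-day usage pattern and the fixed (non-sliding) token lifetime are assumptions made for illustration.

```python
from datetime import datetime, timedelta, timezone
from typing import List, Optional


def okta_prompt_days(lifetime_days: int, observe_days: int,
                     revoke_on_day: Optional[int] = None) -> List[int]:
    """Model a user who opens a thick client once a day.

    Returns the day offsets on which the client is sent back to Okta, which
    is the only point where the app sign-on policy (and MFA) is evaluated.
    Assumption: the refresh token has a fixed lifetime and is not extended
    on use.
    """
    start = datetime(2024, 1, 1, tzinfo=timezone.utc)   # constructed date
    lifetime = timedelta(days=lifetime_days)
    token_issued = start     # day 0: interactive sign-in through Okta with MFA
    valid_from = None        # set when an admin presses Revoke Sessions
    prompts: List[int] = []

    for day in range(1, observe_days + 1):
        now = start + timedelta(days=day)
        if revoke_on_day == day:
            valid_from = now                 # tokens issued earlier are rejected

        expired = now >= token_issued + lifetime
        revoked = valid_from is not None and token_issued < valid_from

        if expired or revoked:
            prompts.append(day)              # redirected to Okta, MFA prompt shown
            token_issued = now               # new token after re-authentication
        # Otherwise the stored token is accepted and Okta is never contacted,
        # so no MFA prompt appears even though the sign-on policy requires it.
    return prompts


if __name__ == "__main__":
    print("90-day token, 120 days observed:", okta_prompt_days(90, 120))
    print("14-day token, 30 days observed: ", okta_prompt_days(14, 30))
    print("90-day token, revoked on day 10:", okta_prompt_days(90, 120, 10))
```

With a 90-day token the user sees no Okta prompt for the first 89 days; revoking sessions on day 10 forces the prompt that day and restarts the period.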

