Users may experience a persistent login loop when attempting to access the Microsoft Office 365 tenant after performing a password reset via Okta. The loop persists despite the user's attempts to work around it, such as clearing browser session cookies or switching devices.
- Microsoft Office 365 (O365)
- Universal Directory
- Federation
This issue usually occurs when Okta passes the LastPasswordChangeTimestamp to Entra ID (formerly Azure AD). Microsoft Office 365 processes certain dates in a way that yields a date set in the future, and that future date is propagated to the "Sign in sessions valid from date ..." attribute as well.
When a user affected in Entra ID tries to log in, Entra ID rejects the assertion based on its timestamp and validity window: an assertion is valid for only 10 minutes from the time of creation, and because the sessions valid-from attribute is set in the future, the assertion is treated as invalid.
Run in PowerShell:
Revoke-MgUserSignInSession -UserId <String>
- As per the Revoke-MgUserSignInSession article, this resets the signInSessionsValidFromDateTime attribute to the current date and allows the user to log in.
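The following script is an added example (not part of the original article) that checks the user's signInSessionsValidFromDateTime against the current UTC time before revoking, so you confirm the future-dated value described above rather than revoking blindly; it assumes the Microsoft.Graph PowerShell SDK is installed and that you can consent to the User.ReadWrite.All scope, and $Upn is a placeholder for the affected user.

```powershell
# Added example, not from the original article. Assumes the Microsoft.Graph
# PowerShell SDK is installed and the signed-in admin can grant User.ReadWrite.All.
param(
    [Parameter(Mandatory = $true)]
    [string]$Upn   # placeholder, e.g. 'user@example.com'
)

Connect-MgGraph -Scopes 'User.ReadWrite.All'

# signInSessionsValidFromDateTime is only returned when requested explicitly
$user = Get-MgUser -UserId $Upn -Property 'id,userPrincipalName,signInSessionsValidFromDateTime'
$validFrom = $user.SignInSessionsValidFromDateTime
$nowUtc    = (Get-Date).ToUniversalTime()

Write-Host "User:                            $($user.UserPrincipalName)"
Write-Host "signInSessionsValidFromDateTime: $validFrom (UTC)"
Write-Host "Current time:                    $nowUtc (UTC)"

if ($null -ne $validFrom -and $validFrom -gt $nowUtc) {
    # A value in the future means every assertion issued now is already "too early"
    Write-Host "Value is $($validFrom - $nowUtc) in the future; new sign-ins are rejected."

    # Revoking sessions resets the attribute to the current time, as the article states
    $result = Revoke-MgUserSignInSession -UserId $user.Id
    $after  = (Get-MgUser -UserId $user.Id -Property 'signInSessionsValidFromDateTime').SignInSessionsValidFromDateTime
    Write-Host "Revoke succeeded: $($result.Value); attribute now: $after (UTC)"
}
else {
    Write-Host "Value is not in the future; this login loop has another cause."
}
```

Run it against a test user first; the revoke also ends the user's existing sessions on every device, which is expected here but worth telling the user.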
