Microsoft Office 365: User is Stuck in a Login Loop after Resetting Okta Password
Overview
Users may experience a persistent login loop when attempting to access the Microsoft Office 365 tenant after performing a password reset via Okta. The loop persists despite the usual mitigation attempts, such as clearing browser session cookies and switching devices.
Applies To
- Microsoft Office 365 (O365)
- Universal Directory
- Federation
Cause
This issue usually occurs when Okta passes the LastPasswordChangeTimestamp to Entra ID (formerly Azure AD). Microsoft Office 365 processes certain dates in a way that results in a password-change date set in the future, and that future date is propagated to the user's "Sign in sessions valid from date ..." (signInSessionsValidFromDateTime) attribute as well.
When an affected user tries to log in, Entra ID rejects the assertion based on its timestamps: the assertion is only valid for 10 minutes from the time it is created, but the user's sessions are marked as valid only from a point in the future, so the assertion is treated as invalid.
Solution
Run the following in PowerShell using the Microsoft Graph PowerShell SDK, replacing <String> with the affected user's object ID or user principal name:
Connect-MgGraph -Scopes "User.ReadWrite.All"
Revoke-MgUserSignInSession -UserId <String>
- As described in the Revoke-MgUserSignInSession article, this resets the user's signInSessionsValidFromDateTime attribute to the current date and allows the user to log in again.
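The following script is an added example, not part of the original article or of Okta's or Microsoft's own tooling. It ties the Cause and Solution sections together: it reads the two timestamps involved (lastPasswordChangeDateTime and signInSessionsValidFromDateTime) for the affected user, confirms that the "valid from" date really is in the future before touching anything, runs Revoke-MgUserSignInSession, and re-reads the attribute to verify the fix took effect. It assumes the Microsoft Graph PowerShell SDK is installed and that the placeholder $Upn is replaced with the affected user's user principal name; the Get-SessionValidity function name is the example's own.

```powershell
# Added example (not from the original article). Assumes the Microsoft.Graph
# PowerShell SDK is installed. $Upn is a placeholder for the affected user.
$Upn = "user@example.com"

# User.ReadWrite.All covers reading the user and revoking sign-in sessions
Connect-MgGraph -Scopes "User.ReadWrite.All"

function Get-SessionValidity {
    param([Parameter(Mandatory)][string]$UserId)

    # Request only the properties relevant to this issue
    $u = Get-MgUser -UserId $UserId -Property "id,userPrincipalName,lastPasswordChangeDateTime,signInSessionsValidFromDateTime" -ErrorAction Stop
    $nowUtc = (Get-Date).ToUniversalTime()

    [pscustomobject]@{
        UserPrincipalName               = $u.UserPrincipalName
        LastPasswordChangeDateTime      = $u.LastPasswordChangeDateTime
        SignInSessionsValidFromDateTime = $u.SignInSessionsValidFromDateTime
        # A "valid from" date later than now is the signature of this login loop:
        # every assertion Okta sends is considered not yet valid and is rejected.
        ValidFromIsInFuture             = ($null -ne $u.SignInSessionsValidFromDateTime) -and
                                          ($u.SignInSessionsValidFromDateTime -gt $nowUtc)
    }
}

$before = Get-SessionValidity -UserId $Upn
Write-Host "Before:"
$before | Format-List

if (-not $before.ValidFromIsInFuture) {
    Write-Host "signInSessionsValidFromDateTime is not in the future; the loop likely has a different cause."
    return
}

Write-Host "signInSessionsValidFromDateTime is in the future; revoking sign-in sessions to reset it."
try {
    # Invalidates refresh tokens and session cookies and sets
    # signInSessionsValidFromDateTime to the current time.
    Revoke-MgUserSignInSession -UserId $Upn -ErrorAction Stop | Out-Null
}
catch {
    throw "Revoke-MgUserSignInSession failed for $Upn : $($_.Exception.Message)"
}

# Verify the attribute was actually pulled back to the present
$after = Get-SessionValidity -UserId $Upn
Write-Host "After:"
$after | Format-List

if ($after.ValidFromIsInFuture) {
    throw "signInSessionsValidFromDateTime is still in the future for $Upn; check the timestamp Okta is passing."
}
Write-Host "Reset confirmed. Ask the user to sign in again."
```

Reading the attribute before revoking is the useful part: if signInSessionsValidFromDateTime is not in the future, the revoke will not help and the loop is something else (conditional access, a stale federation certificate, and so on). Note that revoking sign-in sessions signs the user out of every Microsoft 365 session on every device, so run it with the user's knowledge.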
