Microsoft Office 365 Authentication Fails via Polycom Skype Phones
Single Sign-On
Okta Classic Engine
Okta Identity Engine
Overview

For the Microsoft Office 365 app, the Sign On policies have been configured to block Legacy/Basic authentication. As a result, some users are unable to log in to Skype on Polycom VVX desk phones when using the "User Credentials" option on the device.

Polycom considers these Skype phones "Modern Auth" clients. However, Okta detects these authentications as Basic Auth because they hit the active endpoint (/app/office365/{key}/sso/wsfed/active). Okta therefore blocks the login request, and the login fails on the device.

Applies To
  • Microsoft Office 365 (O365)
  • Application Sign On Policies
Cause

When a user authenticates on the Polycom device with the "User Credentials" option, the device uses the resource owner password credentials authorization flow. This in turn results in a legacy authentication call to the Identity Provider (IdP), which is Okta in this case. Because an application sign-on policy in Okta blocks legacy authentication (anything hitting the /app/office365/{key}/sso/wsfed/active endpoint), these users are denied access and cannot authenticate.

Microsoft enforces Basic Authentication when using the "User Credentials" login option on the Polycom VVX device. Microsoft's Documentation on Authentication states, "If using a third-party authentication provider that is supported by Azure AD, it must support an active authentication flow through WS-Trust." 
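To find which users and devices are still sending sign-ins to the active endpoint described above, the following added example (not Okta's or Poly's code) matches request URIs against the endpoint shape quoted in this article and counts denied hits per user and client. The record fields (`user`, `agent`, `uri`, `result`) are a hypothetical export layout, and all sample values are constructed.

```python
import re
from collections import Counter
from urllib.parse import urlsplit

# Endpoint shape quoted in the article; {key} is the per-app key segment.
ACTIVE_WSFED = re.compile(r"^/app/office365/[^/]+/sso/wsfed/active/?$")


def hits_active_endpoint(request_uri):
    """True if a path or full URL targets the active WS-Fed endpoint."""
    # urlsplit drops scheme, host and query string, so only the path is matched.
    return bool(ACTIVE_WSFED.match(urlsplit(request_uri).path))


def denied_legacy_signins(records):
    """Count denied active-endpoint requests per (user, agent) pair."""
    hits = Counter()
    for rec in records:
        if hits_active_endpoint(rec["uri"]) and rec["result"] == "DENY":
            hits[(rec["user"], rec["agent"])] += 1
    return dict(hits)


# Constructed sample records in a hypothetical export layout (assumption:
# this is not the schema of any real log source).
SAMPLE = [
    {"user": "bob@example.com", "agent": "constructed-vvx-phone/1",
     "uri": "/app/office365/exampleKey1/sso/wsfed/active", "result": "DENY"},
    {"user": "bob@example.com", "agent": "constructed-vvx-phone/1",
     "uri": "https://idp.example.invalid/app/office365/exampleKey1/sso/wsfed/active?x=1",
     "result": "DENY"},
    {"user": "alice@example.com", "agent": "constructed-vvx-phone/1",
     "uri": "/app/office365/exampleKey1/sso/wsfed/active/", "result": "DENY"},
    # Constructed non-matching paths: a different flow and a lookalike suffix.
    {"user": "carol@example.com", "agent": "constructed-browser/1",
     "uri": "/app/office365/exampleKey1/sso/other", "result": "ALLOW"},
    {"user": "dave@example.com", "agent": "constructed-browser/1",
     "uri": "/app/office365/exampleKey1/sso/wsfed/active/extra", "result": "DENY"},
]

if __name__ == "__main__":
    for (user, agent), count in sorted(denied_legacy_signins(SAMPLE).items()):
        print(f"{user}\t{agent}\t{count} denied on active endpoint")
```

Users listed in the output are the ones to move to the "Web Sign In" option.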
 

Solution

For Poly phones deployed in environments where third-party IdPs are configured, Poly only supports the Passive authentication flow (Modern Authentication) using the "Web Sign In" option. This option also supports MFA.

To continue blocking Basic Auth traffic using Okta's App Sign On Policies, but allow Skype access via Polycom devices, users will need to sign in using the "Web Sign In" option on the device.
