Okta Identity Engine Upgrade Blocked by OFFICE365_PASS_CLAIM_FOR_MFA Feature
Administration
Okta Classic Engine
Okta Identity Engine
Overview

The following reconfiguration has been identified as part of the preparation needed to upgrade to Okta Identity Engine (OIE). Note that additional Okta features may require reconfiguration, or may need to be disabled, in order to complete the upgrade. The OFFICE365_PASS_CLAIM_FOR_MFA feature blocks an upgrade to OIE because, in OIE, Okta only sends an MFA claim to Microsoft Azure Active Directory (Azure AD) when the Authentication Policy rules explicitly require Multi-Factor Authentication (MFA). Resolving this blocker requires reconfiguring the Authentication Policies so that every rule that grants access explicitly requires MFA. The OFFICE365_PASS_CLAIM_FOR_MFA feature sends an assertion to Azure AD indicating that the Identity Provider (IdP) performed MFA, which allows Okta to serve as the MFA source for Azure AD MFA policies.

Applies To
  • Okta Identity Engine (OIE)
  • Okta Classic Engine
  • Microsoft Office 365
  • OFFICE365_PASS_CLAIM_FOR_MFA
Cause

The upgrade blocker occurs due to a functional change between Okta Classic Engine and OIE. In Okta Classic Engine, an MFA prompt from the Okta Sign On Policy satisfies the requirement to send the MFA claim to Microsoft. In OIE, this configuration is insufficient. All Authentication Policy rules that grant access must explicitly require MFA for Okta to send the claim.

Solution

How should administrators reconfigure the Authentication Policies to resolve the upgrade blocker?

Reconfigure the Authentication Policies after completing the upgrade to OIE by setting the rules to explicitly require MFA.


  1. Configure Authentication Policy rules to require MFA. All rules that allow access must require MFA for Okta to send the claim in the assertion.
  2. Ensure the rules require factors such as Password + Another Factor or Any Two Factor Types. An organization-level MFA requirement satisfies this condition, but the specific Authentication Policy that grants access must have an MFA method selected.

NOTE: These Authentication Policy rules are unnecessary if Azure AD lacks an active MFA configuration.
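The check an administrator would want before and after this reconfiguration is whether any active rule still grants access without two-factor assurance. The script below is an added illustration, not Okta's own tooling: it walks constructed sample rule objects shaped like the ACCESS_POLICY rules returned by the Okta Policies API (GET /api/v1/policies/{policyId}/rules), flags ALLOW rules whose verificationMethod.factorMode is not "2FA", and shows the minimal update (Any Two Factor Types) that satisfies the OIE requirement. The sample rules and the helper names are assumptions made for this example.

```python
"""Audit Okta authentication policy rules for the OIE MFA requirement (added example)."""
import json
from typing import Any

# Constructed sample data: three ACCESS_POLICY rules as the Policies API would return them.
SAMPLE_RULES: list[dict[str, Any]] = [
    {   # Grants access with a single factor: blocks the MFA claim on OIE.
        "name": "Catch-all Rule", "type": "ACCESS_POLICY", "status": "ACTIVE",
        "actions": {"appSignOn": {"access": "ALLOW",
                                  "verificationMethod": {"factorMode": "1FA", "type": "ASSURANCE"}}},
    },
    {   # Deny rules do not grant access, so they need no MFA setting.
        "name": "Deny legacy protocols", "type": "ACCESS_POLICY", "status": "ACTIVE",
        "actions": {"appSignOn": {"access": "DENY"}},
    },
    {   # "Password + Another Factor": 2FA with a knowledge (password) constraint.
        "name": "Password + another factor", "type": "ACCESS_POLICY", "status": "ACTIVE",
        "actions": {"appSignOn": {"access": "ALLOW",
                                  "verificationMethod": {"factorMode": "2FA", "type": "ASSURANCE",
                                                         "constraints": [{"knowledge": {"types": ["password"]}}]}}},
    },
]


def grants_access(rule: dict[str, Any]) -> bool:
    """True for rules whose app sign-on action is ALLOW."""
    return rule.get("actions", {}).get("appSignOn", {}).get("access") == "ALLOW"


def requires_mfa(rule: dict[str, Any]) -> bool:
    """True when the rule's verification method demands two factors."""
    method = rule.get("actions", {}).get("appSignOn", {}).get("verificationMethod", {})
    return method.get("factorMode") == "2FA"


def find_blocking_rules(rules: list[dict[str, Any]]) -> list[str]:
    """Names of active ALLOW rules that would stop Okta from sending the MFA claim."""
    return [r["name"] for r in rules
            if r.get("status") == "ACTIVE" and grants_access(r) and not requires_mfa(r)]


def mfa_rule_update(rule: dict[str, Any]) -> dict[str, Any]:
    """Deep copy of an ALLOW rule with its verification method set to 'Any Two Factor Types'."""
    fixed = json.loads(json.dumps(rule))
    fixed["actions"]["appSignOn"]["verificationMethod"] = {"factorMode": "2FA", "type": "ASSURANCE"}
    return fixed


if __name__ == "__main__":
    for name in find_blocking_rules(SAMPLE_RULES):
        print(f"rule '{name}' grants access without MFA; OIE will not send the MFA claim")
```

Running it against the sample data reports only "Catch-all Rule"; the same logic applied to live API output lists the rules that still need the MFA setting described above.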
