The following reconfiguration has been identified as part of the preparation needed to perform the upgrade to Okta Identity Engine (OIE). Note that additional Okta features may require reconfiguration or be disabled in order to complete the upgrade. This article addresses an upgrade blocker related to the OFFICE365_PASS_CLAIM_FOR_MFA feature when migrating to OIE. This feature sends an assertion to Microsoft Azure Active Directory (AD) indicating that Multi-Factor Authentication (MFA) was performed at the Identity Provider (IdP), allowing Okta to serve as the MFA source for Azure AD MFA policies.
- Microsoft Office 365
- OFFICE365_PASS_CLAIM_FOR_MFA
The upgrade blocker is caused by a functional change between the Okta Classic Engine and OIE. In the Classic Engine, an MFA prompt triggered by the Okta Sign On Policy is enough for Okta to send the MFA claim to Microsoft. In OIE this is no longer sufficient: the claim is sent only when the Authentication Policy rule that admitted the user explicitly requires MFA. If a user reaches Office 365 through a rule that grants access without MFA, no claim is sent and the Okta factor does not satisfy the Azure AD MFA policy for that session. Every Authentication Policy rule that grants access must therefore require MFA.
To resolve the upgrade blocker, an administrator must reconfigure the Authentication Policies after the upgrade to OIE is complete:
- Configure the Authentication Policy rules to require Multi-Factor Authentication (MFA). Every rule that allows access must require MFA; otherwise the claim is not included in the assertion for users admitted by that rule.
- Ensure each such rule requires factors such as Password + Another factor or Any 2 factor types. An organization-level MFA requirement (for example in the Global Session Policy) is not enough on its own: the specific Authentication Policy rule that grants access must itself have an MFA method selected.
NOTE: Setting up these Authentication Policy rules is not required if MFA is not enabled on the Azure Active Directory (AD) side.
- For guidance on configuring MFA in Azure AD, refer to the Microsoft documentation.
- For additional information on this integration, see Use Okta MFA for Microsoft Entra ID (formerly Azure Active Directory).
- A detailed walkthrough is available in this Webinar on YouTube.
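The resolution steps above amount to one check: no active rule of the Office 365 Authentication Policy may grant access without requiring two factor types. The following script is an added example (written for this article, not Okta's own tooling) that performs that check against the rule objects returned by the Okta Policy API (`GET /api/v1/policies/{policyId}/rules`, where ACCESS_POLICY rules carry `actions.appSignOn.verificationMethod`). The sample rules embedded in the script are constructed and trimmed to the relevant fields; the org URL, API token and policy ID used by `fetch_rules` are placeholders you supply.

```python
"""Audit an OIE Authentication Policy: every ACTIVE rule that ALLOWs access
must require MFA (verificationMethod.factorMode == "2FA"), otherwise the MFA
claim to Azure AD / Entra ID is not sent for sessions admitted by that rule.

Added example for this article, not Okta's own code. Rule shape follows the
Okta Policy API; the sample rules below are constructed, not real data."""

import json
import urllib.request

# Constructed sample of what GET /api/v1/policies/{policyId}/rules returns,
# reduced to the fields the audit looks at.
SAMPLE_RULES = [
    {
        "id": "rul-1", "name": "Admins: any two factor types", "status": "ACTIVE",
        "actions": {"appSignOn": {"access": "ALLOW",
            "verificationMethod": {"type": "ASSURANCE", "factorMode": "2FA",
                                   "constraints": []}}},
    },
    {
        "id": "rul-2", "name": "Block unmanaged devices", "status": "ACTIVE",
        "actions": {"appSignOn": {"access": "DENY"}},
    },
    {
        "id": "rul-3", "name": "Legacy: password only", "status": "ACTIVE",
        "actions": {"appSignOn": {"access": "ALLOW",
            "verificationMethod": {"type": "ASSURANCE", "factorMode": "1FA",
                                   "constraints": [{"knowledge": {"types": ["password"]}}]}}},
    },
    {
        "id": "rul-4", "name": "Old rule (disabled)", "status": "INACTIVE",
        "actions": {"appSignOn": {"access": "ALLOW",
            "verificationMethod": {"type": "ASSURANCE", "factorMode": "1FA"}}},
    },
    {
        "id": "rul-5", "name": "Catch-all Rule", "status": "ACTIVE", "system": True,
        "actions": {"appSignOn": {"access": "ALLOW",
            "verificationMethod": {"type": "ASSURANCE", "factorMode": "2FA",
                                   "constraints": [{"knowledge": {"types": ["password"]}}]}}},
    },
]


def rule_requires_mfa(rule):
    """True only if the rule's verification method demands two factor types.
    A missing verificationMethod or factorMode "1FA" counts as no MFA."""
    sign_on = rule.get("actions", {}).get("appSignOn", {})
    method = sign_on.get("verificationMethod") or {}
    return method.get("type") == "ASSURANCE" and method.get("factorMode") == "2FA"


def rules_missing_mfa(rules):
    """Names of ACTIVE rules that ALLOW access without requiring MFA.
    DENY and INACTIVE rules admit no session, so they cannot leak a
    claim-less login and are ignored."""
    return [
        rule["name"]
        for rule in rules
        if rule.get("status") == "ACTIVE"
        and rule.get("actions", {}).get("appSignOn", {}).get("access") == "ALLOW"
        and not rule_requires_mfa(rule)
    ]


def fetch_rules(org_url, api_token, policy_id):
    """Fetch the rules of one Authentication Policy from the Okta API.
    org_url is like "https://example.okta.com"; api_token is an SSWS token.
    Placeholders are assumptions: supply your own org, token and policy ID."""
    request = urllib.request.Request(
        f"{org_url}/api/v1/policies/{policy_id}/rules",
        headers={"Authorization": f"SSWS {api_token}",
                 "Accept": "application/json"},
    )
    with urllib.request.urlopen(request) as response:
        return json.load(response)


if __name__ == "__main__":
    # Run offline against the constructed sample; swap in fetch_rules(...)
    # to audit a real policy.
    offenders = rules_missing_mfa(SAMPLE_RULES)
    for name in offenders:
        print(f"ALLOW rule without MFA: {name}")
    if not offenders:
        print("OK: every allowing rule requires MFA, the claim will be sent")
    else:
        print(f"{len(offenders)} rule(s) must be changed to factorMode 2FA")
```

Run the script as-is to see the constructed "Legacy: password only" rule flagged while the DENY rule and the disabled rule are skipped; against a live org, pass the output of `fetch_rules` to `rules_missing_mfa` and fix every rule it names before relying on Okta as the MFA source for Azure AD. Remember that the check is moot if MFA is not enabled on the Azure AD side.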
