When integrating Office 365 with Okta and Microsoft Intune, authentication attempts are blocked. One or both of the following events may appear in the system log:
- DisplayMessage: Deny user access due to app sign on policy
- EventType: application.policy.sign_on.deny_access
- Application Sign-On Policy
- Microsoft Intune
- Okta Classic Engine
The default Okta Application Sign On Policy blocks Legacy Authentication. Configure a Sign On Policy to allow Legacy Authentication using the procedure detailed in About app sign-on policies.
- Navigate to the Office 365 application within the Okta Admin Console.
- Select Sign-on.
- Scroll to Application Sign-On policies.
- To modify an existing rule, click Edit (pencil icon); to add a new rule, click Add Rule.
- Enable Exchange ActiveSync/Legacy Auth.
- In the Access section, ensure the "When all the conditions above are met, sign on to this application is" option is set to Allowed.
- Click Save.
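
To see which users and clients are hitting the deny event named at the top of this article, and to check that the denials stop once the rule is saved, the System Log events can be tallied per user and user agent. This is an added example, not Okta's code; it assumes events exported as JSON in the Okta System Log shape (`actor.alternateId`, `client.userAgent.rawUserAgent`, `target[]`), and the sample events and the app display name `Microsoft Office 365` are constructed.

```python
import json
from collections import Counter

DENY_EVENT = "application.policy.sign_on.deny_access"  # EventType named in this article

# Constructed sample, shaped like Okta System Log entries; all values are made up.
SAMPLE_LOG = json.loads("""[
 {"eventType": "application.policy.sign_on.deny_access",
  "actor": {"alternateId": "alice@example.com"},
  "client": {"userAgent": {"rawUserAgent": "Apple-iPhone12C1/1905.258"}},
  "target": [{"type": "AppInstance", "displayName": "Microsoft Office 365"}]},
 {"eventType": "application.policy.sign_on.deny_access",
  "actor": {"alternateId": "alice@example.com"},
  "client": {"userAgent": {"rawUserAgent": "Apple-iPhone12C1/1905.258"}},
  "target": [{"type": "AppInstance", "displayName": "Microsoft Office 365"}]},
 {"eventType": "application.policy.sign_on.deny_access",
  "actor": {"alternateId": "bob@example.com"},
  "client": {"userAgent": null},
  "target": [{"type": "AppInstance", "displayName": "Microsoft Office 365"}]},
 {"eventType": "application.policy.sign_on.deny_access",
  "actor": {"alternateId": "carol@example.com"},
  "client": {"userAgent": {"rawUserAgent": "curl/8.0"}},
  "target": [{"type": "AppInstance", "displayName": "Example App"}]},
 {"eventType": "user.authentication.sso",
  "actor": {"alternateId": "alice@example.com"},
  "client": {"userAgent": {"rawUserAgent": "Mozilla/5.0"}},
  "target": [{"type": "AppInstance", "displayName": "Microsoft Office 365"}]},
 {"eventType": "application.policy.sign_on.deny_access",
  "actor": {"alternateId": "dave@example.com"}, "client": null, "target": null}
]""")

def _targets_app(event, app_name):
    """True if any AppInstance target of the event carries app_name."""
    return any(t.get("type") == "AppInstance" and t.get("displayName") == app_name
               for t in (event.get("target") or []))

def denied_clients(events, app_name):
    """Count sign-on policy denials for app_name per (user, raw user agent)."""
    counts = Counter()
    for ev in events:
        if ev.get("eventType") != DENY_EVENT or not _targets_app(ev, app_name):
            continue
        user = (ev.get("actor") or {}).get("alternateId") or "unknown"
        agent = ((ev.get("client") or {}).get("userAgent") or {}).get("rawUserAgent")
        counts[(user, agent or "unknown")] += 1
    return counts

if __name__ == "__main__":
    for (user, agent), n in denied_clients(SAMPLE_LOG, "Microsoft Office 365").most_common():
        print(f"{n:3d}  {user}  {agent}")
```

Running the same tally after the rule change should show the affected users no longer appearing for the Office 365 app.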
