When using Okta Multi-Factor Authentication (MFA) to satisfy Microsoft Entra ID's MFA requirements, there are times when reauthentication may be necessary due to Conditional Access policies or if a user is accessing sensitive information in the Microsoft tenant.
Previously, this could result in an endless authentication loop, because Okta's authentication policies might not have required that the user be prompted for MFA at that moment. Okta has released a feature that handles contextual parameters sent by Microsoft; these parameters override the defined authentication policy and immediately force reauthentication when necessary.
- Okta Identity Engine (OIE)
- Okta Integration Network (OIN) catalog
- Multi-Factor Authentication (MFA)
- Microsoft Office 365 (M365 / O365)
- Okta and Office integrated with WS-Federation
- "Okta MFA from Azure AD" support has been enabled in the integration
When performing a Service Provider-initiated Single Sign-On (SSO) from a federated domain in Microsoft Office 365, the following parameters may be sent to Okta:
- wfresh: specifies the maximum age, in minutes, of an acceptable authentication response. When this value is sent as wfresh=0, Microsoft indicates that a Conditional Access policy requires Okta to perform an entirely new authentication.
- wauth: specifies the authentication method required to fulfill the claim in the authentication response. When sent as wauth=http://schemas.microsoft.com/claims/multipleauthn, Microsoft indicates that a Conditional Access policy requires MFA.
When both parameters are present, Okta can determine that a user must provide a new MFA claim to Microsoft and prevent the user from getting stuck in a loop.
To use this feature, first ensure that the integration is configured as described in the documentation Use Okta MFA for Azure Active Directory.
Next, ensure that the Microsoft Office 365 authentication policy in Okta contains rules whose conditions match the users who will be using MFA (see Office 365 sign-on rules options).
The following conditions within those rules are particularly noteworthy:
- "Client is" should be set to "One of the following clients", with Web browser, Modern Authentication, and optionally Windows AutoPilot selected.
- "User must authenticate with" should be set to either "Any 2 factor types" or "Password / IdP + Another factor".
- "Prompt for authentication" or "Prompt for all other factors of authentication" (whichever applies to the selection in the previous item) can be left at the organization's standard requirement, because the feature overrides this setting whenever a new MFA claim is needed to satisfy Microsoft.
For example, even if the Prompt for authentication option is set to use Time since last sign in and scoped for 30 days, the feature will override this setting and immediately prompt for MFA when necessary, even if it has been less than 30 days since the last MFA prompt.
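The decision described in the two passages above (detecting wfresh=0 together with wauth=multipleauthn on an SP-initiated WS-Federation request, and letting that detection override a "Time since last sign in" prompt window) can be expressed as a small policy check. The following is an added illustration, not Okta's or Microsoft's code; the request URL, the endpoint path, the timestamps and the 30-day window are constructed. It also goes slightly beyond the page by honouring a positive wfresh value as a maximum response age, which is what the parameter's definition implies.

```python
from datetime import datetime, timedelta, timezone
from urllib.parse import parse_qs, urlparse

# Value Microsoft sends in wauth when Conditional Access requires MFA (from the page).
MULTIPLEAUTHN = "http://schemas.microsoft.com/claims/multipleauthn"

# Constructed sample request: the host and path are placeholders, not Okta's real endpoint.
SAMPLE_REQUEST = (
    "https://example.okta.com/sso/wsfed/passive"
    "?wa=wsignin1.0&wtrealm=urn:federation:MicrosoftOnline"
    "&wfresh=0&wauth=http%3A%2F%2Fschemas.microsoft.com%2Fclaims%2Fmultipleauthn"
)
# Constructed "now" so the demo is deterministic.
NOW = datetime(2024, 1, 1, 12, 0, tzinfo=timezone.utc)


def parse_wsfed_params(url: str) -> dict:
    """Extract wfresh (int minutes, or None) and wauth (str, or None) from a WS-Fed request URL."""
    qs = parse_qs(urlparse(url).query)
    wfresh_raw = qs.get("wfresh", [None])[0]
    wfresh = None
    if wfresh_raw is not None:
        try:
            wfresh = int(wfresh_raw)
        except ValueError:
            wfresh = None  # malformed value: treat as absent rather than as "fresh enough"
    return {"wfresh": wfresh, "wauth": qs.get("wauth", [None])[0]}


def microsoft_requires_fresh_mfa(params: dict) -> bool:
    """Both signals together mean Conditional Access wants a brand-new MFA claim."""
    return params.get("wfresh") == 0 and params.get("wauth") == MULTIPLEAUTHN


def must_prompt_for_mfa(params: dict, last_mfa_at, now: datetime, policy_window: timedelta) -> bool:
    """Apply a 'time since last sign in' rule, overridden by Microsoft's contextual parameters."""
    if microsoft_requires_fresh_mfa(params):
        return True  # override: prompt now regardless of how recent the last MFA was
    if last_mfa_at is None:
        return True  # no prior MFA on record
    age = now - last_mfa_at
    wfresh = params.get("wfresh")
    if wfresh is not None and wfresh > 0 and age > timedelta(minutes=wfresh):
        return True  # response would be older than the maximum age Microsoft accepts
    return age > policy_window  # otherwise the organization's own window decides


def demo() -> dict:
    """Run the scenarios from the page against a 30-day window and return the outcomes."""
    window = timedelta(days=30)
    ca_request = parse_wsfed_params(SAMPLE_REQUEST)
    plain_request = parse_wsfed_params("https://example.okta.com/sso/wsfed/passive?wa=wsignin1.0")
    aged_request = {"wfresh": 10, "wauth": None}
    return {
        # 5 days since last MFA, well inside 30 days, but Microsoft demands a fresh claim.
        "ca_override_5_days": must_prompt_for_mfa(ca_request, NOW - timedelta(days=5), NOW, window),
        # Same recency, no contextual parameters: the 30-day window applies and no prompt is needed.
        "plain_5_days": must_prompt_for_mfa(plain_request, NOW - timedelta(days=5), NOW, window),
        # 31 days without the parameters: the organization's own window forces a prompt.
        "plain_31_days": must_prompt_for_mfa(plain_request, NOW - timedelta(days=31), NOW, window),
        # wfresh=10 with a 20-minute-old MFA: too old for the requested maximum age.
        "wfresh10_20_minutes": must_prompt_for_mfa(aged_request, NOW - timedelta(minutes=20), NOW, window),
        # wfresh=10 with a 5-minute-old MFA: acceptable, no prompt.
        "wfresh10_5_minutes": must_prompt_for_mfa(aged_request, NOW - timedelta(minutes=5), NOW, window),
    }


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name}: {'prompt for MFA' if outcome else 'no prompt'}")
```

The order of the checks is the point: the Microsoft override is evaluated before any recency window, so a rule scoped to 30 days still prompts immediately when wfresh=0 and wauth=multipleauthn arrive together, which is exactly what breaks the loop described at the top of the article.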
