Known Issues When Using "Use Okta MFA for Azure AD" Feature in Okta Classic Engine
Overview

Known issues may arise when using the Use Okta MFA for Azure AD feature with Okta Classic Engine. The feature lets Okta Multi-Factor Authentication (MFA) satisfy Azure Active Directory (AD) MFA requirements for Office 365 applications federated through Web Services Federation (WS-FED).

Azure Active Directory (AD) MFA

  • Users can enter an infinite sign-in loop in the following scenarios:
    • The Okta sign-on policy is weaker than the Azure AD policy.
    • The user does not immediately access Office 365 after authenticating.
  • Okta incorrectly sends a successful MFA claim.
Applies To
  • Okta Classic Engine
  • Azure Active Directory (AD)
  • Single Sign-On (SSO)
  • Microsoft Office 365
  • Multi-Factor Authentication (MFA)
  • Web Services Federation (WS-FED)
Solution

The following issues apply only to Use Okta MFA for Azure AD with Okta Classic Engine and are fixed in the Okta Identity Engine (OIE) by the Step-up Authentication for Office 365 feature.


Users may enter an infinite sign-in loop in the following scenarios:

  • The Okta sign-on policy is weaker than the Azure AD policy:
    • Neither the Okta nor the app sign-on policies require MFA. Okta does not prompt the user for MFA. Azure AD Conditional Access requires MFA and expects Okta to pass the completed MFA claim.
    • Sign-on policies do not require MFA when users sign in from within a network zone, but do require it when users sign in from outside the zone. Okta does not prompt the user for MFA. Azure AD Conditional Access requires MFA and expects Okta to pass the completed MFA claim.
    • On the Azure AD side, the Sign-in frequency option is enabled with Periodic reauthentication, but the Prompt for re-authentication option in the Okta App Sign On Rule is not set to the same value as the Azure AD Periodic reauthentication. The mismatch causes a loop.
  • The user does not immediately access Office 365 after authenticating:
    • If the user completes MFA in Okta but does not immediately access the Office 365 app, Okta does not pass the MFA claim. To avoid an infinite loop, the user must reopen the web browser and reauthenticate.
  • Okta incorrectly sends a successful MFA claim:
    • This happens when the Office 365 app sign-on policy excludes certain users (individuals or groups) from the MFA requirement. Even though the user is not prompted for MFA, Okta sends a successful MFA claim to Azure AD Conditional Access. Azure AD Conditional Access accepts the Okta MFA claim and allows the user to sign in without requiring them to complete the Azure AD MFA.


If upgrading the tenant to Okta Identity Engine (OIE) is not an option, you can avoid the issues described above for end users accessing the Microsoft Office 365 application as follows: make sure the affected users are enrolled in a multifactor authentication factor and that they match an App Sign On Rule set to prompt for MFA at Every sign on, as in the example below. If the Sign-in frequency option is enabled with Periodic reauthentication on the Azure AD side, also enable the Prompt for re-authentication option in Okta and set it to the same value.


[Screenshot: App Sign On Rule]
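As an added illustration (not code from the Okta article), the following Python model encodes the policy interactions described in the Solution section as a configuration consistency check: it flags the infinite loop, the silent MFA bypass for excluded users, and settings that diverge from the recommended rule. The class and field names are assumptions made for the model; they are not Okta or Azure AD API names.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple

@dataclass
class OktaRule:
    """Constructed model of the Okta Classic App Sign On Rule for Office 365."""
    prompt_mfa: bool               # rule prompts for MFA at all
    every_sign_on: bool            # prompt frequency is "Every sign on"
    mfa_only_outside_zone: bool    # MFA skipped when the user is inside a network zone
    reauth_hours: Optional[int]    # "Prompt for re-authentication" value, None = disabled

@dataclass
class AzureCA:
    """Constructed model of the Azure AD Conditional Access policy."""
    require_mfa: bool                        # Conditional Access requires MFA
    sign_in_frequency_hours: Optional[int]   # "Periodic reauthentication", None = disabled

@dataclass
class Context:
    user_excluded_from_mfa: bool   # user or group excluded from the MFA requirement
    inside_network_zone: bool

def okta_decision(rule: OktaRule, ctx: Context) -> Tuple[bool, bool]:
    """Return (user_prompted, mfa_claim_sent) as the article says Classic Engine behaves."""
    if not rule.prompt_mfa:
        return False, False
    if ctx.user_excluded_from_mfa:
        return False, True         # the defect: no prompt, yet a successful MFA claim is sent
    if rule.mfa_only_outside_zone and ctx.inside_network_zone:
        return False, False
    return True, True

def audit(rule: OktaRule, ca: AzureCA, ctx: Context) -> List[str]:
    """Flag the loop, the silent MFA bypass, and settings that diverge from the fix."""
    findings = []
    prompted, claim = okta_decision(rule, ctx)
    if ca.require_mfa and not claim:
        findings.append("INFINITE_LOOP: Azure AD requires MFA but Okta passes no MFA claim")
    if claim and not prompted:
        findings.append("MFA_BYPASS: Okta sends a successful MFA claim without prompting")
    if ca.require_mfa and prompted and not rule.every_sign_on:
        findings.append("WEAK_PROMPT: rule should prompt for MFA at every sign on")
    if ca.sign_in_frequency_hours is not None and rule.reauth_hours != ca.sign_in_frequency_hours:
        findings.append("REAUTH_MISMATCH: Okta re-authentication must equal Azure AD sign-in frequency")
    return findings

if __name__ == "__main__":
    weak = OktaRule(prompt_mfa=False, every_sign_on=False, mfa_only_outside_zone=False, reauth_hours=None)
    for finding in audit(weak, AzureCA(require_mfa=True, sign_in_frequency_hours=12), Context(False, False)):
        print(finding)
```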

