This article explains why Okta admins who are configuring Microsoft O365 Application Sign-On Policy/Rules are not able to see Multi-Factor Authentication (MFA) options; only the password is enabled for authentication, and grayed out without being able to select other authenticator options.

• Microsoft Office 365
• Application Sign-On Policy
• Application Sign-On Rule
• Okta Identity Engine (OIE)

This is caused by the Any client selection in the "AND Client is" portion of the Microsoft Office 365 rule.

To enable MFA options in Microsoft Office 365:

1. Navigate to AND Client is.
2. Select Any client and change to One of the following clients:.
3. Add Modern Authentication and Web browser.

Once this is done, interact with the password selection box located in the AND User must authenticate with section.

The dropdown will now allow admins to select 2 Factor types (MFA), which will then allow admins to configure AND Possession factor constraints are as well as AND Authentication methods for users.