When running an MS Office 365 Push Group provisioning job, the following error may appear:
Unable to update Group Push mapping target App group {group name}: Could not validate your Office 365 credentials, received error: 400 AADSTS50079: Due to a configuration change made by your administrator, or because you moved to a new location, you must enroll in multi-factor authentication to access '{resource number}'
- Microsoft Office 365
- Okta Integration Network
- MS Office 365 push group provisioning error
This error occurs because the Okta Sync service account used for provisioning has not been exempted from Multi-Factor Authentication (MFA) requirements in Microsoft Entra ID's Conditional Access policies. This requirement is described in Provision users to Office 365.
- Have the Microsoft Admin user log in to the Microsoft Entra ID management portal and follow the solution instructions described in:
- Have the Okta Admin user navigate to Okta Admin Console > Applications > Applications > Microsoft Office 365 app > Provisioning > Integration, and follow the solution instructions in Update Office 365 Applications with Provisioning to Support Microsoft Graph.
- Retry the failed MS Office 365 push group task(s) from Okta. They should complete successfully without the previous Microsoft error.
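To confirm which Conditional Access policies still apply MFA to the sync account before retrying, the following added example (not Okta's or Microsoft's code) evaluates policies exported as Microsoft Graph `conditionalAccessPolicy` JSON. The sample policies and the IDs `svc-okta-sync`, `grp-okta-sync` and `role-admin` are constructed placeholders, and the account's group and role memberships are supplied by the caller. Only user scoping and the built-in `mfa` grant control are evaluated; application, location and other conditions are ignored, so the result is conservative.

```python
import json

# Constructed sample shaped like Microsoft Graph conditionalAccessPolicy objects.
SAMPLE = json.loads("""[
 {"displayName": "MFA for everyone", "state": "enabled",
  "conditions": {"users": {"includeUsers": ["All"], "excludeUsers": []}},
  "grantControls": {"builtInControls": ["mfa"]}},
 {"displayName": "MFA with sync account excluded", "state": "enabled",
  "conditions": {"users": {"includeUsers": ["All"],
                           "excludeGroups": ["grp-okta-sync"]}},
  "grantControls": {"builtInControls": ["mfa"]}},
 {"displayName": "MFA pilot", "state": "enabledForReportingButNotEnforced",
  "conditions": {"users": {"includeUsers": ["All"]}},
  "grantControls": {"builtInControls": ["mfa"]}},
 {"displayName": "Compliant device for admins", "state": "enabled",
  "conditions": {"users": {"includeRoles": ["role-admin"]}},
  "grantControls": {"builtInControls": ["compliantDevice"]}}
]""")


def _matches(users, prefix, account_id, groups, roles):
    """True if the include*/exclude* lists (chosen by prefix) name the account."""
    ids = users.get(prefix + "Users") or []
    return ("All" in ids or account_id in ids
            or bool(groups & set(users.get(prefix + "Groups") or []))
            or bool(roles & set(users.get(prefix + "Roles") or [])))


def policies_applying_mfa(policies, account_id, groups=(), roles=()):
    """Names of enforced policies that list the MFA control and cover the account."""
    groups, roles = set(groups), set(roles)
    hits = []
    for p in policies:
        if p.get("state") != "enabled":  # report-only and disabled are not enforced
            continue
        controls = (p.get("grantControls") or {}).get("builtInControls") or []
        if "mfa" not in controls:
            continue
        users = (p.get("conditions") or {}).get("users") or {}
        included = _matches(users, "include", account_id, groups, roles)
        excluded = _matches(users, "exclude", account_id, groups, roles)
        if included and not excluded:  # an exclusion overrides an inclusion
            hits.append(p["displayName"])
    return hits


if __name__ == "__main__":
    # Placeholder IDs; real exports use directory object GUIDs.
    print(policies_applying_mfa(SAMPLE, "svc-okta-sync", groups=["grp-okta-sync"]))
```

Any policy name returned is one where the sync account still needs an exclusion.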
