With a Microsoft Office 365 domain federated, a subset of Users, after authenticating with Okta, might fall into a loop that will eventually land the User on the Microsoft account page with the following message:
We couldn't sign you in. Please try again.
NOTE: This article does not relate to the infinite sign-in loop between Microsoft Office 365 and Okta. It describes a different behavior: a loop on the Office 365 side that begins after a successful Okta authentication. When reviewing the Okta System Log in this scenario, Admins will not observe events that represent a loop between Office 365 and Okta; they will observe a single successful login attempt.
Okta Support recommends capturing a SAML trace (see How to Troubleshoot with SAML Tracer). In the trace, Admins will see a successful 200 POST, followed by multiple calls to https://account.activedirectory.windowsazure.com/passwordreset/register.aspx?client-request-id=fbnwrh08whvwuf-0wffhw0&sspr=1
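The loop signature described above can be checked mechanically against a browser network export. The following is an added example, not part of the original article: it assumes a HAR file (`log.entries` layout) saved from the browser's network panel, and uses a constructed sample capture with a placeholder client-request-id.

```python
import json
from urllib.parse import parse_qs, urlparse

# Endpoint the article identifies as the one requested repeatedly after the successful POST.
SSPR_HOST = "account.activedirectory.windowsazure.com"
SSPR_PATH = "/passwordreset/register.aspx"


def load_har(path: str) -> dict:
    """Load a HAR file exported from the browser's network panel (assumed HAR 1.2 layout)."""
    with open(path, encoding="utf-8") as fh:
        return json.load(fh)


def find_sspr_loop(har: dict, min_repeats: int = 3) -> dict:
    """Look for the signature from the article: one successful (2xx) POST, followed by
    repeated requests to the SSPR registration page carrying sspr=1."""
    entries = har["log"]["entries"]
    first_ok_post = None
    sspr_hits = []
    for idx, entry in enumerate(entries):
        req, resp = entry["request"], entry["response"]
        if first_ok_post is None:
            if req["method"] == "POST" and 200 <= resp["status"] < 300:
                first_ok_post = idx
            continue  # nothing before the successful POST counts
        url = urlparse(req["url"])
        query = parse_qs(url.query)
        if url.netloc == SSPR_HOST and url.path.lower() == SSPR_PATH and query.get("sspr") == ["1"]:
            sspr_hits.append(idx)
    return {
        "successful_post_index": first_ok_post,
        "sspr_register_hits": len(sspr_hits),
        "loop_detected": first_ok_post is not None and len(sspr_hits) >= min_repeats,
    }


# Constructed sample (not a real capture): one successful POST, then four SSPR register hits.
SAMPLE_HAR = {"log": {"entries": [
    {"request": {"method": "GET", "url": "https://login.microsoftonline.com/login.srf"},
     "response": {"status": 302}},
    {"request": {"method": "POST", "url": "https://login.microsoftonline.com/login.srf"},
     "response": {"status": 200}},
] + [
    {"request": {"method": "GET", "url": "https://account.activedirectory.windowsazure.com"
                 "/passwordreset/register.aspx?client-request-id=CONSTRUCTED-ID&sspr=1"},
     "response": {"status": 200}}
    for _ in range(4)
]}}
```

On a real export, run `find_sspr_loop(load_har("trace.har"))`; a `loop_detected` of `True` with several `sspr_register_hits` matches the SSPR re-confirmation behavior this article describes.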
- Microsoft Office 365 (M365 / O365)
- Loop after Okta Authentication
- Self Service Password Reset (SSPR)
This is caused by Self-Service Password Reset (SSPR) being enabled or enforced on the Microsoft Entra ID / Azure Active Directory side. More precisely, it occurs when the number of days before users are asked to reconfirm their authentication information is set to a value other than zero.
- Access the Admin Console for Entra ID / Azure AD.
- In the Search Bar, search for Password Reset.
- Once on the Password Reset page, navigate to Manage > Registration.
- In the field labeled "Number of days before users are asked to re-confirm their authentication information", set the value to zero.
- Wait for the changes to propagate on the Azure side, and then have the End Users attempt to access an Office 365 application once more.
