Windows Users Cannot Access Microsoft 365 Native Applications via Okta FastPass When Phishing Resistance Is Enforced
Multi-Factor Authentication
Okta Identity Engine
Overview

Users fail to authenticate to Microsoft 365 native applications, such as Outlook, OneDrive, or Teams, on Windows devices using Okta FastPass when the sign-on policy enforces phishing-resistant authentication. When launching these applications, users encounter errors, get stuck in a loop, or fail to complete authentication. Removing the phishing-resistant condition allows native application authentication to succeed. The failure occurs because Universal Windows Platform (UWP) and Microsoft 365 native applications run in network-isolated sandboxes that interfere with device-bound authentication signals. Executing a specific PowerShell script resolves the issue by modifying key settings required for proper device signal integration.

Applies To
  • Okta Identity Engine (OIE)
  • Microsoft 365
  • Okta FastPass
  • Windows
Cause

Universal Windows Platform (UWP) and Microsoft 365 native applications experience a known limitation when used with Okta FastPass phishing-resistant authentication. Native Microsoft 365 applications on Windows run in network-isolated sandboxes that interfere with the device-bound authentication signals required for phishing-resistant authentication. Consequently, these applications fail to complete the required device context validation, which causes authentication failures when Okta enforces a phishing-resistant constraint.

Solution

How is the authentication failure resolved?
Okta provides a PowerShell script that modifies key settings required for proper device signal integration to support phishing-resistant Okta FastPass authentication with Microsoft 365 native and UWP applications on Windows. Locate the documentation, download the script, execute it on the affected Windows devices, and reboot the machine to establish compatibility.

  1. Refer to the Okta documentation titled Enable phishing-resistant authentication for Universal Windows Platform apps.
  2. Download and execute the provided PowerShell script on the affected Windows devices. The script sets the required registry keys for Microsoft Account (MSA) login behavior, ensures proper token binding and network isolation settings for UWP applications, and establishes compatibility between Windows-native application sessions and Okta FastPass phishing-resistant signals.
  3. Reboot the device if prompted.
  4. Reattempt authentication to the native Microsoft 365 application using Okta FastPass.
NOTE: Administrators can safely deploy the script through device management tools. This solution is Windows-specific, as macOS native application behavior differs. Test the script in a controlled environment before large-scale deployment.
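
For the controlled test recommended in the note, the following wrapper is an added example, not Okta's script or code from the original article. It runs a reviewed copy of the downloaded script only if its SHA-256 matches the value recorded at review time, then reports which AppContainer loopback exemptions changed. The parameter names, the report folder, and the assumption that the network isolation change is visible through `CheckNetIsolation.exe` are illustrative; the registry keys are not checked because the article does not name them.

```powershell
#Requires -RunAsAdministrator
# Added example: pilot-device wrapper around the vendor script (not Okta's code).
param(
    [Parameter(Mandatory)] [string] $ScriptPath,      # reviewed local copy of the downloaded script
    [Parameter(Mandatory)] [string] $ExpectedSha256,  # hash recorded when that copy was reviewed
    [string] $ReportDir = "$env:ProgramData\UwpFastPassPilot"  # hypothetical report folder
)
$ErrorActionPreference = 'Stop'

# Returns the AppContainer SIDs (prefix S-1-15-2) that hold a loopback exemption.
# Assumption: the script's network isolation change shows up in this list.
function Get-LoopbackExemptSid {
    @(& CheckNetIsolation.exe LoopbackExempt -s) |
        Select-String -Pattern 'S-1-15-2-[\d-]+' |
        ForEach-Object { $_.Matches[0].Value } |
        Sort-Object -Unique
}

# 1. Run only the exact bytes that were reviewed.
$actual = (Get-FileHash -Path $ScriptPath -Algorithm SHA256).Hash
if ($actual -ne $ExpectedSha256) {
    throw "Hash mismatch for ${ScriptPath}: got $actual"
}
$signature = Get-AuthenticodeSignature -FilePath $ScriptPath   # recorded, not enforced

# 2. Snapshot, run the script, snapshot again.
$before = @(Get-LoopbackExemptSid)
& $ScriptPath
$after = @(Get-LoopbackExemptSid)

# 3. Write what changed so the pilot result can be reviewed before wider rollout.
$report = [pscustomobject]@{
    Computer        = $env:COMPUTERNAME
    RanAt           = (Get-Date).ToString('o')
    ScriptSha256    = $actual
    SignatureStatus = [string]$signature.Status
    Signer          = $signature.SignerCertificate.Subject
    AddedSids       = @($after  | Where-Object { $_ -notin $before })
    RemovedSids     = @($before | Where-Object { $_ -notin $after })
}
New-Item -ItemType Directory -Path $ReportDir -Force | Out-Null
$report | ConvertTo-Json -Depth 3 |
    Set-Content -Path (Join-Path $ReportDir "$env:COMPUTERNAME.json") -Encoding UTF8
$report
```

Pinning the hash means the copy pushed through device management is the same file that was tested, and the per-device report gives a baseline to compare against if authentication still fails after the reboot.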
