On Windows Devices Users Are Unable to Access Microsoft 365 Native Applications via Okta FastPass when Phishing Resistance is Enforced
Okta Identity Engine
Multi-Factor Authentication
Overview

This article addresses the situation in which users may be unable to authenticate to Microsoft 365 native applications (such as Outlook, OneDrive, or Teams) on Windows devices using Okta FastPass when Phishing-Resistant authentication is enforced in the application’s sign-on policy.

 

Observed Behavior:

  • When launching native Microsoft 365 apps, users may receive an error, get stuck in a loop, or fail to complete authentication.
  • Removing the phishing-resistant condition allows native app authentication to succeed.
Applies To
  • Okta Identity Engine (OIE)
  • Office365
  • FastPass
Cause

This issue is due to a known limitation in how Universal Windows Platform (UWP) and Microsoft 365 native applications operate in conjunction with Okta’s phishing-resistant FastPass authentication. Specifically, native Microsoft 365 apps on Windows run in network-isolated sandboxes, which interfere with the device-bound authentication signals required for phishing-resistant authentication. As a result, these applications fail to complete the required device context validation, leading to authentication failures when a phishing-resistant constraint is enforced.

 

Solution

To support phishing-resistant FastPass authentication with Microsoft 365 native and UWP applications on Windows, Okta provides a PowerShell script that modifies key settings required for proper device signal integration.

  1. Refer to this Okta documentation: Enable phishing-resistant authentication for Universal Windows Platform apps.
  2. Download and execute the provided PowerShell script on affected Windows devices.
    • The script performs the following:
      • Sets required registry keys for Microsoft Account (MSA) login behavior.
      • Ensures proper token binding and network isolation settings for UWP apps.
      • Establishes compatibility between Windows-native app sessions and Okta’s FastPass phishing-resistant signals.
  3. After executing the script, reboot the device (if prompted). Reattempt authentication to the native Microsoft 365 application using Okta FastPass.

 

After applying the script, users can successfully authenticate to Microsoft 365 native applications using FastPass under policies requiring phishing-resistant authentication.

 

NOTE:

  • The script is safe to deploy through device management tools (for example, Intune or Jamf).
  • This solution is Windows-specific; macOS native app behavior differs.
  • Testing in a controlled environment before large-scale deployment is highly recommended.