The Step-up authentication for Office 365 feature lets customers prompt for Okta Multi-factor Authentication (MFA) dynamically, only when Microsoft requires it, without having to configure a "2 factor types" rule in the Office 365 Authentication Policy.
- Okta Identity Engine (OIE)
- Microsoft 365 (O365 / M365)
- Azure Active Directory (AD)
- Single Sign-On (SSO)
- Multi-factor Authentication (MFA)
- Okta MFA from Azure AD
When the Okta MFA from Azure AD setting is enabled, a trust relationship is created in which Microsoft no longer asks users to enroll in and use the Microsoft Authenticator app. In exchange, Okta must provide the required MFA token (the claim in the federation response that tells Microsoft MFA was satisfied), and Okta only issues that token after the user has completed a second-factor prompt.
Users can get stuck in a sign-in loop when a "1 factor type" Office 365 authentication rule is matched in Okta while Microsoft also enforces an MFA requirement or Conditional Access Policy: Okta issues a response without the MFA token, Microsoft sends the user back to Okta to satisfy MFA, the same 1-factor rule matches again and again no MFA token is produced, and the cycle repeats until the user gives up.
For more information, please check the Office 365 SSO User Loop During Authentication documentation.
Step-up authentication for Office 365 is a new GA feature available in all tenants. With it, the Office 365 authentication rule no longer has to require two-factor authentication (2FA) for everyone, which matters for users or flows that do not require MFA on the Microsoft side: they can now sign in with a single factor instead of being pushed through MFA by the Okta rule.
With the setting enabled, Okta reads the MFA requirement that Microsoft includes in the sign-in request (see the acr_values reference below) and prompts the user for the necessary second factor when they access an Office 365 resource protected by an MFA requirement, even if a 1-factor rule was matched in Okta. Because the MFA token is then present in the response, the loop described above does not occur.
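The loop and the step-up fix are easiest to see as an exchange between the two sides. The following is an added example, a constructed simulation written for this article and not Okta or Microsoft code. It models Microsoft's "send the user back to Okta asking for MFA" step as a single `mfa_requested` flag (in practice this travels in request parameters such as acr_values), and uses Microsoft's well-known `multipleauthn` claim value as the "MFA token"; both the class names and the behaviour when the trust relationship is disabled are assumptions made for illustration.

```python
"""Constructed model of the Okta <-> Microsoft 365 sign-in exchange.

Not Okta or Microsoft code: an illustration of why a 1-factor Okta rule
loops against a Microsoft MFA requirement, and how step-up breaks the loop.
"""
from dataclasses import dataclass, field

# Microsoft's claim value for "MFA was performed by the federated IdP".
# This value is real; everything else below is a simplified model.
MULTIPLEAUTHN = "http://schemas.microsoft.com/claims/multipleauthn"


@dataclass
class SignInRequest:
    user: str
    # True when Microsoft has sent the user back to Okta asking for MFA.
    # Modelled as a flag here (assumption); Microsoft really carries this
    # in request parameters such as acr_values.
    mfa_requested: bool = False


@dataclass
class Assertion:
    user: str
    amr: list = field(default_factory=list)  # authentication method references


@dataclass
class OktaTenant:
    rule_factor_types: int      # the Office 365 app policy rule that matched: 1 or 2
    step_up_enabled: bool       # "Step-up authentication for Office 365"
    prompts: list = field(default_factory=list)  # MFA prompts shown to the user

    def authenticate(self, req: SignInRequest) -> Assertion:
        # A second factor is required either by the matched rule itself, or,
        # with step-up enabled, because Microsoft's request asks for MFA.
        need_second = self.rule_factor_types >= 2 or (
            self.step_up_enabled and req.mfa_requested
        )
        if need_second:
            self.prompts.append(f"MFA prompt for {req.user}")
            # The MFA token is only issued after a completed second factor.
            return Assertion(req.user, [MULTIPLEAUTHN])
        return Assertion(req.user, [])


@dataclass
class MicrosoftTenant:
    ca_requires_mfa: bool       # MFA requirement / Conditional Access policy
    okta_mfa_trusted: bool = True  # "Okta MFA from Azure AD" enabled

    def evaluate(self, assertion: Assertion) -> str:
        if not self.ca_requires_mfa:
            return "granted"
        if not self.okta_mfa_trusted:
            # Without the trust relationship Microsoft handles MFA itself
            # (Authenticator enrollment); modelled as a terminal outcome.
            return "microsoft_authenticator"
        if MULTIPLEAUTHN in assertion.amr:
            return "granted"
        return "mfa_required"   # bounce the user back to Okta


def sign_in(okta: OktaTenant, microsoft: MicrosoftTenant, user: str,
            max_rounds: int = 5) -> tuple:
    """Run the exchange until access is granted or the round limit is hit.

    Returns (outcome, rounds). An outcome of "loop" means the user kept being
    redirected between Okta and Microsoft without ever receiving MFA.
    """
    req = SignInRequest(user)
    for round_no in range(1, max_rounds + 1):
        assertion = okta.authenticate(req)
        outcome = microsoft.evaluate(assertion)
        if outcome in ("granted", "microsoft_authenticator"):
            return (outcome, round_no)
        # Microsoft redirects back to Okta asking for MFA this time.
        req = SignInRequest(user, mfa_requested=True)
    return ("loop", max_rounds)


if __name__ == "__main__":
    ms = MicrosoftTenant(ca_requires_mfa=True)
    for label, okta in [
        ("1-factor rule, no step-up", OktaTenant(1, step_up_enabled=False)),
        ("1-factor rule, step-up on", OktaTenant(1, step_up_enabled=True)),
        ("2-factor rule", OktaTenant(2, step_up_enabled=False)),
    ]:
        print(label, "->", sign_in(okta, ms, "alice@example.com"),
              "prompts:", len(okta.prompts))
```

Running the block shows the three cases from the text: the 1-factor rule without step-up never produces the MFA token and loops; with step-up on, the second round carries the MFA request, Okta prompts once, and Microsoft grants access; the 2-factor rule prompts every user up front, including those Microsoft would not have required MFA for.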
Related References
- Frequently Asked Questions about Mandatory MFA Requirements for Microsoft Applications
- Office 365 SSO User Loop During Authentication
- "Unable to meet the authentication requirements imposed by 'acr_values' parameter" Error when a User Attempts to Sign in to Office 365
