Okta Error Unable to Meet Authentication Requirements Imposed by acr_values Parameter Occurs When Signing In to Office 365
Last Updated:
Overview
An error occurs when a user attempts to sign in to Office 365 because a Microsoft Entra ID conditional access policy requires Multi-Factor Authentication (MFA) and the user cannot satisfy or enroll in the required additional authenticators due to constraints within Okta policies. Resolve this issue by updating the Okta Authenticator Enrollment Policies to permit the enrollment of secure secondary factors and ensuring Step-up Authentication for Office 365 is active. The following error message appears:
Unable to meet the authentication requirements imposed by 'acr_values' parameter.
Applies To
- Okta Identity Engine (OIE)
- Office 365 (O365) / Microsoft Entra ID
- Azure Conditional Access Policy
- Step-up Authentication for Office 365
- Multi-Factor Authentication (MFA)
Cause
This behavior occurs when a Microsoft Entra ID conditional access policy requires MFA and the user cannot satisfy or enroll in the required additional authenticators due to constraints within Okta policies.
NOTE: Admin accounts in O365 require MFA when connecting to O365 admin resources, irrespective of the conditional access policy configurations. For more information on this change, review Microsoft documentation: Planning for mandatory multifactor authentication for Azure and other admin portals.
NOTE: In OIE, the Step-up Authentication for Office 365 feature allows Okta to dynamically respond to incoming acr_values passed by Microsoft. This prompts the user for MFA dynamically, even if the Okta application authentication policy requires only a password.
NOTE: If the Okta Authenticator Enrollment Policy restricts the user from registering or using the necessary secondary factors, Okta cannot fulfill the step-up authentication request. This results in a failure to pass the authentication context back to Microsoft, triggering the error.
Solution
How is the authentication requirements error resolved?
Update the Okta Authenticator Enrollment Policies to allow enrollment of secure secondary factors, and activate Step-up Authentication for Office 365 in the application configuration settings.
- Navigate to Security and select Authenticators.
- Choose the Enrollment tab.
- Review the Okta Authenticator Enrollment Policies to ensure the affected user or administrator has an assigned policy that permits enrollment of secure secondary factors (such as Okta Verify or FIDO2/WebAuthn) beyond a password alone.
- Navigate to the Office 365 application configuration settings.
- Ensure that Step-up Authentication for Office 365 is enabled so that Okta can seamlessly intercept and fulfill dynamic MFA requests issued by Microsoft Conditional Access policies.
