Users in blocked countries can still access Office 365 applications through Okta. The issue is isolated to the Office 365 SP-initiated flow when using the legacy Username13 endpoint.
For example, for the endpoint: app/office365/exkh2h9a8zSrnu8Io697/sso/wsfed/username13.
Users without a global session who try to access Okta will be denied by the dynamic network zone.
- Office 365
- Legacy endpoint
- Network zone
Users authenticating to O365 on specific endpoints are ignoring the global session policy.
The direct authentication endpoint does not create Okta sessions, so those policies are not enforced. Global Session Policies are not evaluated for the username13 endpoint. Only the Application Authentication Policies are evaluated.
Because global session policies are not evaluated for this endpoint, update the application authentication policy to allow or deny access based on the network zone.
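To check whether the endpoint was already used from a blocked country before the policy change, the following added example (not Okta's own code) filters exported System Log events for successful username13 requests. It assumes the export carries the fields debugContext.debugData.requestUri, client.geographicalContext.country and outcome.result; the events, country names and app id shown are constructed placeholders.

```python
import json
import re

# Path shape from the page: app/office365/<app id>/sso/wsfed/username13
USERNAME13 = re.compile(r"/app/office365/[^/]+/sso/wsfed/username13/?$", re.I)

def find_bypasses(events, blocked_countries):
    """Successful username13 requests whose client country is blocked."""
    blocked = {c.casefold() for c in blocked_countries}
    hits = []
    for ev in events:
        debug = (ev.get("debugContext") or {}).get("debugData") or {}
        path = (debug.get("requestUri") or "").split("?", 1)[0]
        if not USERNAME13.search(path):
            continue  # not the legacy endpoint this page is about
        if (ev.get("outcome") or {}).get("result") != "SUCCESS":
            continue  # the request did not succeed
        client = ev.get("client") or {}
        country = (client.get("geographicalContext") or {}).get("country") or ""
        if country.casefold() in blocked:
            hits.append({
                "time": ev.get("published"),
                "user": (ev.get("actor") or {}).get("alternateId"),
                "ip": client.get("ipAddress"),
                "country": country,
            })
    return hits

def _event(time, user, ip, country, uri, result):
    # Constructed sample event; field names are assumed to match the log export.
    return {"published": time, "actor": {"alternateId": user},
            "client": {"ipAddress": ip, "geographicalContext": {"country": country}},
            "debugContext": {"debugData": {"requestUri": uri}},
            "outcome": {"result": result}}

U13 = "/app/office365/exkEXAMPLE/sso/wsfed/username13"  # placeholder app id
SAMPLE_EVENTS = [
    _event("2024-01-01T10:00:00Z", "a@example.com", "203.0.113.10", "Freedonia", U13, "SUCCESS"),
    _event("2024-01-01T10:01:00Z", "b@example.com", "198.51.100.7", "Sylvania", U13, "SUCCESS"),
    _event("2024-01-01T10:02:00Z", "c@example.com", "203.0.113.11", "Freedonia", U13, "FAILURE"),
    _event("2024-01-01T10:03:00Z", "d@example.com", "203.0.113.12", "freedonia", "/app/UserHome", "SUCCESS"),
]

if __name__ == "__main__":
    for hit in find_bypasses(SAMPLE_EVENTS, {"Freedonia"}):
        print(json.dumps(hit))
```

After the application authentication policy is updated, the same filter should return no new hits for the blocked zone.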
