
TriH.41133 (Customer) asked a question.
We are currently testing O365 federation with Okta MFA. Our users do get challenged for MFA when they SSO into O365.
However, if the user accesses Rich client or mobile clients for example, Microsoft Teams on their mobile device, they do not get challenged for MFA. One would think, that this should invoke the MFA challenge however, this is not the case. It seems that access is automatically granted .
Has anyone experienced this behavior and what steps have you taken to secure Rich and Mobile clients for MFA?

Hi Tri. Yes, I would certainly expect a brand new session to always result in an MFA prompt by Okta, if the relevant policies are in place to enforce this. However, do bear in mind that many of the Microsoft apps have extremely long sessions - up to 90 days. As a result Okta won't be in the mix to enforce MFA, even if it wanted to. To enforce MFA on a running Microsoft app session you would need to either:
Stephen-
Thank you for your input.
Regarding bullet point #2, "implement conditional access inside Azure which will bounce users mid-flight over to Okta for MFA (please note you need some extra config on the Okta side for this)": can you elaborate on how that might be done, or do you have some instructions on how to configure it?
Essentially this CA policy would bounce it over to Okta for MFA once the Access Token (JSON Web Token) becomes invalid or refreshed: https://docs.microsoft.com/en-us/office365/enterprise/session-timeouts
I opened support cases with Okta & Microsoft and they both seem to be pointing at each other. Not much help...
Hi Tri. Sure, I can assist here. The best guide that I've found for this is: https://help.okta.com/en/prod/Content/Topics/Apps/Office365/Use_Okta_MFA_Azure_AD_MFA.htm
This guide describes how you can link Okta and O365/Azure together so that any user required to complete 2FA by an Azure conditional access rule is actually sent back to Okta for authentication. There are a couple of features and configurations that need to be enabled to support this. Let me know if you have any difficulties.
On your question, this is partially true:
"Essentially this CA policy would bounce it over to Okta for MFA once the Access Token (JSON Web Token) becomes invalid or refreshed"
If a user's session with Azure expires, and Okta has been set up as the associated IdP, they will get sent back to Okta for authentication. This isn't related to CA. However, during a running/active O365 session, if the user hits a policy enforcement rule as specified by CA, then they will be sent back to Okta for reauthentication/2FA - even if they have a valid session.
This might provide more information. If policies are in place, they should always be prompted the first time on thick/mobile clients, but after that the session is managed by Microsoft (unless the user takes direct action to kill the session, such as resetting their password).
https://docs.microsoft.com/en-us/office365/enterprise/session-timeouts
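As an added illustration of the two pieces the answer above describes (not code from the thread, Okta, or Microsoft), the following Microsoft Graph PowerShell script sets the federated domain so that Azure AD hands MFA off to the federated IdP, creates a Conditional Access policy that demands MFA for Office 365 from mobile and desktop (rich) clients, and then pulls recent rich-client sign-ins so you can confirm the policy actually applied. The domain name `contoso.example` and the user `user@contoso.example` are placeholders; the policy is created in report-only mode so it can be reviewed before enforcement.

```powershell
# Added example, not from the original thread. Assumes the Microsoft Graph PowerShell SDK
# (Microsoft.Graph module) and a domain already federated to Okta. Placeholders below.
$domain = "contoso.example"          # placeholder: your Okta-federated domain
$testUser = "user@contoso.example"   # placeholder: a user to verify against

Connect-MgGraph -Scopes "Policy.ReadWrite.ConditionalAccess", "Domain.ReadWrite.All", "AuditLog.Read.All"

# 1. Federation setting: by default ('acceptIfMfaDoneByFederatedIdp') Azure AD may satisfy an MFA
#    requirement itself. 'enforceMfaByFederatedIdp' makes Azure AD redirect the user to the
#    federated IdP (Okta) whenever a Conditional Access policy asks for MFA, even mid-session.
$fed = Get-MgDomainFederationConfiguration -DomainId $domain
Update-MgDomainFederationConfiguration -DomainId $domain -InternalDomainFederationId $fed.Id `
    -FederatedIdpMfaBehavior "enforceMfaByFederatedIdp"

# 2. Conditional Access policy: require MFA for Office 365 when the client is a
#    mobile app or desktop (rich) client. Browser sign-ins already go through Okta's SSO flow.
$policy = @{
    displayName = "Require MFA for O365 rich and mobile clients"
    state       = "enabledForReportingButNotEnforced"   # review in report-only, then set to "enabled"
    conditions  = @{
        users          = @{ includeUsers = @("All") }
        applications   = @{ includeApplications = @("Office365") }
        clientAppTypes = @("mobileAppsAndDesktopClients")
    }
    grantControls = @{
        operator        = "OR"
        builtInControls = @("mfa")
    }
}
$created = New-MgIdentityConditionalAccessPolicy -BodyParameter $policy
Write-Host "Created CA policy $($created.Id) in state $($created.State)"

# 3. Verification: list the latest rich-client sign-ins for the test user. In report-only mode
#    the policy shows up under conditionalAccessStatus as 'reportOnly...' values; once enabled,
#    a sign-in that required MFA should show authenticationRequirement = multiFactorAuthentication.
Get-MgAuditLogSignIn -Top 10 `
    -Filter "userPrincipalName eq '$testUser' and clientAppUsed eq 'Mobile Apps and Desktop clients'" |
    Select-Object createdDateTime, appDisplayName, clientAppUsed,
                  conditionalAccessStatus, authenticationRequirement, status
```

The first step is the "extra config" the answer refers to on the Azure side; without it a policy requiring MFA is satisfied by Azure AD's own MFA rather than by Okta. Leave the policy in report-only until the sign-in log output shows it matching the sessions you expect, since a misconfigured federated MFA handoff can lock rich clients out entirely.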
Thanks Niall. I appreciate it