
00uhs9p2jjsgz1E6V351.5559584785968367E12 (Customer) asked a question.
We ran into this issue when rolling out Hybrid Azure AD. We were told it was a backend issue but now I see it in the documentation. The fix was to create an exclusion for Windows 10 logins as legacy auth. (Unacceptable) Am I missing something?
https://www.okta.com/resources/whitepaper/using-okta-for-hybrid-microsoft-aad-join/

Hello.
Please note this concept of legacy authentication is based on the Microsoft settings. So Okta defines legacy and modern authentication as the following protocols.
A. Legacy Authentication Protocols
Protocols like POP and IMAP, which do not support modern authentication methods, are referred to as legacy authentication protocols.
B. Modern Authentication Supported Protocols
Protocols like Exchange ActiveSync, EWS, MAPI, and PowerShell, which support both basic and modern authentication methods, are classified as modern authentication protocols, in the context of this document.
https://www.okta.com/resources/whitepaper/securing-office-365-with-okta/
Please note Okta supports modern authentication for multiple authentications, as can be seen here in this link:
https://help.okta.com/en/prod/Content/Topics/Security/O365_Client-Access-Policies.htm
Okta Device Trust for Windows allows you to prevent unmanaged Windows computers from accessing corporate SAML and WS-Fed cloud apps. It works with any browser or native app that can access the certificate store when performing the federated authentication flow to Okta. This includes Edge, Internet Explorer, Chrome, and Microsoft Office clients that support Modern Authentication.
https://help.okta.com/en/prod/Content/Topics/Mobile/Okta_Mobile_Device_Trust_Windows-desktop.htm
But please note the kind of authentication the deployment is using is set by Microsoft tools. For more information please refer to the Microsoft documentation:
https://docs.microsoft.com/en-us/azure/active-directory/fundamentals/concept-fundamentals-block-legacy-authentication
https://www.microsoft.com/en-us/microsoft-365/blog/2015/11/19/updated-office-365-modern-authentication-public-preview/
So if currently Windows login is only available with legacy authentication, you would need to confirm with Microsoft what the reason is for only using legacy authentication. That's strictly set by Microsoft. From the Okta side, as long as you set modern authentication policies and the client supports it, it should work as explained in the Okta_Mobile_Device_Trust_Windows-desktop document.
Regards
Thank you for the response. We are talking about the PRT (Primary Refresh Token) and Office 365 endpoints that work with Hybrid Azure AD devices. I had to create an explicit legacy auth policy to stop Okta from blocking them. I was told this was an issue on the backend. I should not have to keep this policy in place.
FROM SUPPORT:
However, as stated this is something that is being worked on by our engineering team. Support cannot assist with this.
The best suggestion is to leave the Legacy Auth client flow allowed for Windows machines only and block it for all other devices. As stated on the call, our engineering team is aware of this issue and is working to have this resolved. However, there is no ETA for this to be fixed.
RequestUri /app/office365/exkpxv5c4pD2k3lzd356/sso/wsfed/username13
ThreatSuspected false
Url /app/office365/exkpxv5c4pD2k3lzd356/sso/wsfed/username13?
LegacyEventType app.app_instance.sign_on_policy.access_denied
The username13 is the endpoint used for AzureAD Authentication. LegacyAuth uses /app/office365/{key}/sso/wsfed/active
Thank you
Brian
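As an added example (not from the thread, Okta, or Microsoft), a small Python classifier that parses access-denied records in the flattened "Field value" layout quoted above and separates denials on the username13 endpoint (which the poster identifies as the Azure AD device / PRT flow) from denials on /active (legacy auth), so the impact of a legacy-auth block or the "allow for Windows only" workaround can be measured. The sample records are constructed, and the username13/active mapping is taken from the post rather than from Okta documentation.

```python
import re
from collections import Counter

# Constructed sample in the flattened "Field value" layout quoted in the thread;
# the app key and the username13 / active paths are the ones shown there.
SAMPLE_LOG = """\
RequestUri /app/office365/exkpxv5c4pD2k3lzd356/sso/wsfed/username13
ThreatSuspected false
Url /app/office365/exkpxv5c4pD2k3lzd356/sso/wsfed/username13?
LegacyEventType app.app_instance.sign_on_policy.access_denied

RequestUri /app/office365/exkpxv5c4pD2k3lzd356/sso/wsfed/active
ThreatSuspected false
Url /app/office365/exkpxv5c4pD2k3lzd356/sso/wsfed/active
LegacyEventType app.app_instance.sign_on_policy.access_denied

RequestUri /app/office365/exkpxv5c4pD2k3lzd356/sso/wsfed/passive
ThreatSuspected true
Url /app/office365/exkpxv5c4pD2k3lzd356/sso/wsfed/passive
LegacyEventType app.app_instance.sign_on_policy.access_denied
"""

DENIED = "app.app_instance.sign_on_policy.access_denied"
WSFED_PATH = re.compile(r"^/app/office365/[^/]+/sso/wsfed/([^/?]+)")

def parse_records(text):
    """One dict per blank-line-separated record; first token is the field name."""
    records = []
    for chunk in re.split(r"\n\s*\n", text.strip()):
        rec = {}
        for line in chunk.splitlines():
            key, _, value = line.partition(" ")
            rec[key] = value.strip()
        records.append(rec)
    return records

def classify_endpoint(request_uri):
    """username13 -> Azure AD device flow (Hybrid join / PRT), active -> legacy auth, as the thread describes."""
    m = WSFED_PATH.match(request_uri)
    if not m:
        return "other"
    return {"username13": "azuread_device_flow", "active": "legacy_auth"}.get(m.group(1), "other")

def summarize_denials(text):
    """Count sign-on policy denials per flow type (assumed field names taken from the thread)."""
    counts = Counter()
    for rec in parse_records(text):
        if rec.get("LegacyEventType") == DENIED:
            counts[classify_endpoint(rec.get("RequestUri", ""))] += 1
    return dict(counts)
```

Denials that land in the azuread_device_flow bucket are the ones a plain legacy-auth block would hit even though they are not basic-auth flows, which is what the thread's workaround is compensating for.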