
User15982886881765563670 (Customer) asked a question.
The following environment.
Existing on-prem environment using Azure AD synch to manage 365 users (not a MS Hybrid).
We intend to maintain the AD Azure sync for changes, password, etc.
Introducing Okta to environment.
Identified one of the domains in tenant and using for test.
Implemented WS Federation for the domain.
Everything is working as designed: accessing mail via OWA, phone, Outlook client. Prompted with the Okta etc.
But came across one part which I found challenging: changing of the password.
Change the password: AD sync is fine. The AD Agent to Okta is ok (validate by logging into Okta with new password etc).
When I log onto 365 OWA – MFA executes as desired.
When I go to the phone app, the phone app is requesting an update for the account (due to password change). Okta pops up (MFA is SMS for the test account). Receive the code, use it, attempts to log on and then cycles.
The following breaks it down further:
changed the password again for the user. Validated it was updated in Okta and 365.
- Going to 365 via web client, worked without issue.
- I did have an issue with the phone again. Unfortunately I am not able to capture screen shots. But what occurred:
- I open up outlook app on phone.
- App requests that I update credentials for the user.
- When I do so – Okta opens and requests SMS push (the MFA set up for the user).
- I receive the SMS code.
- I enter code.
- One sees the app ‘connecting’ to 365, then comes back to the SMS push.
- This loop continues.
- I did notice a few things as I experimented.
- If I re-enter the SMS code, Okta states it is a single use and it has been used.
- If I put in a BS code, Okta calls me on it.
- (the items above would indicate that flow was fine in both directions)
- As you mentioned about wifi versus calling plans I waited till I left the location. I attempted from various locations including my home, and continued to have the same issue.
This morning, I planned to see if the error would continue, so I could dig more into the logs on Okta.
Something interesting occurred.
One my phone, prompted to update the credentials for the test user, when I did so, I was brought to Okta sign on page, and I put in the Okta username and password, which prompted for MFA and the push worked.
This is definitely different from yesterday.
Outlook with the test user profile, acted similarly this morning (a log on then push).
I am wondering if / where one can address this issue?

So, looking at this a little further, system logs on Okta show a 'success' for the single sign on for App. However MS is reporting failures due to "provided grant has expired" - which is associated with the password change.
I just reset the password again, and when the Outlook Mobile app became aware and prompts for sign in to the test account - and I select sign in - it goes directly to the MFA prompt. and basically loops. Again Okta is showing successes. Mobile App in 365 Sign-in Logs (reflects the failure).
So, how do I get Okta to prompt for the username and password on Mobile immediately versus this MFA (if I hit the back on the Outlook App, it goes back to a blank screen, then goes to the Inbox.)
I had to delete the account from the phone and re-add, but even that took a few hoops. IE it first prompted for the MFA, was stuck in a continuous 'connecting to 365', then I hit a back button, and then it prompted for a password. Once entered, it brought me to the Okta app page for the user. Killed it. Went back into Outlook and 'all was well'. SMS needs to be an option based on organizational considerations.
Hello Dan,
Sorry for the trouble! I have escalated this issue to our support team who will reply to you here shortly.
Thanks!
Tim
Okta, Inc.
After not getting any replies from the community (appreciating that the issue may be hard to describe - but as it was a phone interface, not too many options otherwise). I opened a ticket
00973177
I did send an update yesterday morning (approx 24 hours ago) to the ticket, including a link to a video of the issue.
I also did receive a VM from an engineer last night. I had to replay the message a number of times as it appears the individual may have been speaking on a speaker phone, and the spoke rather quickly so some of the details were a little garbled.
However, the one issue I can take away from the message which would be helpful if can be addressed:
the engineer mentioned his workday started 4:00 PM Pacific.
I can appreciate that in a system down situation, but we are central time and generally work 8:00 AM - 5:00 PM Central.
It would be appreciated if consideration can be made in that regard.
Greetings!
Following the issue I would like to check if Modern Auth is enabled in your ofice settings.
I am adding a link that could be helpful: https://support.okta.com/help/s/article/Office-365-sign-on-policies-are-not-being-enforced-when-accessing-email-from-a-third-party-email-client?language=en_US
My apologies for delay. Thank you for adding this information. I have a case open. I will be reviewing. The issue only occurs with the MS Client after changing a password. The MFA 'works' (and eventually we are prompted for the new password with the email client after a password change - but not as quickly as all other platforms, including 3rd party (ie Android native client). I look forward to reviewing.
Again thank you. The link addresses an issue which is not aligned with our situation. Thoroughly reviewed, and none of the symptoms applied. I did a much more thorough point by point explanation in an associated ticket that is open on the issue.