
KarenH.16388 (The Aspen Institute) asked a question.
Has anyone tested and is using this early access feature: https://help.okta.com/en/prod/Content/Topics/Apps/Office365/Use_Okta_MFA_Azure_AD_MFA.htm? I think the known issues concern me a little, although we are enforcing MFA with O365 on and off-network. It may be the missing piece for enrolling Windows devices that we haven't been able to get working with O365/Intune and Okta. Would appreciate your input.

Additional question: What we are essentially asking... there appears to be something lacking in the handoff between Okta and O365 or why is this early access feature needed? There is also an Autopilot beta release that we hope to test. Again ... is there something lacking by just deploying O365 app WS-Fed with MFA required?

Hi Karen,
I've escalated this over to the Customer Support team so they can get back to you with more information. They will reply here shortly. Thanks!
Tim
Okta, Inc.

Hi Karen,
Thank you for contacting Okta Community. This EA feature is to satisfy the Azure AD MFA requirements for your WS-Federation Office 365 app instance. If you don't have any Azure AD MFA requirements in your environment, you don't need to enable this feature. If you need MFA for Office 365, you can simply configure an app sign on policy for your WS-Federation Office 365 app instance.
If you have any additional questions or concerns, please open a support case with us and we can assist you further.
Thank You,
Daisy Sun
Technical Support Engineer
Okta Global Customer Care

We have configured MFA in Okta at the org and WS-Fed Office 365 app level, but it does not appear to make the hand-off to Azure AD MFA when setting up new Windows 10 devices for zero touch deployment. Wondering if this EA feature is something we need to enable to satisfy the conditional access our desktop engineer has configured in Azure AD. Have people had positive results when enabling this EA feature https://help.okta.com/en/prod/Content/Topics/Apps/Office365/Use_Okta_MFA_Azure_AD_MFA.htm?

We enabled the early access feature "O365 Pass Claim For MFA" but Windows 10 machines are still not able to log in, and after reviewing our Okta logs and this PDF https://www.okta.com/sites/default/files/2020-09/Okta-for-Hybrid-AAD-Join.pdf, I understand why the "Deny user access due to app sign on policy" appears. Our Okta logs also show ".../sso/wsfed/username13" for the Windows 10 Machine Logins, which only support Basic auth. I don't see a "custom" field indicated on page 8 of the PDF for adding "Windows-AzureAD-Authentication-Provider/1.0". Can anyone help?