We have M365 in our environment with Okta as an IDP. We have existing Okta signOn policies for Mobile and Non-Mobile devices. Both these devices use InTune for device management. Mobile devices SignOn policies are working fine and for non-mobile devices we have existing signOn policy to prompt for MFA is user is trying access M365 apps outside of corporate network which works fine until we recently started to also AAD domain join these devices. The process to AAD domain join require user to start Windows AutoPilot. Windows AutoPilot process require one time MFA during PIN create step. Since existing Okta SignOn Policy doesn't require MFA for users trying to authenticate within the corporate network and there is nothing in the Request Headers which can be used to differentiate this particular scenario through Okta SignOn policy as a result user goes into infinite loop as Azure is expecting MFA claim but Okta is not promptingf or MFA because user is within corporate network. We contacted Microsoft and they said, the only way to differentiate is using query string URL send in the original redirect url to the IDP but there is no policy which can be created based on the WF-fed query string url. We are at a stand still and would like to know if there is any workaround and it's big thing for large enterprises like ours.

We opened Support ticket but haven't been able to get positive response which is surprising.

Any help is highly appreciated!