
mj4i9 (mj4i9) asked a question.
We are going through a process doing device trust with Azure Conditional Access policies. We'd like Okta to satisfy Azure AD Conditional Access policies, but it appears it doesn't integrate as "nicely" as other IDP providers (Duo's https://duo.com/docs/azure-ca). So my questions for the group:
1. When will Okta integrate directly with Azure AD Conditional Access policies, so that Okta can satisfy those MFA policies? (Like Duo's)
2. How to accomplish functionality similar to a direct integration that does not involve the "Claims Based Authentication", because that does not solve for every login to Azure/O365 in its current implementation. My testing thus far with this is that Azure CA policies will fail, as the MFA claim isn't passed every time, since you're already authenticated to Azure/O365, bypassing Okta.

Hi Matt,
Thanks for posting! We get questions related to this fairly often.
Have you already gone over the documentation Okta has on how to use Okta MFA to satisfy Azure AD MFA requirements for Office 365?
https://help.okta.com/en/prod/Content/Topics/Apps/Office365/Use_Okta_MFA_Azure_AD_MFA.htm
Isaiah
Okta
Isaiah,
I have gone through that entire documentation, and in theory it only partially works. It only works for Office 365 apps that Okta sees through the WS-Federation model. For anything behind Azure, the Azure portal, or Azure app integrations, this will not satisfy conditional access policies within O365. This claims-based authentication isn't a full-fledged solution to the need to integrate with Azure AD, as there is no way to have O365 trigger an MFA prompt within Okta if your session with Okta/O365 is already valid.
I see what you're saying Matt. I don't know of any existing timeline for updated Azure CA features/behaviors (and it seems pretty unlikely we'd have a precise timeline for your 1st question).
As for accomplishing similar functionality around the current implementation, I'd recommend opening a case with support and ideally pulling in your account team to get an SE engaged. If there are improved implementations out there that better satisfy your requirements, I haven't seen them documented. An SE might be able to assist with building something to fit your needs, and if you have specific improvements to request, submitting them via Okta Ideas will give you the most direct avenue for getting in touch with our developers for future implementation improvements.
Isaiah,
Okta
We've had to go down the route of "Okta MFA to satisfy Azure AD MFA requirements for Office 365" for some clients as well that are tied into Okta contracts and have their MS 365 tenant domains WS-Federated to their Okta tenants, with the Okta O365 Application rules not being able to control the clients' MS 365 applications' token validity and prompt them for MFA on a regular basis. The known issues mentioned in the above-mentioned article were a worry getting this through CAB right from the start, and we were doubtful whether this would in fact work. After implementing it initially, it did look like a workable solution, using Azure conditional access policies to force client MS 365 applications (Teams, Outlook, SharePoint Online, etc.) to regularly send the staff Okta MFA prompts. However, we picked up that users will randomly get multiple MFA prompts for their open MS 365 apps, and the MFA pass-through sometimes won't work, so they are stuck in an "infinite MFA loop".
The clients we went down this route with all have legacy on-premises AD; their workstations/laptops are all still on-prem AD joined and Hybrid Azure AD registered to their respective MS 365 tenants, we have the Okta AD agents installed, and Okta Universal Directory objects are imported from on-premises AD into Okta.
At this moment I don't see this working properly enough to be a production implementation; although the Okta article does mention it's an early access feature in Okta, we are getting a lot of headaches with this solution.