Okta Classic Engine | Multi-Factor Authentication | Answered | Asked 2021-11-11; last activity 2021-11-12

MattY.99440 (Customer) asked a question.

M365 pass MFA claim Issues

We are currently set up to pass MFA claims to M365 (Azure AD). It seems to be working as expected, but we are running into one issue.

In Azure AD Conditional Access we have a policy to Prompt for MFA when outside of our corporate network.

In Okta we also have a condition to prompt for MFA when outside of our corporate network.

For a new login it works as expected when off-premises: Azure AD redirects to Okta, Okta authenticates the user with MFA, and in the Azure AD logs it shows as "MFA satisfied in token".

The issue has been when a user is on VPN, authenticates with Okta via Desktop SSO (no MFA), then disconnects from VPN, or say reboots, goes home for the day, etc. The user then starts getting prompted to set up MS Authenticator. The Conditional Access policy that requires MFA kicks in, the MFA claim is not passed in the token, and Azure AD does not redirect to Okta since the token is still valid. Azure requires MFA and starts walking through the MS Authenticator walkthrough.

My question is: have others seen this? Is there any way to tell Azure AD to send those SAML tokens that don't have MFA back to Okta when required? This seems to be causing our end users much frustration, since we are not rolling out MS Authenticator MFA.


This question is closed.
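As a diagnostic for the behaviour described in the question (added here; not code from the original post, from Okta or from Microsoft), the check below parses a SAML 2.0 assertion and reports whether it carries the Microsoft authnmethodsreferences claim with the multipleauthn value, which is what Azure AD looks for before logging "MFA satisfied in token". The two assertions are constructed samples modelled on the off-premises MFA login and the on-VPN Desktop SSO login; the claim URIs are the documented Microsoft claim types, not values taken from the post.

```python
import xml.etree.ElementTree as ET

# Claim type and value Azure AD expects in a federated token that satisfied MFA
# (documented Microsoft claim URIs; they do not appear in the original post).
AMR_CLAIM = "http://schemas.microsoft.com/claims/authnmethodsreferences"
MFA_VALUE = "http://schemas.microsoft.com/claims/multipleauthn"

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}


def authn_methods(assertion_xml: str) -> list:
    """Return every authnmethodsreferences value carried by the assertion."""
    root = ET.fromstring(assertion_xml)
    values = []
    for attr in root.iterfind(".//saml:AttributeStatement/saml:Attribute", NS):
        if attr.get("Name") == AMR_CLAIM:
            for v in attr.iterfind("saml:AttributeValue", NS):
                values.append((v.text or "").strip())
    return values


def mfa_satisfied_in_token(assertion_xml: str) -> bool:
    """True when Azure AD would treat this token as having satisfied MFA."""
    return MFA_VALUE in authn_methods(assertion_xml)


def _assertion(amr_values):
    """Build a minimal constructed assertion, with or without the MFA claim."""
    vals = "".join(f"<saml:AttributeValue>{v}</saml:AttributeValue>" for v in amr_values)
    attr = (f'<saml:AttributeStatement><saml:Attribute Name="{AMR_CLAIM}">{vals}'
            "</saml:Attribute></saml:AttributeStatement>") if amr_values else ""
    return (f'<saml:Assertion xmlns:saml="{NS["saml"]}" ID="_constructed" Version="2.0">'
            "<saml:Subject><saml:NameID>user@example.com</saml:NameID></saml:Subject>"
            f"{attr}</saml:Assertion>")


# Off-premises login: the IdP performed MFA and included the claim.
OFF_PREM_MFA = _assertion([MFA_VALUE])
# On-VPN Desktop SSO login: no MFA was performed, so no claim is in the token.
DESKTOP_SSO = _assertion([])

if __name__ == "__main__":
    for name, tok in (("off-prem MFA", OFF_PREM_MFA), ("desktop SSO", DESKTOP_SSO)):
        print(f"{name}: methods={authn_methods(tok)} mfa={mfa_satisfied_in_token(tok)}")
```

Run against assertions captured with a browser SAML tracer, the second case is the token that stays valid yet fails the MFA-requiring Conditional Access policy.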