
EgorE.48769 (Customer) asked a question.
I apologize for bringing up this topic again, because this has been discussed previously. But I think those answers are outdated, as many of them reference an "early access" Office365 MFA bypass feature flag that doesn't exist nowadays (probably out of EA by now), so I wanted to get a more up-to-date perspective.
I'm building a PoC Okta instance that relies on a third party identity provider and then passes authentication using WS-Federate manual mode to O365 which has MFA enforcement:
3rd party IdP --> Okta --> Office365
Everything works as expected, but I'm being prompted to enroll into the "native" MFA of Office365 on first login. The third party IdP uses hardware tokens and is completely trusted, so I would like to avoid the MFA prompt from Office365. What would be the best course of action to present an MFA token to Office 365:
- Adding the same IdP one more time as "factor only" and configuring sign-in policy to use it? (I personally think it makes no sense, because even if this does work, two IdP trips will be necessary.)
- Merely flipping the "SupportsMFA" switch in O365 federation configuration?
- Anything else?
Thank you.
~Egor

Ok, 'flipping the "SupportsMFA" switch in O365 federation configuration' does not help. I guess it makes O365 accept claims with amr:mfa, but obviously doesn't make Okta mint them.
Which makes me believe we are back to the mysterious "Office 365 Pass Claim For MFA" switch that I don't have in my tenant. Do I need to contact support in order to enable it?
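As an added illustration (not from the original post, Okta or Microsoft), a small check a defender can run on a captured WS-Fed token to see whether the assertion actually carries the "MFA performed" authentication-method claim that SupportsMFA tells Office 365 to honour. The claim type and value URIs are my assumptions about the Azure AD convention, and the sample tokens are constructed.

```python
import xml.etree.ElementTree as ET
from typing import List

# WS-Federation tokens to Office 365 wrap a SAML 1.1 assertion.  The claim
# type and value below are ASSUMED to be the Azure AD convention for
# "multi-factor authentication was performed upstream"; adjust if your
# tenant documents a different one.  Signature validation is deliberately
# out of scope here: this only inspects which claims the IdP asserted.
NS_SAML1 = "urn:oasis:names:tc:SAML:1.0:assertion"
CLAIM_NS = "http://schemas.microsoft.com/ws/2008/06/identity/claims"
AUTHN_METHOD_CLAIM = f"{CLAIM_NS}/authenticationmethod"
MFA_VALUE = "http://schemas.microsoft.com/claims/multipleauthn"
PASSWORD_VALUE = "urn:oasis:names:tc:SAML:1.0:am:password"


def asserted_auth_methods(token_xml: str) -> List[str]:
    """Return every authenticationmethod claim value found in the assertion."""
    root = ET.fromstring(token_xml)
    methods: List[str] = []
    for attr in root.iter(f"{{{NS_SAML1}}}Attribute"):
        claim = f"{attr.get('AttributeNamespace', '')}/{attr.get('AttributeName', '')}"
        if claim != AUTHN_METHOD_CLAIM:
            continue
        for value in attr.findall(f"{{{NS_SAML1}}}AttributeValue"):
            if value.text and value.text.strip():
                methods.append(value.text.strip())
    return methods


def carries_mfa_claim(token_xml: str) -> bool:
    """True only if the IdP explicitly asserted the MFA authentication method."""
    return MFA_VALUE in asserted_auth_methods(token_xml)


def _constructed_token(*methods: str) -> str:
    """Build a minimal, unsigned SAML 1.1 assertion for demonstration only."""
    values = "".join(f"<saml:AttributeValue>{m}</saml:AttributeValue>" for m in methods)
    return (
        f'<saml:Assertion xmlns:saml="{NS_SAML1}" MajorVersion="1" MinorVersion="1"'
        ' AssertionID="_constructed-example" Issuer="http://idp.example.invalid">'
        "<saml:AttributeStatement>"
        "<saml:Subject><saml:NameIdentifier>user@example.invalid</saml:NameIdentifier></saml:Subject>"
        f'<saml:Attribute AttributeName="authenticationmethod" AttributeNamespace="{CLAIM_NS}">'
        f"{values}</saml:Attribute></saml:AttributeStatement></saml:Assertion>"
    )


# Constructed samples: one password-only token, one that also asserts MFA.
SAMPLE_PASSWORD_ONLY = _constructed_token(PASSWORD_VALUE)
SAMPLE_WITH_MFA = _constructed_token(PASSWORD_VALUE, MFA_VALUE)

if __name__ == "__main__":
    print("password-only token asserts MFA:", carries_mfa_claim(SAMPLE_PASSWORD_ONLY))
    print("MFA token asserts MFA:", carries_mfa_claim(SAMPLE_WITH_MFA))
```

If the token your IdP sends to Office 365 shows up as password-only here, SupportsMFA alone will not suppress the native MFA enrollment, because the relying party never sees an MFA claim to honour.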